The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. A key European Union legislation, it gives people more rights over what organisations can do with their personal data. It applies across all EU member states, including the UK until the point of the UK's exit from the EU. After exit, the UK government plans to incorporate the GDPR into domestic UK law. Read more about Brexit: Data protection steps for a no-deal exit.
Under the GDPR regulation, businesses that store and process personal data of European citizens must do so lawfully, transparently, for a specific purpose and for no longer than necessary. Small businesses are not exempt - if you process any amount of personal data, you must comply with the GDPR.
Much of the new law builds on the previous data protection rules, so it may not seem radically different. However, parts of the regulation introduced greater rights for EU citizens and significant new requirements for organisations that process personal data.
This guide provides a quick start for those businesses looking to better understand the GDPR. It gives a summary overview of the new regulation and more detail on some of its key features, including the lawful basis, data subject rights, consent, privacy notices, penalties and breach reporting duties.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.