General Data Protection Regulation (GDPR)

What is the GDPR?

The General Data Protection Regulation (GDPR) is the European Union's framework of data protection and privacy law. It came into effect on 25 May 2018 in all EU member states.

The UK has since left the EU. However, the GDPR continues to apply in the UK for the duration of the Brexit transition period, which is scheduled to end on 31 December 2020. After the transition period, the UK government plans to incorporate the GDPR into domestic UK law. Read more about Brexit: Data protection and EU exit.

What information does the GDPR apply to?

The GDPR covers personal data, including the category of sensitive personal data.

Sensitive personal data (or special category data) is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation.

The definition of personal data covers any information relating to an identifiable living person (the data subject), that is, someone who can be identified, directly or indirectly, by reference to that data. The GDPR does not apply to data about deceased persons or to information about companies and other legal persons.

Data can still be personal data even when it is held in automated form or has been pseudonymised, as long as a person can be identified from it, either on its own or combined with other information you hold or could reasonably obtain. Examples of personal data under the GDPR include:

  • people's names
  • date of birth
  • addresses
  • email addresses
  • phone numbers
  • bank details

Other, less obvious personal identifiers include occupation, physical characteristics, identification numbers, location data and online identifiers such as IP addresses.

The GDPR does not regulate anonymous data, ie data from which no individual can be identified, directly or indirectly, by any means reasonably likely to be used. Check key definitions under the GDPR.
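The distinction between pseudonymised and anonymous data is easy to get wrong in practice: replacing an email address with a hash is pseudonymisation, not anonymisation. The following Python is an added example and is not part of the original page; the records, the attacker's candidate list and the controller's secret key are all constructed here. It shows that an unkeyed hash is reversed by anyone who can enumerate plausible identifiers, that a keyed hash still lets the key holder re-identify the person (so the data remains personal data under the GDPR), and that only a record-free aggregate over a minimum group size stops any individual being singled out.

```python
"""Added example: hashed identifiers are pseudonymised, not anonymous.

All records, candidate identifiers and the secret key below are constructed
for illustration; none of them come from the page.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data set (fictitious people and purchase counts).
RECORDS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.org", "purchases": 1},
    {"email": "carol@example.net", "purchases": 0},
    {"email": "dave@example.com", "purchases": 2},
    {"email": "erin@example.org", "purchases": 5},
    {"email": "frank@example.net", "purchases": 1},
]


def pseudonymise_unkeyed(email: str) -> str:
    """Replace the identifier with a plain SHA-256 digest.

    Common in the wild, but anyone can recompute it for a guessed address.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymise_keyed(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that the controller keeps apart from
    the data set. Without the key the token cannot be recomputed; with it,
    the controller can still link the token back to the person."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(token: str, candidates: Iterable[str],
               tokenise: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: whoever can reproduce the tokenising function and
    enumerate plausible identifiers maps a token back to a person."""
    for candidate in candidates:
        if hmac.compare_digest(tokenise(candidate), token):
            return candidate
    return None


def anonymise(records: list, min_group: int = 5) -> Optional[dict]:
    """Keep only an aggregate with no per-person row and no identifier.

    Very small groups can still single someone out (a total over two people
    reveals each person's share to the other), so refuse to release an
    aggregate below min_group; the threshold value is an assumption here.
    """
    if len(records) < min_group:
        return None
    return {
        "records": len(records),
        "total_purchases": sum(r["purchases"] for r in records),
    }


def demo() -> dict:
    """Run the three scenarios and return what each party can recover."""
    key = secrets.token_bytes(32)  # hypothetical controller-held secret
    # Attacker's guess list: the real addresses plus a decoy.
    candidates = [r["email"] for r in RECORDS] + ["mallory@example.com"]

    unkeyed_token = pseudonymise_unkeyed("alice@example.com")
    keyed_token = pseudonymise_keyed("alice@example.com", key)

    return {
        # Unkeyed hash: attacker recovers the person from the token alone.
        "unkeyed_recovered": reidentify(unkeyed_token, candidates,
                                        pseudonymise_unkeyed),
        # Keyed hash, attacker without the key: nothing matches.
        "keyed_without_key": reidentify(keyed_token, candidates,
                                        pseudonymise_unkeyed),
        # Keyed hash, controller holding the key: still identifiable, so the
        # data set is pseudonymised personal data, not anonymous data.
        "keyed_with_key": reidentify(keyed_token, candidates,
                                     lambda e: pseudonymise_keyed(e, key)),
        # Aggregate with no identifiers: no individual can be picked out.
        "anonymous": anonymise(RECORDS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical point: if you (or anyone who obtains the key) can map tokens back to people, the data set is pseudonymised personal data and every GDPR obligation still applies to it; "anonymised" is only a defensible label when no reasonably likely means of re-identification exists.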

Who does the GDPR apply to?

The GDPR is far-reaching. It applies to individuals, organisations, sole traders and companies of all sizes based in the EU that hold or process personal data.

It also applies to organisations based outside the EU if they offer goods or services to individuals in the EU, or monitor the behaviour of individuals within the EU.

Difference between data controllers and data processors

The GDPR applies to both controllers and processors. It is important to know which one you are, as the obligations for each differ. In short:

  • data controllers determine the purposes and means of processing, ie why and how personal data is processed
  • data processors process personal data on behalf of, and on the instructions of, a data controller

You can be a controller for some processing and a processor for other processing at the same time, depending on the circumstances.

What does processing mean under the GDPR?

Processing refers to any type of handling of personal data, including:

  • obtaining, recording or keeping data
  • organising or altering the data
  • retrieving, consulting or using the data
  • disclosing the data to a third party (including publication)
  • erasing or destroying the data

Simply storing personal data, whether electronically or in hard copy, also constitutes processing of personal data.

What is the GDPR replacing?

Until 25 May 2018, the Data Protection Act 1998 applied in the UK. From that date the GDPR took effect in the UK and in the other EU member states, and the UK's new Data Protection Act 2018 came into force alongside it.

Difference between UK Data Protection Act and GDPR

The GDPR allows EU member states to implement different or additional rules in some areas of data protection through domestic legislation. The UK government has enacted the Data Protection Act 2018, which replicates the vast majority of the GDPR's rules in UK law, with minor variations. Download an overview of the Data Protection Act 2018 (PDF, 258K).

Who will enforce the GDPR?

The Information Commissioner's Office (ICO) is responsible for enforcing data protection legislation in the UK. It has the power to carry out investigations and issue fines, and it advises businesses on how to comply with the GDPR.

Data protection fee

Current data protection regulations require data controllers to pay the ICO a data protection fee unless they are exempt. There are three fee tiers, from £40 to £2,900, depending on the controller's size, turnover and other factors. Find out more about the data protection fee.

Read more about the key GDPR changes and data protection principles under the GDPR.

This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.