On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect in the UK.

  • Territorial scope

    If your organisation processes personal data and has a base in the EU, the GDPR will apply to you. It also applies to businesses based outside the EU that process the personal data of people in the EU.

  • Definition of personal data

    Under GDPR the definition is broad, covering any data that directly or indirectly identifies a living person. Email addresses, extension numbers, IP addresses and identification numbers can all amount to personal data.

  • Controllers and processors

    The GDPR applies to data controllers and data processors and sets out their obligations when processing personal data. Hefty fines can be imposed if your organisation fails to comply with its obligations.

  • Definition of processing

    Under the GDPR the definition of processing is broad. You will process personal data if, for example, you collect, store, use or disclose personal data.

  • Rights of individuals

    The GDPR clarifies and extends the rights of individuals and introduces new rights. For example, the right of erasure means that in certain circumstances your organisation will have to delete personal data.

What happens if there’s a data breach?

  • 72 hours

    If you suffer a data breach, you may have to report it to the ICO and affected individuals within 72 hours. It is 72 clock hours, not business hours, so you should have a plan for dealing with this requirement.

  • Fines

    The regulator can impose severe monetary penalties for non-compliance with the GDPR. Depending on what you have done wrong, fines can be up to 4% of your annual worldwide turnover or EUR 20 million, whichever is greater.

  • Court action

    Individuals may be able to bring an action against your organisation in the civil courts if your organisation has failed to comply with the GDPR.

  • Criminal offence

    The misuse of personal data can be a criminal offence and can result in criminal convictions.