A GDPR summary guide to outline changes to data protection rules


Enforceable since May 2018, The General Data Protection Regulation (GDPR) is one of the most wide-ranging pieces of legislation passed by the EU in recent memory.
It was introduced to standardise data protection law across the single market and give people in a growing digital economy greater control over how their personal information is used.


Who does the GDPR apply to?


All organisations that process personal data and operate within, or sell goods to, the EU are impacted by the GDPR. The definition of processing is designed to cover practically every type of data usage and includes collection, storage, retrieval, alteration, storage and destruction.


The GDPR applies to both data ‘controllers’ and ‘processors’. Data controllers determine the purpose and manner in which data is processed. Data processors are any third party undertaking data processing on behalf of a controller.


How does Brexit affect the GDPR in the UK?


In the UK, the GDPR has been enforceable since 25th May 2018. The GDPR is to be read side-by-side with the Data Protection Act 2018, which outlines the UK’s specific GDPR provisions, alongside additional national data protection laws.


GDPR summary – the DPA


The Data Protection Bill, designed to ensure that the UK retains its position as a ‘world-class regime protecting personal data’, will continue to enforce GDPR standards post-Brexit.
Read more about the Data Protection Bill


What is personal data?


Article 4 of the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. For most organisations, this means implementing appropriate measures to protect information relating to employees, customers and partners.


The GDPR expands the definition of personal data beyond the previous Data Protection Act (1998) to also include information that could be used to indirectly identify individuals, such as ID numbers, location data and online identifiers including IP addresses and web cookies. Other examples of personal data include:


  • HR records
  • Customer contact details
  • Health records
  • Biometrics
  • CVs
  • CCTV and call recordings