At a Glance

On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect.

  • GDPR will apply to every European organisation that handles the information of private individuals plus non-EU organisations offering goods and services to EU individuals.
  • The UK government has confirmed that Brexit will not affect the commencement of the GDPR.
  • GDPR gives the Information Commissioner's Office (ICO) the power to impose high fines: violation of the regulations could result in fines of the higher of €20,000,000 or 4% of global turnover depending on the type of breach.
  • A violation can be caused by the act of a third party, i.e. by the organisation being hacked. There will be no exemption or relief where the breach is the result of a cyber-attack.
  • The GDPR provides additional rights to individuals and increased restrictions on how and when organisations can process personal data.

We have produced a sample template for a Statement on GDPR Compliance.

Overview and examples

What's new?

In April 2019 the ICO issued enforcement notices to HMRC for breaches arising from the use of voice authentication (Voice ID) for customer verification on some of their helplines. HMRC are required to delete some £5m taxpayers' records where taxpayers were not given the chance to give or withhold their consent for their data to be held, or given sufficient details about how their data would be processed.

In January 2018 the European Commission published guidance on the new rules, together with an online tool for small and medium-sized enterprises.

New Powers and obligations

The Information Commissioner's Office (ICO) regulates data protection and information rights in the UK. Under the GDPR from May 2018 they will have increased enforcement powers in respect of:

  • Failure to conduct a data protection impact assessment.
  • Data Protection Orders (DPOs).
  • Failures in respect of documentation.

There will be new obligations for businesses in respect of consent and the reporting of data breaches:

  • Consent must be specific, informed, freely given and unambiguous.
  • Businesses must prove they have consent in order to be able to rely on it (see below for more details).
  • Protections must be in place for transferring data to certain countries such as Japan and India.
  • Businesses must be accountable by demonstrating that they comply with the principles.
  • If the organisation has more than 250 employees, it must maintain additional internal records of processing activities. Details of the information required can be found here
  • If the organisation has fewer than 250 employees, it is required to maintain records of activities related to higher risk processing, such as:
    • processing personal data that could result in a risk to the rights and freedoms of individuals; or
    • processing of special categories of data or criminal convictions and offences.
  • Certain businesses must appoint a data protection officer, for example if they carry out large scale systematic monitoring of individuals (such as online behaviour tracking) or carry out large scale processing of special categories of data (see below).
  • The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate compliance.

Penalties and fines

There are two levels of fine. The maximum fines are:

  • The higher of €10,000,000 or 2% of global turnover.
  • The higher of €20,000,000 or 4% of global turnover for certain violations.

Prior to GDPR fines were limited to £500,000.

  • Fines will be considered on a case-by-case basis.
  • The level of fine issued will take a number of criteria into consideration, such as the intent, how many individuals are affected and any previous breaches.

The lower level of fine (€10,000,000 or 2% of global turnover) will be considered for breaches relating to:

  • Records of processing activities
  • Cooperation with the supervisory authority
  • Security of data processing
  • Notification of a personal data breach to the supervisory authority
  • Notification of a personal data breach to the data subject
  • Data Protection Impact Assessment
  • Designation, position or tasks of the Data Protection Officer
  • Certification

The higher level of fine (€20,000,000 or 4% of global turnover) will be considered for breaches relating to:

  • Rights of the data subject (see Comparison of Individual Rights tab)
  • The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data (see below)
  • Transfer of personal data to a recipient in a third country or an international organisation

Who does the GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’. The controller says how and why personal data is processed and the processor acts on the controller’s behalf.

  • If you were previously subject to the Data Protection Act (DPA), it is likely that you will also be subject to the GDPR.
  • The GDPR places specific legal obligations on processors; for example, they are required to maintain records of personal data and processing activities.
  • A processor has significantly more legal liability if responsible for a breach. These obligations for processors are a new requirement under the GDPR.
  • Controllers are not relieved of their obligations where a processor is involved; the GDPR places further obligations to ensure contracts with processors comply with the GDPR, for example where data processing is outsourced.
  • The GDPR does not apply to certain activities, including processing for national security purposes and processing carried out by individuals purely for personal/household activities.

What information does the GDPR apply to?

Personal data

Like the DPA, the GDPR applies to ‘personal data’ but the definition is clearer:

  • An online identifier, such as an IP address, can be personal data, as can cookies in some businesses.
  • The definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organizations collect information about people.
  • If you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
  • The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition.
  • Personal data that has been pseudonymised or anonymised can fall within the scope of the GDPR depending on how difficult it is to match the name used to a particular individual.

Sensitive personal data

  • The GDPR refers to sensitive personal data as “special categories of personal data”.
  • The special categories specifically include genetic data, and biometric data where it is processed to uniquely identify an individual.
  • Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing.

How does the GDPR work?

For processing to be lawful under the GDPR, it is necessary to identify a lawful basis for it and to document that basis before the personal data is processed. These are often referred to as the “conditions for processing” and include:

  • Consent of the subject (see below).
  • Where it is necessary for the performance of a contract with the data subject or to take steps to enter into a contract; for example, processing credit card details in respect of payments for online purchases of goods or services, or taking personal details to respond to an enquiry about services offered.

  • Where it is necessary to comply with a legal obligation under EU laws or the laws of a member state. This could be problematic where the legal obligation relates to the laws of a non-EU member state such as a US court order. It must apply to the data controller and must be legally binding/mandatory; a request for information does not create a legal obligation.
  • Where it is necessary to protect the vital interests of a data subject or another person (such as their child).
  • Where it is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject, especially where the subject of the data is a child. Parental permission is required for children (defined as those under the age of 16); this can be difficult to prove.
  • This becomes more of an issue under the GDPR because the lawful basis for processing has an effect on individuals’ rights. See Comparison of individual rights tab.
  • For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, such as the right to have their data deleted, than if you rely on other bases.
  • Where it is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller; processing carried out on this basis may be subject to objections from data subjects.
  • A member state can introduce additional lawful bases where necessary for the performance of a task carried out in the public interest and for limited purposes connected with national law.

At least one lawful basis must apply.


For consent to be a lawful basis for processing data the consent must be:

  • Freely given, specific, informed and unambiguous
  • There must be a positive opt-in; consent cannot be inferred from silence, pre-completed boxes or doing nothing.
  • It must be separate from other terms and conditions, with simple ways provided for people to withdraw it. Public authorities and employers will need to take particular care to ensure that consent is freely given.
  • It must be verifiable.
  • Organizations are not required to replace or refresh existing consents under the DPA in preparation for the GDPR but, if relied upon, they must meet the GDPR standards as listed above.

What constitutes a personal data breach?

A personal data breach means:

  • A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • A breach is more than just losing personal data.
  • For example, the inappropriate accessing of a patient’s health record within a hospital.

What breaches must be notified to the relevant supervisory authority?

The relevant supervisory authority (ICO in the UK) must be notified of a breach:

  • Where it is likely to result in a risk to the rights and freedoms of individuals.
  • Where, if unaddressed, such a breach is likely to have a significant detrimental effect on the subject, such as resulting discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
  • This has to be assessed on a case-by-case basis.
  • For example, notification to the relevant supervisory authority will be required about a loss of an individual client’s personal details where the breach leaves them open to identity theft, whereas the loss of a staff telephone list would not require notification.

When do individuals have to be notified of a breach?

Individuals must be notified:

  • Where a breach is likely to result in a high risk to their rights and freedoms.
  • The threshold for notifying individuals is therefore higher than for notifying the relevant supervisory authority.

Should an individual ask for a copy of their record (a subject access request):

  • In most cases organizations will no longer be allowed to charge for providing it.
  • They will have a month (previously 40 days) to provide it.

How and when should breaches be notified?

  • A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of it.
  • The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows the provision of information in phases.
  • If the breach is sufficiently serious to warrant notification to the public, the organization responsible must do so without undue delay.
  • The organization should ensure that staff understand what constitutes a data breach, and that this is more than a loss of personal data.
  • Organizations should ensure that they have an internal breach reporting procedure in place to facilitate decision-making about whether they need to notify the relevant supervisory authority or the public.

What exemptions are permitted?

Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights in certain situations; these are similar to the existing exemptions from rights and duties in the DPA.

These only apply:

  • Where the essence of the individual’s fundamental rights and freedoms is respected.
  • Where the exemption or restriction is a necessary and proportionate measure in a democratic society to safeguard:
    • national or public security;
    • defence;
    • the prevention, investigation, detection or prosecution of criminal offences;
    • other important public interests, such as economic or financial interests, including taxation matters, public health and security;
    • the protection of judicial independence and proceedings;
    • breaches of ethics in regulated professions;
    • the protection of the individual, or the rights and freedoms of others; or
    • the enforcement of civil law matters.

Can penalties be appealed or mitigated?

A violation can be caused by the act of a third party, i.e. by the organisation being hacked. There will be no automatic exemption or relief where the breach is the result of a cyber-attack. ICO will not treat a data controller as a victim of a cyber-attack; they will instead be treated as negligent and responsible.

However, the following will be taken into consideration for each individual case in deciding whether to impose a fine and the level of fine; in minor cases a reprimand can be given instead.

  • The nature and duration of the breach, taking into account the number of data subjects affected and the level of damage suffered by them.
  • Whether the breach is intentional or negligent.
  • Whether any action has been taken to mitigate the damage suffered as a result of the breach and what this is.
  • Any relevant previous breaches by the controller or processor and what has been done to remedy these including compliance with rules, obligations and bans set by the regulatory authority.
  • Cooperation with the supervisory authority.
  • Whether the controller or processor notified the breach to the supervisory authority.
  • Adherence to approved codes of conduct or approved certification mechanisms.
  • Any other mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the breach.

It is not clear from the regulations what, if any, course of appeal will be open to organisations receiving fines. It is assumed that the ability to appeal ICO decisions which was available prior to the introduction of GDPR will continue to be available.

There are fears that the level of fines under GDPR will lead to specifically targeted cyber-attacks and extortion with threats to send hacked data to ICO if organisations do not pay up.

Professional standards and GDPR

The CCAB draft money laundering standards published in August 2017 require that member businesses must have systems and controls capable of keeping appropriate records. Such systems will need to be reviewed and updated if necessary to meet GDPR requirements.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 also cover data protection, stating that personal information obtained in accordance with the regulations must be deleted after 5 years from the point that the business relationship ends unless statutory obligations or legal proceedings require it to be retained, or the relevant individual consents to it being retained.

What now?

ICO produced a document titled ‘Preparing for General Data Protection Regulation: 12 steps to take now’ to help businesses prepare ahead of the May 2018 deadline. The 12 steps are:

  1. Awareness
  2. Information you hold
  3. Communicating privacy information
  4. Individuals' rights
  5. Subject access requests
  6. Lawful basis for processing personal data
  7. Consent
  8. Children
  9. Data Breaches
  10. Data Protection by Design and Data Protection Impact Assessments
  11. Data Protection Officers
  12. International

Comparison of individual rights: GDPR v DPA

The rights of individuals under GDPR

The GDPR creates new rights for individuals and strengthens some rights already provided for within the DPA. 


Rights under GDPR: The right to basic information.
Rights under DPA: This right is the same under the DPA as for the GDPR.

Rights under GDPR: The right of access; controllers are obliged to provide data subjects with access to their own personal data.
Rights under DPA: The DPA list of mandatory information which must be provided is much narrower than that for the GDPR.

Rights under GDPR: The right to rectification; data subjects are entitled to require a controller to rectify any errors in their personal data.
Rights under DPA: The position is the same as under the GDPR.

Rights under GDPR: The right to erasure; data subjects have the right to erasure of personal data (the "right to be forgotten") if:

  • the data are no longer needed for their original purpose (and no new lawful purpose exists);
  • the lawful basis for the processing is the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists;
  • the data subject objects, and the controller has no overriding grounds for continuing the processing;
  • the data have been processed unlawfully; or
  • erasure is necessary for compliance with EU law or the national law of the relevant Member State.

Rights under DPA: This ‘right to be forgotten’ is narrower under the DPA.

Rights under GDPR: The right to restrict processing (meaning that the data may only be held by the controller, and may only be used for limited purposes) if:

  • the accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
  • the processing is unlawful and the data subject requests restriction (as opposed to asking for erasure);
  • the controller no longer needs the data for their original purpose, but the data are still required by the controller to establish, exercise or defend legal rights; or
  • verification of overriding grounds is pending, in the context of an erasure request.

Rights under DPA: The DPA does not directly cover the right to restrict processing although it does provide for the right to request the blocking of data. This means that the controller must refrain from using the data during the period for which that right applies, even though the data have not yet been deleted.

Rights under GDPR: The right to data portability.
Rights under DPA: This is not included at all under the DPA and it may require investment in new systems and processes.

Rights under GDPR: The right to object.
Rights under DPA: The DPA permits an organisation to continue processing the relevant data unless the data subject can show that the objection is justified. The GDPR reverses this burden; the organisation must demonstrate that it either has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights. If it cannot demonstrate this it must cease the processing activity.

Rights under GDPR: Rights in relation to automated decision making and profiling, such as the right to object to processing for scientific, historical or statistical purposes.
Rights under DPA: The GDPR gives individuals more specific rights than the DPA.

Mr Scruff does GDPR

We like this alternative version of GDPR
