What is GDPR? Who does it apply to? What obligations does it impose and what are the consequences of a breach of the rules?

This is a freeview 'At a glance' guide to the General Data Protection Regulation (GDPR).

At a glance

On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect.

  • GDPR will apply to every European organisation that handles the information of private individuals plus non-EU organisations offering goods and services to EU individuals.
  • The EU GDPR does not apply post-Brexit, however the rules have been enacted into UK law. The UK GDPR applies from 1 January 2021.
  • GDPR gives the Information Commissioners Office (ICO) the power to impose high fines: violation of the regulations could result in fines of the higher of €20,000,000 or 4% of global turnover depending on the type of breach.
  • A violation can be caused by the act of a third party, i.e by the organisation being hacked. There will be no exemption or relief where the breach is the result of a cyber-attack.
  • The GDPR provide additional rights to individuals and increased restrictions to how and when organisations can process personal data.

We have produced a Sample template for a Statement on GDPR Compliance.

GDPR timeline

  • From 31 December 2020, the EU GDPR ceased to apply in the UK.
  • The EU GDPR’s requirements have been enacted into UK law ‘the UK GDPR’ with effect from 1 January 2021.
  • The UK is now a 'third country' under the EU GDPR. The European Commission has the power to decide whether a third country has an adequate level of data protection. On 28 June 2021, the European Commission adopted an adequacy decision for the UK under the GDPR. 
  • The key definitions and terminology in the UK GDPR are the same as those in the EU GDPR except in a few areas where the UK GDPR differs. Businesses and organisations who receive data from EEA contacts should review their GDPR documentation to check whether any amendments are required to meet the requirements of the new UK GDPR. See Overview tab for more details.

In April 2019 the ICO issued enforcement notices to HMRC for breaches by the use of voice authentication (Voice ID) for customer verification on some of their helplines. HMRC are required to delete some five million taxpayer records where taxpayers were not given the chance to give or withhold their consent for their data to be held, or given sufficient details about how their data would be processed. 

In January 2018 the European Commission published guidance on the new rules, together with an online tool for small and medium-sized enterprises.


Squirrel ad


Are you enjoying our content? 

Thousands of accountants and advisers and their clients use www.rossmartin.co.uk as their primary TAX resource.

Register with us now to receive our receive our FREE SME Topical Tax Update & newletter