The GDPR is due for implementation by 25th May, 2018. It aims to strengthen the rights of individuals in relation to the processing of their personal data, whether automated or held in structured manual files. At its heart will be six updated data protection principles. Personal data is defined as “any information relating to an identified or identifiable person (‘data subject’)”.   

There is a separate definition for high risk ‘special categories’ (such as health, ethnicity and sex life). A new Data Protection Act 2018 will supplement the GDPR. Processing is a wide concept and includes acquiring, holding and disclosing personal data.

The legislation seeks to achieve greater accountability for processing and privacy, by design in planning the life cycle of personal data. If you have 250 employees or more, or process personal data on a large scale, or special categories of personal data, you should keep a record of relevant categories of personal data, including purposes, data subjects, recipients, transfers out of the European Economic Area, the legal basis for processing, retention periods and security measures. 

There will no longer be a requirement annually to notify the Information Commissioner (ICO). The appointment of Data Protection Officers will be mandatory in some cases, but otherwise is helpful to promote compliance. Data processors who undertake their work on behalf of data controllers will acquire new obligations. 

The first principle requires that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. For each category of personal data there must be a lawful basis for processing (for instance, consent, necessary for performance of a contract, etc) and a Privacy Notice provided when data is first obtained, or the purpose changed. 

"The legislation seeks to achieve greater accountability for processing and privacy, by design in planning the life cycle of personal data."

The key information to provide is who you are, the purposes, lawful basis, recipients and whether it is to be transferred out of the European Economic Area. In addition, you should make available (such as on a website privacy policy) retention periods and rights of the data subjects (such as to access their information, to be forgotten or to have their data transferred to a new data controller).  

The second data protection principle requires that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. In short, if you obtain personal data for the purposes of fulfilling an order for goods, you should not be using it for an unrelated purpose without a lawful basis such as the specific, informed consent of the data subject.

Under the third principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. For example, do not request information such as date of birth where it is unnecessary.

The fourth principle requires that personal data must be accurate and, where necessary, kept up to date. Inaccurate data can inconvenience or harm the data subject.

The fifth principle requires storage limitation of personal data. Adopt effective retention and disposal practices.

The sixth principle requires that personal data is processed in a way that ensures appropriate safety of the personal data. Under the GDPR there will be mandatory reporting of data breaches by data controllers to the ICO within 72 hours if there is a risk to the data subject (for example, reputational damage or identity fraud) and reporting within a reasonable time to data subjects if there is a high risk to them.  

Administrative fines for various infringements of the legislation will be increasing to up to £17m or 4% of total worldwide annual turnover (whichever is greater). It is therefore imperative to implement good governance, training and policies to manage the risks of the legislation.  

The full wording of the GDPR can be found at