EU General Data Protection Regulation (GDPR)

Building a culture of privacy in your organisation

The General Data Protection Regulation (GDPR) is the biggest development in data protection law this century – increasing safeguards for individuals and making organisations more accountable for how they use our personal data. The GDPR brings data protection to the forefront of your organisation’s processes: whether you handle personal information relating to your customers or to your employees, the GDPR will have an impact on the way you work. The European Parliament approved the GDPR [Regulation (EU) 2016/679] in April 2016 and it will apply from 25 May 2018. It will strengthen data protection for all individuals within the EU regardless of where the data is held, and it builds on existing regulations to improve consistency and the safeguards in place.

Who does it apply to?

Article 3 of the GDPR sets out the territorial scope of the regulation, which covers:
  • The processing of personal data in the context of the activities of organisations in the European Union, regardless of whether the processing takes place in the Union or not.
  • The processing of personal data of data subjects (i.e. living individuals) who are in the Union by a controller or processor not based in the EU, where the processing activities relate to offering goods or services to data subjects in the Union; or to the monitoring of their behaviour within the Union.
  • The processing of personal data by organisations not established in the Union, but in a place where Member State law applies by virtue of public international law.

The six principles of the GDPR

Under the GDPR, personal data must be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Collected for specified, explicit and legitimate purposes and not processed beyond those purposes. Further processing for archiving purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data are corrected or erased without delay.
  5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods for archiving purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required to safeguard the rights and freedoms of the data subjects.
  6. Processed in a manner that ensures appropriate security of the personal data through the use of technical and organisational measures.