The General Data Protection Regulation




The General Data Protection Regulation (2016/679 EU) (GDPR) is the new governing legislation for collecting and processing personal data in the EU.

It comes into effect on 25 May 2018 for all EU member states. The Government has confirmed that the Regulation will be implemented in the UK as it will still be a member of the EU at that time. The Regulation will replace the Data Protection Directive (95/46/EC) (which is implemented in the UK by the Data Protection Act 1998) when it comes into effect.

The Regulation requires that personal data be processed according to many of the same principles as under the current Data Protection Act 1998 with the exception of new requirements:

  • that restrict the use of consent as a justification for processing data;
  • on demonstrating compliance through the documentation of data processing activities;
  • on adopting organisational measures for data protection such as policies and practices; and
  • on providing more information to employees and job applicants on the purpose and legal grounds for collecting their data, and their rights in relation to their personal data.

The Regulation creates a new enforcement system, with significantly higher maximum penalties than under the Data Protection Act 1998. In particular, breach of the Regulation in some circumstances can lead to a maximum fine of 20 million euros or 4% of an undertaking’s worldwide annual turnover, whichever is higher.


Information Commissioners Office : Guide to the General Data Protection Regulation (GDPR)

EU GDPR website.


Business, Finance & Law