The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that comes into force on 25 May 2018. It changes how organisations process and handle data, with the key aim of giving greater protection and rights to individuals.
The GDPR replaces the Data Protection Act 1998.
The UK is in the process of implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small differences, but once the Bill has passed through Parliament and becomes an Act, UK law on data protection will largely be the same as that of the GDPR.
The GDPR states that personal data must be:
- processed lawfully, fairly and in a transparent manner
- collected only for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date
- held only for the absolute time necessary and no longer
- processed in a manner that ensures appropriate security of the personal data
For more information on the GDPR, visit the Information Commissioner's Office.