The General Data Protection Regulation (GDPR) applies to all EU Member States, including the UK

15 February 2019

The General Data Protection Regulation (GDPR) applies to all EU Member States, including the UK, from 25 May 2018.

The GDPR strengthens existing data protection rules through a number of measures, including:

  • an expansion of individual data protection rights, including the right to be forgotten
  • toughening the rules on individual consent to processing sensitive data
  • shortening the timescale for responding to ‘subject access requests’ from 40 days to one month, and removing the £10 fee
  • requiring organisations to report any data breaches which ‘risk the rights and freedoms of the individual’ to the regulatory authority and, where there’s a high risk of this, to the individual affected as well.

Breaches of the GDPR may lead to fines of up to 20 million Euros or 4 per cent of global turnover, whichever is the greater. Enforcement of the new rules in the UK rests with the Information Commissioner’s Office (ICO).

On 13 September 2017, the government introduced a new Data Protection Bill to:

  • set new standards for protecting general data in accordance with the GDPR, while retaining certain UK exemptions
  • replace the UK’s existing Data Protection Act 1998
  • implement the EU’s law enforcement directive (concerned with the prevention, detection and prosecution of criminal offences).

The Bill received Royal Assent on 23 May 2018 to become the Data Protection Act 2018, which came into force on 25 May 2018.

The ICO has a range of information and resources especially designed for organisations. CIPD members can also see our Data protection, surveillance and privacy at work law Q&As.