Data Protection


The European Union adopted on 27 April 2016 a major reform of data protection legislation in the form of the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which replaced the former Directive of 1995, Directive 95/46/EC. The GDPR will have direct effect from 25 May 2018 in all EU member states.

In the United Kingdom, the GDPR will therefore supersede the UK legislation, in particular the Data Protection Act 1998 (DPA). Although the terms of withdrawal of the UK from the EU are not finally settled as at the time of writing, it is likely that the provisions of the GDPR will continue to apply in the UK during the Brexit transition period and beyond.

According to the European Commission [Communication from the Commission to the European Parliament and the Council Stronger protection, Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018], the Regulation did not substantially change the core concepts and principles of the data protection legislation put in place back in 1995. This should mean that the vast majority of controllers and processors, provided that they are already in compliance with the existing EU data protection laws, will not need to make major changes to their data processing operations to comply with the Regulation.

The Regulation impacts most on operators whose core business is data processing and/or dealing with sensitive data. It also impacts on those that regularly and systematically monitor individuals on a large scale. These operators will most probably have to appoint a data protection officer, conduct a data protection impact assessment and notify data breaches if there is a risk to the rights and freedoms of individuals. Operators, in particular SMEs, which do not engage in high risk processing as their core activity will normally not be subject to these specific obligations of the Regulation.

What do businesses have to do to comply with the GDPR?

There are obligations on both 'Controllers' and 'Processors' of personal data. Businesses need to undertake thorough reviews of their use of personal data and to clearly identify which data they hold, for what purpose and on what legal basis. They should also assess the contracts in place, in particular those between controllers and processors, the avenues for international transfers and the overall governance (what IT and organisational measures to have in place), including the appointment of a Data Protection Officer.

The Information Commissioner's Office has General Data Protection Regulation (GDPR) FAQs for small organisations.

What are the main changes introduced by the GDPR compared with the Data Protection Act?

* One single set of rules

There is one single set of rules for citizens and businesses throughout the EU, ending the situation where EU Member States have implemented the 1995 Directive’s rules differently.

A level playing field will apply for all companies operating in the EU market: businesses based outside the EU must apply the same rules as those based in the EU if they are offering goods or services to individuals in the Union or are monitoring the behaviour of individuals in the Union.

See: Article 3 GDPR (territorial scope)

* Stronger individuals’ rights

Consent to processing: when data processing is based on consent, the data controller shall be able to demonstrate that the individual to whom the data relates (data subject) has consented to processing of his or her personal data. 'Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her [Article 4(11) GDPR].

Comment: reliance on ticking of an opt-out box or