This GDPR 101 guide/overview is the first of a series of posts from, and highlights some of the major changes that the EU GDPR will bring from 25th May 2018 when it replaces the 1998 Data Protection Act (DPA) and 1995 Data Protection Directive.


The 1998 Data Protection Act (DPA) in accordance to the 1995 Data Protection Directive, was formed to ensure that large organisations and corporations were responsible in how they stored and processed personal data and countries interpreted the Directive into its own national law. However, since 1998, rapid technological developments, coinciding with globalisation, and of course the mass adoption and growth of the internet as a medium for communication and commerce, this meant that companies of any size (including SME’s and micro organisations) store and process personal data – on an unprecedented scale – in order to pursue their business activities, whether it be for Sales, Marketing, Human Resources, Customer Service, or otherwise.

People are increasingly making personal data available and obtainable, not just within their home country but across international territories too, and in public – every day!

All that personal information that companies have collected over the years means existing legislation no longer adequately protects the rights of an individual. As the 1995 Data Protection Directive has been incorporated in 28 different ways (each EU member has their own version of the directive as part of their own national law, i.e. the 1998 Data Protection Act for the UK), the EU decided to take action, and as a result, the EU General Data Protection Regulation (GDPR) was drafted, agreed by each EU state, and was written into EU law in April 2016, with the objective being to ensure that there is a unified legislation that protects the personal data of EU citizens. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

Some of the Major Changes

Whilst some elements of the 1998 Data Protection Act have been carried over to be incorporated into the EU GDPR, there are significant changes around the following, which state that organisations MUST:

  • use personal information fairly and lawfully;
  • collect only the information necessary for a specific purpose(s);
  • ensure that the personal data you hold is relevant, accurate and up to date;
  • only hold as much personal information as you need, and only for as long as you need it;
  • allow the subject of the information to see it on request; and
  • keep it secure.

Think names, addresses, phone numbers, account numbers, and more recently email and IP addresses.

To Whom does GDPR Apply?

To quote the UK Information Commissioner’s Office:

  1. “Your obligations under the GDPR will vary depending on whether you are a controller, joint controller or processor.”
  2. “The ICO has the power to take action against controllers and processors under the GDPR.”
  3. “Individuals can bring claims for compensation and damages against both controllers and processors.” (source:

We hope you find this GDPR 101 guide to be useful in finding out a bit more about the new regulation. Over the course of the coming weeks and months we will continue to post news and commentary relating to the EU GDPR so look out for them on our site and if you have any questions about this GDPR 101 guide or are looking to implement GDPR into your organisation and are unsure where to start, then get in touch via the contact us page and we’ll be in touch.

Read our next Bog post about the Role of the ICO here 

One Comment

Comments are closed.