GDPR FAQs


GDPR FAQs: What does it mean and what is GDPR compliance?

GDPR (UK) Frequently Asked Questions Answered

  1. What is the GDPR?
  2. Which UK act of Parliament incorporated GDPR?
  3. Why is the GDPR important in the UK?
  4. Who is responsible for enforcing GDPR in the UK?
  5. Who needs to be GDPR compliant?
  6. How many principles apply to the GDPR?
  7. What are data subject rights under the GDPR?
  8. What is a GDPR breach?
  9. Will the GDPR apply after Brexit?

What is the GDPR?

GDPR stands for the General Data Protection Regulations, which are a set of data protection regulations that were made EU law in 2016. These regulations outline a number of data protection principles, and define the data privacy rights that all organisations are required to uphold.

Which UK act of Parliament incorporated GDPR?

Before Brexit, these data privacy laws were enforced in the UK by the Data Protection Act 2018. After leaving the EU, the GDPR was adopted into UK law with a few small amendments. This is often called the ‘UK GDPR’.

These laws are very similar, which means that compliance with one should ensure (but does not guarantee) compliance with the other.

Why is the GDPR important in the UK?

The GDPR is an important piece of legislation that helps to protect personal data and enforce good information security practices. Breaching the General Data Protection Regulation can lead to hefty fines of up to £17.5 million or 4% of a business’ annual turnover, whichever is greater.

Who is responsible for enforcing GDPR in the UK?

In the UK, the Information Commissioner’s Office (ICO) enforces the UK GDPR and, in the European Union, this responsibility falls on the local supervisory authority for each country.

Who needs to be GDPR compliant?

Any organisation that handles the personal data of a UK or EU citizen or resident must comply with the requirements of the UK or EU GDPR respectively. This applies to organisations anywhere in the world.

If your website is aimed at the EU market then it needs to be EU GDPR compliant, and if your website targets the UK market then it needs to be UK GDPR compliant. If you are unsure about which legislation you need to follow, you should seek legal advice before processing any personal data.

How many principles apply to the GDPR?

There are 7 principles of the GDPR that organisations have to follow in order to comply with the GDPR. The principles are:

  • Lawfulness, fairness and transparency: Processing must be done legally and in a way that people expect, and organisations must be open about the processing they do.
  • Purpose limitation: Organisations must be clear why they process the data they do, and not process it for a new purpose without permission.
  • Data minimisation: Organisations must collect and process the personal data they need to fulfil a specific purpose, and nothing more.
  • Accuracy: You must keep personal data accurate and up to date.
  • Storage limitation: Personal data must not be stored for any longer than is necessary.
  • Integrity and confidentiality: Processing must be done in a secure manner.
  • Accountability: Organisations that are processing data must be able to demonstrate that they are complying with the GDPR.

Find out more about the 7 GDPR principles in our online GDPR Awareness or Advanced GDPR Awareness courses.

What are data subject rights under the GDPR?

There are eight data privacy rights under the General Data Protection Regulation that organisations are required to provide. These 8 data privacy rights are designed to give people more control over their personal data.

  • Right to be informed: People have the right to be informed about how their personal data is collected and used.
  • Right of access: People have the right to access and receive a copy of the personal data that an organisation holds about them.
  • Right to rectification: People have the right to request that any inaccurate or incomplete personal data held about them is corrected.
  • Right to erasure: This is also known as the ‘right to be forgotten’, and allows people to request that their personal data is deleted. This right is not absolute, and only applies in certain circumstances.
  • Right to restrict processing: People can request that the processing of their personal data is temporarily restricted in certain circumstances.
  • Right to data portability: People must be able to move, copy or transfer their data between services (where possible) without affecting its usability.
  • Right to object: People have the right to object to their data being processed in certain circumstances.
  • Rights related to automated decision making: This grants people the right to challenge certain decisions made about them without human intervention.

What is a GDPR breach?

A data breach occurs when personal data is used in a way that it shouldn’t be. It can happen even with the strictest data security in place. A personal data breach can take a number of forms, including:

  • Access by an unauthorised third party.
  • Deliberate or accidental action (or inaction) by an organisation.
  • Sending personal data to the incorrect recipient.
  • The loss or theft of computing devices containing personal data.
  • Alteration of personal data without permission.
  • The loss of availability of personal data.

The supervisory authority, which is the Information Commissioner's Office in the UK, must be notified when certain data breaches have occurred.

Will the GDPR apply after Brexit?

As previously mentioned, the GDPR was adopted into UK law after Brexit, and has continued to apply since the UK left the European Union. For more information, visit our dedicated article here.