mobile menu icon

The EU GDPR 10 things you need to know


  1. The new EU General Data Protection Regulation (“GDPR”) will become applicable across the EU on 25 May 2018. The UK Government have confirmed the UK will implement it as planned, Brexit notwithstanding.

  2. The general concepts stay the same. The GDPR will replace the current data protection laws across the EU (including the UK Data Protection Act 1998), and introduce a number of new obligations on organisations. But it isn’t a complete overhaul – the familiar concepts of personal data, sensitive personal data, controllers and processors, and the basic principles, stay the same – just with a few tweaks.

  3. Online identifiers (such as IP addresses) and other unique IDs are expressly included in the definition of “personal data”, and so should be protected in the same way as other personal data. Biometric and genetic information, as well as information about sexual orientation are now designated as “special category data” (i.e. sensitive personal data).

  4. The standard for genuine consent will get higher. Consent is only valid when the individuals have a genuine choice as to whether or not their data is processed in a particular way. If the data processing is not necessary for the provision of a service, then use of the service should not be made conditional on giving that consent. 

  5. Organisations will need to give more information about the processing to individuals. For example, information about retention periods, the legal basis for the processing, and how individuals can exercise their rights.

  6. The GDPR strengthens existing data subject rights, and introduces some new ones. Subject access requests must be processed free of charge, and within one month. There is a new right to erasure and a right to be forgotten.

  7. The GDPR introduces a new concepts of privacy by design and privacy by default. Data protection and privacy should be built into any new system, project or operation right from the outset. Information should not be shared or made public by default, but only if the individual opts-in.

  8. It will be mandatory to report security breaches to the supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours. Organisations will also have to report breaches to the affected individuals where they are at risk.

  9. Organisations will need to conduct Data Protection Impact Assessments (DPIA) prior to any data processing which could be considered as high risk, because of its potential to impact on individuals. For example, any new monitoring activity or collection of sensitive personal data.  A DPIA involves assessing the risks associated with the proposed project, and considering what safeguards can be put in place to protect individuals.

  10. The GDPR requires organisations to be able to demonstrate that they are compliant with the GDPR, through their internal policies, processes and training. This known as ‘accountability’.

Sign up for newsletters

If you would like to subscribe to regular Bristows publications, please click on the Sign up button below to complete our short registration form.

Share to: