General Data Protection Regulation (GDPR) - a comprehensive guide

By : Forum Member
Published 7th January 2018 |
Read latest comment - 27th April 2018

What is GDPR? What do you need to know about it? Here's a comprehensive legal guide for you. Any questions, post below!

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) aims to standardise and simplify data protection protocols across EU member states. It covers all individuals within the European Union (EU) and regulates the export of the personal data outside the EU.

GDPR comes into effect on 25 May 2018, and it will cover all individuals within the European Union (EU). The General Data Protection Regulation will govern all companies operating within the EU and all foreign companies processing the data of the EU residents.

The Regulation is estimated to cost up to four percent of the digital business turnover worldwide: this being the cost of implementation and penalties to non-compliant businesses.

Scope of the document

GDPR introduces three definitions of parties dealing with personal data. Data Controller shall be a person or an organisation that collects data from the EU residents. Whenever an organisation merely processes data on behalf of the data controller, e.g. for the purpose of algorithmic analysis or cloud storage, it shall be called a Data Processor. The Data Subject shall be a person who is based in the EU and provides the data.

The personal data shall be any information relating to the Data Subject, in their private, public and professional life. Therefore, the Regulation covers a whole spectrum of information, from an official data like name, home address and national insurance number, through to the posts on social media or IP address visit logs.

Supervisory Authority

Each member state shall establish an independent Supervisory Authority (SA) which will be tasked with receiving and investigating complaints, issuing fines and administrative sanctions. Each Data Controller or Processor will have their lead SA in the member state of their main establishment. That lead SA will be managing all affairs relating to the Data Controller or Processor and will supervise all activities across the EU.

The GDPR also creates the Data Protection Officers. They shall be tasked with ensuring that the organisations are compliant with the General Data Protection Regulation. A Data Protection Officer will be appointed for all public authorities and all businesses which core activities consist of data processing operations or large-scale data handling. The Data Protection Officer will have a sound knowledge of data protection law, IT proficiency and data security expertise. The Officer will assist the business with GDPR compliance, deal with cybercrime attacks and ensure business service continuity in respect of personal data processing and protection.

Citizens rights 

According to the General Data Protection Regulation, all Data Subjects will have a fundamental right to be informed about their data processing, including the purposes of data collection, retention time, and contact information to the Data Controller and Data Protection Officer.

Even when the above decisions are made by an algorithm, not a physical person, all Data Subjects will have the right to question and appeal all significant decisions that are made on the basis of this algorithmic processing.

The Data Controller will have an obligation to explain exactly what the personal data will be used for and be held liable for all decisions made. This may prove particularly difficult in the cases of deep learning or artificial intelligence, where the exact inside-the-box processing of the algorithm may be less clear.

Data Subjects will also have the Right of Access, which will enable them to access any data held by the Data Controller and to be informed about how this data is acquired, processed, and shared. Furthermore, the Right to Erasure will give Data Subjects a right to have all their personal data removed (similar to the Right to be Forgotten)

Whilst anonymised and encrypted data is excluded, whenever data could be linked back to the individual, Data Subjects will also have a right to request a transfer of the data to another Data Controller. This data portability rule will not be hindered or obstructed by the Data Controller.

Data Controller’s obligations

Businesses will have to demonstrate that they are GDPR compliant. They must implement robust security and privacy policies, and personal data collected should be anonymised or at least pseudo-anonymised at the earliest opportunity during the data collection.

It is important to note that under GDPR, the Data Controller assumes responsibility and liability for the compliance of the data processing activities. Thus, even if the processing is outsourced to the Data Processor, the commissioning Data Controller is still fully liable.

The Data Controller is also obliged to notify the SA about any data breach within 72 hours of becoming aware of the event. The Data Subject will also be notified if there is any adverse impact anticipated as a result of the breach. If the data was properly anonymised, however, the notification would not be feasible and thus is not necessary.

Ensuring lawful basis for data processing

For the Data Processor to lawfully accept and process personal data, the Data Subject must give an informed consent to the exact activities the data shall be processed for, for the exact given time and exact given purpose. The data must not be used for just any purpose or left without a given purpose on the Data Processor’s servers. The processing of the data must be necessary for the performance of a contractual relationship between the Data Processor and the Data Subject.

Other purposes outlined by the GDPR include compliance with a legal order or obligation, protecting vital interests of the Data Subject or another person, to fulfil a request from a relevant authority in the public interest.


There are a number of fines and sanctions that could be imposed under GDPR. The SA can issue a warning in writing, especially if non-compliance is non-intentional and had not been committed before. There could be regular audits of compliance and financial fines of up to 20m EUR or 4% of the annual worldwide turnover for an infringement of the basic rights and principles of the GDPR.

Final note

Whilst GDPR remains a hugely controversial regulation, businesses must ensure that by 25th of May 2018 they have the right infrastructure in place to be fully compliant. For more information about GDPR and how to ensure compliance please get in touch by writing to, our Data Protection Officer will be happy to help.

Fixed Fee Legal Services | Bespoke Document Drafting | Document Templates

Hello Legal Stop, Happy 2018 

I did do a GDPR post in Dec: Are you ready for GDPR - it will impact you

Be great if you could give it a once over or add any comments as you are our resident legal bod 

Steve Richardson
Gaffer of My Local Services
My Local Services | Me on LinkedIn

Both really useful posts guys, thank you. I am not sure that all business owners understand how important this is so I would imagine there will be a bit of a mad panic to catch up just before the deadline! 

Good to have a source of reference for where to start.


Many thanks,
Natalie - Your Local Girl Friday

Hello all,

GDPR, highly topical and yet a low awareness in the community- good article Legalshop 

I mainly focus on spreading the word about employee data protection, as I am building an employee admin app for SMEs. My latest blog post aims at introducing the idea that perhaps going digital might help small business being GDPR ready.

Any feedback or even better sharing the post or linking back to it would be greatly appreciated 



Don't forget... document and media destruction is a key part of being GDPR compliant. When getting rid of old documents and files make sure you look for an ISO 27001 accredited shredding firm that offers a full audit trail and certificate of destruction. Cross cut shredding and getting your documents shredded on-site will ensure the most compliance as this will significantly reduce the risk of a data breach.

For more info on getting ready for GDPR and data destruction take a look at out blog posts here.

Tom Gilruth

This Thread is now closed for comments