The Regulation

The EU General Data Protection Regulation (GDPR) replaced the EU Data Protection Directive and on 25th May 2018. The Data Protection Act 2018 is the UK’s implementation of GDPR. This legislation continues to apply in the UK following the UK's departure from the EU.

The Regulation is designed to harmonise data privacy laws across the EU, protect and empower all EU citizens' data privacy and reshape the way organisations approach data privacy. Compliance with GDPR in the UK is overseen by the Information Commissioner’s Office.

The GDPR sets out a legal framework of rights and duties which are designed to help safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for their business, and the rights of individuals to have their personal details protected and not misused. It ensures that organisations recording personal data:


  • Have a lawful basis for processing data.
  • Are accountable under GDPR and can demonstrate compliance with the Regulation.
  • Process data securely.
The GDPR is much larger in scope than the Data Protection Act since it applies to all companies processing the personal data of data subjects residing in the EU, regardless of a company’s location. The Regulation also covers most forms of personal and sensitive data used in modern day society.