Part 1: What is GDPR?

The General Data Protection Regulation (GDPR) is the rulebook relating to the Processing of Personal Data across the EU.

Important GDPR Definitions

The following definitions are used throughout the GDPR, and throughout the SWGfL GDPR guidance:

  1. Processing is any operation (including collection, recording, organising, storing, altering, using, and transmitting) performed on Personal Data.
  2. Personal Data is any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.

The GDPR

The GDPR (officially called the General Data Protection Regulation (EU) 2016/679) replaced the Data Protection Directive (officially called Directive 95/46/EC) on 25 May 2018.

The intention of the GDPR is to strengthen and unify data protection for individuals within the European Union (EU). But what exactly does that mean?

The previous Data Protection Directive was, as the name suggests, a directive. Directives set out certain outcomes that must be achieved, but each EU member state can choose how to apply it. This inevitably leads to inconsistency, as each of the 28 member states (correct at the time of writing) can do something differently to the others.

The GDPR, however, is a regulation. Regulations differ from directives in that they are applicable (in their more consistent, singular format) in each member state at the same time (which is set by the EU), and are enforceable through law.

In the UK, the Data Protection Directive was applied through the Data Protection Act 1998, which was quite different to the applications in other member states. The GDPR is supplemented in the UK through the Data Protection Act 2018, which refers in many places to the GDPR itself, as well as defining how certain aspects of the GDPR will apply in the UK.

The GDPR is an EU law that applies in the UK and which sets out requirements and rules around data protection.