4 minute read

The General Data Protection Regulations (GDPR) Essentials

The GDPR applied in the UK since 25 May 2018 replacing all previous data protection directive.

The GDPR affects any business that have day-to-day responsibility collects, processes, stores, and uses personal data from people residing in the UK, and to controllers and processors based outside the UK if their processing activities relate to:

  • Offering goods or services to individuals in the UK
  • Monitoring the behavior of individuals taking place in the UK

1st January 2021 the UK formally left the European Union (EU) and became known as a third country. This led to the creation of EU-GDPR and the Data Protection Act (2018) UK-GDPR The UK-GDPR is identical to the EU-GDPR but is an independent UK legislation governed and enforced by the UK data protection agency Information Commissioner’s Office (ICO) and does not influence EU authorities.

All UK businesses must be 100% compliant with UK-GDPR or face substantial fines for non-compliance.

Why the need for GDPR?

People have the right to know and have some control over what personal information a business collects, uses, and shares about them.

With major advancement in technology, easier access to the internet via mobile devices, online shopping and the increased use of social media, Google, Facebook, and LinkedIn etc. has resulted in the enormous increase of consumer personal data being captured, used, shared, and stored by businesses.

What is Personal Data?

As defined in the GDPR Personal Data is a legal term, for “any information relating to an identified or identifiable natural person ‘Data Subject’.

An identifiable person is anyone that can be identified, directly or indirectly, such as:

  • An identification number i.e. National Insurance Number.
  • One or more factors to their physical, physiological, mental, economic, cultural, or social identity.

Linked / linkable personal data, including:

  • Name,
  • Email address
  • Personal identification number i.e. Passport number

Sensitive data, or special category data, is any data that reveals a subject’s information.

Sensitive/Special category personal data includes:

  • Racial or ethnic origin
  • Political beliefs
  • Religious beliefs
  • Sexual orientation

You need a lawful basis in order to process special category data, include:

  • If the individual (data subject) has given their explicit consent, or made the data public
  • Processing is necessary for the organisation to meet obligations in terms of employment, social security, or social protections as is authorised by UK law
  • Processing is being carried out in pursuance of legitimate activities (by a law) by a foundation or not-for-profit organisation
  • Protecting data subject interests when the subject is unable or incapable of providing consent
  • Substantial public health concerns

 Non-Sensitive personal data includes:

  • Gender
  • Date and place of birth
  • Post code

GDPR Breaches and Fines

A personal data breach occurs when an individual’s personal data is compromised through an incident that impacts the security of that data.

This incident could be accidental or deliberate and unlawful, leading to the destruction, loss, alteration, unauthorised disclosure, or unauthorised access of the individual’s personal information.

Personal Data Breaches include:

  • Access to an individual’s personal data by an unauthorised person(s)
  • Deliberate or accidental action or in-action by a Data Controller or a Data Processor
  • Sending personal data to an unintentional or incorrect recipient.
  • Personal data being lost or stolen on a computing device such as a laptop or memory stick
  • Altering personal data without permission.
  • Availability of personal data

You must report a notifiable data breach to the ICO without unnecessary delay, and not later than 72 hours after becoming aware of it.

Reporting a data breach to ICO


Failing to comply with GDPR businesses face prosecution action by the ICO, who can issue penalties for a data breach including:

  • Warnings and reprimands
  • Compliance orders
  • Bans on processing or data transfers, temporary or permanent
  • Administrative fines

Businesses may be subject to:

  • Private claims for compensation for damages suffered from individuals or consumer protection or legal bodies on behalf of individuals
  • Damage to business reputation
  • Loss of consumer trust
  • Loss of customers, sales and revenue
  • Loss of intellectual property if hackers manage to steal designs, strategies, and proposals
  • Hidden costs such as legal fees, breach investigation experts, legal fees and hike in business insurance premiums
Need help with Data Protection and GDPR?
P4P can help businesses across a wide range of regulated industries develop effective strategies, connect with the right tools, provide support and guidance to ensure compliance with regulatory laws.

Follow, like, share and subscribe

All images images, photographs and videos used on this website, are purchased, free stock, or CC0 and accredited to the artist where possible.

The information contained within this article does in no way constitute legal advice. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk.
error: Content is protected !!