EU General Data Protection Regulation

In the UK, the Data Protection Act 1998 sets out the principles of data protection in compliance with European legislation.

The more recent approval of the EU General Data Protection Regulation (GDPR) has imposed some changes on the operation of UK data protection law, though not to the principles which apply.

The changes, which are intended to strengthen and unify data protection for individuals within the EU, include:

  • Increased powers for regulators to fine organisations which fail to comply with data protection law. Fines can be levied up to €10 million or 4 per cent of the organisation's worldwide turnover;
  • Data controllers will have to be able to demonstrate compliance with the GDPR, which may mean implementing additional records and procedures to prove compliance;
  • The GDPR prohibits the assumption of 'implied' agreement for personal data to be retained and used. Consent must be 'freely given, specific, informed and unambiguous'; and
  • A data subject can normally require that their personal data is deleted in appropriate circumstances.

This list is not comprehensive.

This legislation will continue to apply until Britain leaves the EU, and may well be substantially retained thereafter, depending on the Brexit terms.