What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (2016/679 EU) (GDPR) is the governing legislation for collecting and processing personal data in the EU.

As an EU regulation, the GDPR applies automatically in the UK during the Brexit transition period and will be incorporated into UK law when the transition period ends on 31 December 2020. The Government has also introduced the Data Protection Act 2018, which supplements the GDPR, so the GDPR standards will continue to apply following Brexit.

The GDPR requires that personal data be processed according to many of the same principles as under the previous Data Protection Act 1998 regime. However, employers should note, in particular, that the GDPR introduced requirements:

  • on restricting the use of consent as a justification for processing data;
  • on demonstrating compliance through the documentation of data processing activities;
  • on adopting organisational measures for data protection such as policies and practices; and
  • on providing more information to employees and job applicants on the purpose and legal grounds for collecting their data, and their rights in relation to their personal data.

Employers should also be aware that the GDPR enforcement system provides for significantly higher maximum penalties than under the previous data protection regime. In particular, breach of the GDPR in some circumstances can lead to a maximum fine of €20 million or 4% of an undertaking's worldwide annual turnover, whichever is higher.