General Data Protection Regulation (GDPR)
Redlo offers a bespoke range of Business & HR Services to a wide range of organisations. Our team offers on-boarding services and sales team reviews that have proven beneficial to numerous organisations. We can also assist with your organisation's plans to make sure you comply with the new GDPR legal requirements, and we have listed below some of the key updates and requirements for your records.
Contact our team to discuss your GDPR/Data training aspirations on the below options:
Call 07586 342161 or email us at: info@Redlo.co.uk
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA) 1998 so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Quick overview of whom the GDPR applies to
- Essentially it is for those who have day-to-day responsibility for data protection.
- General Data Protection Regulation (GDPR) which will apply from 25 May 2018.
- For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking.
- The GDPR requires you to maintain records of your processing activities. (See below)
- Implementing the GDPR could have significant resource implications, and it's key to know your requirements.
- When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. (This is usually done through a privacy notice.) Under the GDPR there are some additional things you will have to tell people.
- The GDPR applies to ‘controllers’ and ‘processors’.
- The Controller says how and why personal data is processed. However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The Processor acts on the controller’s behalf. (If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.) If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
Why it's key that all organisations know the requirements and consider new data processes before next May
You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large business this could have significant budgetary, IT, personnel, governance and communications implications.
The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance with all the areas listed in this document will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations.
What information does the GDPR apply to?
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as a client's or customer's details, for example an IP address, can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
- For most organisations, keeping HR records/client databases, or even contact details, the change to the definition should make little practical difference.
- You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
- The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
- Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Information you hold/use or share:
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas. The GDPR requires you to maintain records of your processing activities.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Redlo offers one-day and half-day training courses to assist all departments with the key GDPR areas and strategies to ensure you're compliant and aware of the risks. Our team can offer packages to suit your business size and requirements. If you collect data, process data or individuals' details, or hold client databases, then we advise you to contact our team!
Contact our team to discuss your GDPR aspirations on the below options:
Email us at: info@Redlo.co.uk
Call our team on 07586 342161.
Consider the rights of individuals:
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including
Essentially the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy.
This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data?
Who will make the decisions about deletion?
The right to data portability is new. It only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
You should consider whether you need to revise your procedures and make any changes. (You will need to provide the personal data in a structured, commonly used and machine-readable form and provide the information free of charge.)
(C) 2017 Redlo Ltd. No part of information, data or images can be used or taken without written permission.