
7 years of the GDPR

20 November 2025


Reflect – Review – Refresh

The GDPR (General Data Protection Regulation) and UK DPA (Data Protection Act) 2018 took effect on 25 May 2018, updating the UK’s data protection regime for the first time in more than 20 years.*

Seven years later, following a global pandemic, an extensive shift to remote and hybrid working, and the widespread adoption of generative AI, data processors and controllers should reflect on their data protection obligations, review their data processing activities and refresh their compliance programmes.

After all, GDPR compliance is an ongoing process that should adapt and grow alongside your business.


Reflect on your data protection obligations

The EU GDPR has applied to the processing of EU residents’ personal data since 25 May 2018.

A new UK Data Protection Act took effect at the same time as the GDPR. It fills in sections of the Regulation that were left to individual member states to interpret and implement, and applies the GDPR’s provisions to certain areas that fell outside the Regulation’s scope, such as law enforcement processing and intelligence services processing.

Combined, the two laws granted greater data privacy rights to individuals and placed tougher obligations on organisations – all backed up by a system of fines and other regulatory penalties.

The UK GDPR superseded the EU Regulation in the UK on 31 December 2020, following the Brexit transition period.

UK organisations that process personal data must therefore comply with:

  • The DPA 2018 and UK GDPR if they process only domestic personal data; or
  • The DPA 2018 and UK GDPR, and the EU GDPR if they process the personal data of UK residents and offer goods and services to, or monitor the behaviour of, EU residents.


Review your data processing activities

Since Brexit, successive UK governments have sought to reform data protection law in the UK. The latest bill to pass through parliament is the Data (Use and Access) Bill.

In its draft form, the Bill is less expansive than the previous government’s shelved DPDI (Data Protection and Digital Information) Bill. Its proposed provisions include:

  • DSARs (data subject access requests)
    The Bill introduces a “reasonable and proportionate” search standard when responding to DSARs and allows data controllers to request additional information from data subjects to clarify requests.
  • Legitimate interests
    The Bill establishes RLIs (recognised legitimate interests), such as public safety and national security, which permit data processing to be carried out.
  • Automated decision making
    The Bill replaces Article 22 of the GDPR, reducing restrictions on automated decision making. Additional safeguards are introduced.
  • International data transfers
    The Bill establishes a “data protection test” to assess the adequacy of non-UK countries’ data protection laws.
  • Scientific research
    The Bill expands the definition of scientific research to include both commercial and non-commercial activities.
  • ICO (Information Commissioner’s Office)
    The Bill renames the ICO the ‘Information Commission’ and establishes a formal board structure.
  • Cookies and PECR (Privacy and Electronic Communications Regulations) enforcement
    The Bill exempts certain cookies from consent requirements as long as users are informed and can opt out. PECR fine levels are raised to match UK GDPR fines.

Until the Bill is enacted, the UK GDPR and DPA 2018 continue to apply in their current forms.

Refresh your compliance programme

If you think you need to update your data processing activities, our products and services will help you identify and remediate any GDPR compliance gaps simply and effectively.

Other GDPR compliance products and services

GRC Solutions has been at the forefront of GDPR compliance solutions since before the Regulation took effect. Since then:

  • More than 8,300 people have taken our GDPR training courses;
  • We’ve delivered GDPR staff awareness training to more than 88,900 people;
  • We’ve provided GDPR consultancy to more than 2,500 organisations; and
  • We’ve sold over 7,800 GDPR books, documentation templates and toolkits.

If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need – whatever your resources or expertise.


Free GDPR blogs

For more information about achieving – and demonstrating – GDPR compliance, read our blogs:


* A UK version of the GDPR replaced the EU Regulation in the UK at the end of the Brexit transition period on 31 December 2020. There is relatively little difference between the two laws. However, for the sake of clarity, we refer to “the GDPR” to mean those requirements common to both the UK and EU versions of the Regulation. Where the two laws differ, we use the regional prefixes.

**The GDPR Gap Analysis service is provided by DQM GRC. Data Protection Officer (DPO) as a Service, the GDPR Advice Service, GDPR Contract and Legal Services, GDPR UK Representatives, and Data Subject Access Request as a Service are all provided by GRCI Law. The GDPR EU Representative service is fulfilled by IT Governance Europe. DQM GRC, GRCI Law, IT Governance Europe and IT Governance Ltd are all part of GRC Solutions. For a more efficient customer experience, you will be redirected to the relevant website.