A Primer on the General Data Protection Regulation (GDPR)

Regardless of the UK’s decision to leave the EU, the General Data Protection Regulation will be enforced from 25 May 2018. Its wide coverage applies to all UK organisations that deal with the personal data of EU citizens.

Who is subject to the GDPR?

The GDPR’s strictures apply to two groups: the ‘controllers’ and, for the first time, the ‘processors’ of data. Controllers dictate why and how personal data is used, and processors act on behalf of the controllers when the controllers aren’t doing the work themselves. The new rules emphasise stringent protocols for maintaining personal data records and greater legal liability in the case of a breach. While monitoring their own activity, controllers will be required to make sure their contracts with processors are executed very much in line with the dictates of the GDPR, and engaging third-party suppliers outside the EU will not be a way of getting around them.

What information is subject to the GDPR?

As with the UK’s Data Protection Act, this is all about personal data, but the GDPR has broadened the definition. Online identifiers will now be included as personal data – an IP address, for example, or maybe a cookie, location information or even a screen name. The revised definitions reflect changes in technology and the new ways that organisations collect data.

What are the advantages of GDPR?

The focus on the more alarming fines organisations face for non-compliance is understandable, but the new regime affords many advantages to companies willing to seek them out. As processing procedures are necessarily reviewed under the GDPR, it’s a good opportunity for companies to reorganise data flows and thereby meaningfully improve efficiency. Plus, the legislation clarifies multiple concepts that were sources of confusion, such as anonymisation, which makes following the rules more straightforward. Increased clarity and lighter compliance burdens for those engaged in less risky processing make life easier.


Earlier this year, Ashfords conducted a survey in partnership with Insider South West which asked organisations about their knowledge of GDPR, how prepared they were for the upcoming changes, and the types of data that they currently process.

The research showed that 56% of companies have taken initial steps in preparing for the GDPR, but still have work to do. However, 10% have stated that they are well prepared for the GDPR while 34% of companies have not yet started to review their company policies and procedures when handling and storing data.

For more information about Ashfords' GDPR survey, please click here.
