In Plain English

GDPR is the law that protects people's personal information. If your business collects names, email addresses, IP addresses, or any other data that identifies a person (directly or in combination with other data), and you are established in the EU or UK, or offer goods or services to or monitor people there, GDPR applies to you.

The regulation gives individuals rights over their data and requires businesses to handle it responsibly. The UK retained its own version after leaving the EU (UK GDPR, enforced by the ICO) that works in much the same way as the EU version.

Key Principles

  • Lawfulness, fairness and transparency - Have a valid lawful basis (such as consent, contract or legitimate interests) and be open about what you do
  • Purpose limitation - Only use data for the purposes you stated when you collected it
  • Data minimisation - Collect only what you need for those purposes
  • Accuracy - Keep data correct and up to date
  • Storage limitation - Do not keep data longer than necessary
  • Integrity and confidentiality (security) - Protect data with appropriate technical and organisational measures
  • Accountability - Document compliance and be able to demonstrate it on request

Individual Rights

People can request access to their data, correction of errors, deletion (the right to be forgotten), restriction of processing, and data portability, and can object to certain processing, including direct marketing. You must respond within one month of receiving the request; for complex or numerous requests this can be extended by up to two further months, but only if you tell the individual why within the first month.

Breach Notification

If you suffer a personal data breach likely to result in a risk to individuals, you must notify the ICO (or the relevant EU supervisory authority) within 72 hours of becoming aware of it; if you cannot provide all the details in that time, report what you know and supply the rest in phases. Breaches likely to result in a high risk also require notifying the affected individuals without undue delay. Keep an internal record of every breach, including those you decide not to report, so you can show the regulator how you reached that decision.

Getting Compliant

  • Know your data - What you collect, why, where it is stored, who it is shared with, and when it is deleted
  • Update privacy notices - Tell people clearly, in plain language, how you use their data and what rights they have
  • Review consent - Where you rely on consent, ensure it is freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give
  • Implement security - Appropriate technical and organisational measures such as encryption, pseudonymisation, access control, backups that let you restore availability, and regular testing of those controls
  • Document everything - Records of processing activities, lawful bases, consent, breach logs, and data protection impact assessments for high-risk processing