GDPR Introduction & Information

The General Data Protection Regulation (GDPR) comes into effect from 25 May 2018. GDPR will apply to UK businesses of all sizes. Its personal data storage and handling requirements mean that companies will need to review their procedures, and update or create new ones as necessary. GDPR will apply to both staff and third-party personal data, and it will include eight legally-backed ‘rights’ for individuals. Further advice on GDPR is provided in this section.

From May 2018, an individual will have the right to...

1.      …request access to their personal data (usually free of charge), and how you make use of it.  (Also known as the ‘Right of access’.)

2.      …ask you to delete/remove their personal data where there is no good reason for its continued storage or processing.  (Aka ‘Right to be forgotten’.)

3.      …transfer or move their personal data between service providers easily and safely, without obstacles to usability of the data.  (Aka ‘Right to data portability’.)

4.      …know how you intend to use their personal data when it is being gathered. They must freely give their consent to it. Their consent cannot be assumed or taken for granted. There are particular rules around what information you should supply and at what stage you need to supply the information to your customers.  (Aka ‘Right to be informed’.)

5.      …have personal data rectified if it is inaccurate or incomplete. If you have disclosed the data in question to third parties, you must inform them of the rectification. You should also ensure that your customers are aware of the third parties to whom you have disclosed the data, where appropriate.  (Aka ‘Right to rectification’.)

6.      …allow you (in some cases) to store their personal data, but also state that you are not allowed to process that data for any reason.  (Aka ‘Right to restrict processing’.)

7.      …object to your usage of their data. Individuals must have an objection on “grounds relating to his or her particular situation”.  (Aka ‘Right to object’.)

8.      …be safeguarded against the risk of a potentially damaging decision “without human intervention”. You should identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR. (Aka ‘Right to be protected from negative automated decisions’.)

GDPR will change how data protection and data handling operates in businesses. It could affect your business in various ways.  Fines under GDPR can be up to €20 million or 4% of turnover, whichever is higher, so it’s important to start considering what you will need to do, right away.  


GDPR and smaller businesses: ‘consent’ to collect and process personal data

(PDF, 1 MB)
Published 06 Feb 2018

ECA GDPR guide on data mapping

(PDF, 380 kB)
Published 30 Jan 2018
Last reviewed 30 Jan 2018

10 Key Steps to Engaging with GDPR

(PDF, 8.1 MB)

Start your journey towards meeting your GDPR requirements by embarking on the 10 key steps in this document.

Published 23 Nov 2017
Last reviewed 23 Nov 2017

General Data Protection Regulation (GDPR)

(PDF, 439 kB)
Published 05 Oct 2017
Last reviewed 05 Oct 2017