Introduction to the General Data Protection Regulation (GDPR)

Monday 7th September 2020

What is the GDPR?

The General Data Protection Regulation (GDPR) is the most recent EU data protection law; it was adopted in 2016 and has applied since 25 May 2018. The Regulation applies to organisations established in the EU that process personal data. Going beyond the previous Directive, it also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour, whether or not they have any presence there.

The domestic UK data protection regime is set out in the Data Protection Act 2018, which sits alongside the GDPR (directly applicable in the UK while the UK remains subject to EU law) and applies the Regulation to the context of UK-based organisations. The Act is the third generation of UK data protection legislation, replacing the Data Protection Act 1998. It fills in the gaps the GDPR deliberately leaves to member states (the national derogations and exemptions) and sets out rules for processing that does not fall within EU law at all, such as processing by law enforcement and the intelligence services.

GDPR and data protection are critical pillars of information security, and organisations that operate an ISO 27001 management system should record the legislation in their legal and compliance register. Annex A of ISO 27001:2013 includes a control on privacy and protection of personally identifiable information (A.18.1.4), so the Statement of Applicability should show how the organisation uses, processes and manages personal data and how it meets that obligation. With fines now set at up to 4% of global annual turnover or EUR 20 million, whichever is higher, every organisation needs to manage this issue effectively.

Why is it important to my business?

Organisations that protect data gain the trust of their employees and customers. Good data protection procedures will ensure that your organisation maintains people’s fundamental rights of privacy. Such procedures will let your stakeholders have control of their own data and protect their identity and interactions with others. Good data protection procedures will ensure your organisation strikes the balance between the needs of your business and the wider interests of society.  

Data protection covers many different things. It is about ensuring that stakeholders, such as customers, employees, investors and even the general public, trust your business to use their personal data fairly and responsibly. In practical terms, it is about building a relationship of trust between individuals and organisations. At its most basic level, it is about treating people fairly and openly, and recognising their right to control their own identity and interactions with others.

Who enforces the GDPR and DPA 2018 in the UK?

Enforcement of the General Data Protection Regulation and the Data Protection Act 2018 in the UK falls to the Information Commissioner's Office (ICO). The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO also has the capacity and authority to cooperate with data protection authorities and organisations in other countries. The UK left the EU on 31 January 2020, and the transition period ends on 31 December 2020. From that point the ICO will no longer be a member of the European Data Protection Board (EDPB), which is made up of representatives of the data protection authorities of each EU member state and the European Data Protection Supervisor, but it will continue to cooperate with the EDPB and with individual supervisory authorities.

How can I implement it to the context of my organisation?

Most of the GDPR's main concepts, principles and provisions are much the same as those of the Data Protection Act 1998 that it replaced. If your business was in proper compliance with the 1998 Act, most of your approach to compliance remains valid under the GDPR and the Data Protection Act 2018 and is the starting point to build from. However, there are new elements and significant enhancements that will require your business to do some things for the first time and some things differently, such as the accountability principle and its record-keeping requirements, mandatory notification of reportable personal data breaches to the ICO within 72 hours, and data protection impact assessments for high-risk processing. ISO 27001 and similar programmes, such as Cyber Essentials, provide a sound platform of management practices on which to manage data protection and the GDPR requirements.


Nic Farrell

Published on 7 September 2020

Adam Faiers - Director

Adam has been working on Quality and Environmental management systems for most of his career in small, medium and corporate organisations. A keen advocate of the ISO approach as a platform for improvement, Adam ensures that systems are practical and useful for Managers and Staff to use.

Following a number of years working on software development projects, Adam has diversified into Information Security and Business Continuity management. Keen to formalise his industry experience, he is currently undertaking a Diploma in Business Continuity Management at Buckingham University.

Adam has a PhD from Cranfield University and now supports the MSc Environmental Management programmes through the advisory panel and visiting lectures.
