Overview

What is the GDPR?

The General Data Protection Regulation (GDPR) is one of the most wide-ranging pieces of legislation passed by the European Union in recent memory. The GDPR was introduced to provide a set of standards to ensure better safeguarding of personal data. It standardises data protection law across the single market and gives people in a fast-moving digital economy greater control over how their personal information is used.

Scope

Who does the GDPR apply to?

All organisations that process personal data and operate within, or sell goods to, the EU are affected by the GDPR. The definition of processing is aimed at covering practically every type of data usage and includes collection, storage, retrieval, alteration, disclosure and destruction.

The GDPR applies to both data ‘controllers’ and ‘processors’. Data controllers determine the purpose and manner in which data is processed, while data processors are any third party undertaking data processing on behalf of a controller.

Changing GDPR requirements

The UK GDPR

In the UK, the requirements of the GDPR are implemented and ratified by the Data Protection Act 2018.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR), a law that sets out how personal data must be collected, handled and stored to protect people’s privacy. It also gives individuals the right to know what personal data is held about them and to have that data erased in certain circumstances. The Act came into force on 25 May 2018 and replaced the Data Protection Act 1998.

The GDPR is retained in domestic law as the UK GDPR. The UK GDPR sits alongside an amended version of the DPA 2018. Because the UK GDPR is very similar to the EU GDPR, organisations that comply with the latter are likely to be in compliance with the former.

The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the European Economic Area (EEA).

One key point is that the UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:

  • Offering goods or services to individuals in the UK; or
  • Monitoring the behaviour of individuals if it takes place in the UK

The UK GDPR also has implications for UK controllers that have an establishment in the EU, have customers in the EU, or monitor individuals in the EU. While the EU GDPR still applies to this processing, the way organisations interact with European data protection authorities has changed.

Personal data

What is personal data?

Article 4 of the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. For most organisations, this will mean implementing appropriate measures to protect information relating to employees, customers and partners. The GDPR broadens the definition of personal data to include all types of information that could be used to indirectly identify individuals. Other examples of personal data include:

  • ID numbers
  • IP addresses and cookie IDs
  • HR records
  • Customer contact details
  • Health records
  • Biometrics
  • CVs
  • Employment information
  • CCTV footage
  • Phone call recordings

GDPR vs DPA

How does the GDPR differ from the Data Protection Act (DPA) 1998?

The UK GDPR sits alongside an amended version of the DPA 2018. With UK businesses now required to adhere to the updated requirements of the DPA as well as the GDPR, it is important to understand how requirements have changed since the previous Data Protection Act of 1998.

Personal information

An expanded definition of personal information to include online identifiers such as IP addresses.

Increased sanctions

An increased level of fines for organisations that fail to comply and/or suffer a personal data breach.

Data Protection Officers

The requirement for organisations with more than 250 employees, or firms which process more than 5,000 subject profiles annually, to appoint a dedicated Data Protection Officer.

Consent

A tightening of the consent rules governing the collection and processing of personal information.

Right to be forgotten

The right for individuals to be forgotten, by requesting the erasure of their personal data from company records.

Privacy by design

Promotion of privacy by design - ensuring data protection is taken into account at every stage of a product development process.

GDPR Article 5 Principles

Personal data shall be...

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Retained only for as long as necessary
  • Processed in an appropriate manner to maintain security

Protecting personal data

The importance of ensuring the security of personal data

To ensure ongoing data security, principle six of the GDPR states that personal data should be processed in an appropriate manner.

Protecting personal data against unauthorised processing, accidental loss and destruction forms a key part of measures that all organisations should take.

GDPR Solutions

Tailored solutions for GDPR compliance

By helping you to understand and address gaps in your organisation’s cyber security as well as proactively detecting and responding to threats when they occur, Kroll’s MDR, DFIR and assessment services support swift, hassle-free GDPR compliance.

ThreatDetect MDR

Managed Detection and Response

Award-winning support to rapidly detect and respond to the latest threats 24/7

Assessment Services

Specialist engagements to uncover and address hidden cyber security risks

Incident Response Services

Respond quickly and effectively to cyber incidents
