‘The GDPR: One Year On’ - looking back on the GDPR, what have we learnt and what should we focus on going forward – Part 1

‘The GDPR: One Year On’ - looking back on the GDPR, what have we learnt and what should we focus on going forward – Part 1   

Laura Johnson, a Technology, Outsourcing and Privacy solicitor at Fieldfisher LLP, joined our recent LexisNexis Aspire networking and professional group facilitated by Sophie Gould, to share her expertise in an engaging and interesting presentation covering the low-down on the GDPR one-year post-implementation.

Key GDPR concepts

Laura started off by giving us a quick overview of the GDPR. This legislation applied from 25 May 2018 and replaced the Data Protection Act 1998 in the UK. It was implemented to modernise and harmonise the laws around data protection in order to better protect the personal information of individuals. However, as Laura reminded us, there is still more work to be done to catch up with the evolving technology in this area.

Personal data can be defined as any information relating to a data subject which leads to direct or indirect identification. Or, to put it simply, any information which identifies us as individuals e.g. IP addresses and device IDs.

There are a few other key terms under the GDPR, including:

  • Special category data – this is personal data which is especially sensitive and is therefore in need of greater protection
  • Criminal conviction data – to process personal data about criminal convictions or offences, you must have both a lawful basis under Article 6 and authority for it under Article 10
  • Anonymous data – data which must be truly anonymous
  • Pseudonymous data – where the means of storing the data stops it from being classified as personal data per se e.g. where the identifying element is stored elsewhere

Scope of the GDPR

The material scope of the GDPR includes when data is processed by automated means or where there is a hard copy which forms part of the relevant filing system.

The territorial scope of the GDPR is that it applies to any controller or processor which is:

  • established in the EU
  • located outside the EU:
  • offers goods and services to data subjects in the EU
  • monitors the behaviour of data subjects in the EU to the extent it takes place in the EU

Lawful processing

There are six lawful bases for processing personal data:

  •  Consent – the most well-known one, not enough to just consent to processing
  • Contractual necessity
  • Legal obligation (under EU law)
  • Vital interests
  • Public interests (under EU law)
  • Legitimate interests (unless public authority)


Subscription Form

Already a subscriber? Login
RELX (UK) Limited, trading as LexisNexis, and our LexisNexis Legal & Professional group companies will contact you to confirm your email address. You can manage your communication preferences via our Preference Centre. You can learn more about how we handle your personal data and your rights by reviewing our  Privacy Policy.

Related Articles:
Latest Articles:

Access this article and thousands of others like it free by subscribing to our blog.

Read full article

Already a subscriber? Login

About the author:

Claire is a paralegal is the LexisAsk and Commercial and Sectors teams at LexisNexis teams. She previously did a law conversion at BPP Law school and plans to study the LPC latterly. She is an English literature graduate and hopes to combine her studies by pursuing a career in the IP sector.

Claire is a keen member of the LexisNexis Singers and practices with them weekly. Outside of work, Claire is a keen hockey player and cyclist and brings this energy into everything she does in her job.