GDPR—the basics
GDPR—the basics

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • GDPR—the basics
  • The data protection regime
  • The EU GDPR
  • Impact of Brexit
  • UK data protection regulator
  • Types of data covered by the GDPR
  • Personal data
  • Special category personal data
  • Data controller and processors
  • Processing personal data
  • More...

IP COMPLETION DAY: 11pm (GMT) on 31 December 2020 marks the end of the Brexit transition/implementation period entered into following the UK’s withdrawal from the EU. At this point in time (referred to in UK law as ‘IP completion day’), key transitional arrangements come to an end and significant changes begin to take effect across the UK’s legal regime. This document contains guidance on subjects impacted by these changes. Before continuing your research, see Practice Note: What does IP day mean for Risk & Compliance?

This Practice Note explains, in simple terms, the key features of the General Data Protection Regulation (GDPR). See also Precedent: Data protection cheat sheet for staff.

This Practice Note is intended for non-privacy specialists and there are separate, more detailed, Practice Notes on the GDPR, eg:

  1. Introduction to the EU GDPR and UK GDPR

  2. Data protection compliance planning

  3. Data protection officer

  4. Data mapping

  5. Data protection compliance—data subjects rights

  6. Processing personal data—lawful processing

The data protection regime

The GDPR is the main source of data protection law—see Practice Note: The EU’s General Data Protection Regulation (EU GDPR). It is supplemented in the UK by the Data Protection Act 2018 (DPA 2018).


The EU GDPR sets out the rules on processing personal data across the EU, and also applies in Iceland, Norway and Liechtenstein—this wider group is known as the EEA.

The EU GDPR has

Popular documents