Tel: +44 (0)203 1373 295  M: +44 (0)7807 583 836


The protection of individuals' personal data under the General Data Protection Regulation ('GDPR')

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) came into force on 25 May 2018. It applies to ‘controllers’ and ‘processors’ - a controller determines the purposes and means of processing personal data whereas a processor is responsible for processing personal data on behalf of a controller.

Legal obligations are placed on processors, e.g. processors are required to maintain records of personal data and related activities. They can be found liable if responsible for a breach. But controllers are not relieved of their obligations where a processor is involved – the GDPR places further obligations to ensure contracts with processors comply.

The GDPR applies to processing carried out by enterprises operating within the European Union, and to those established outside the EU that offer goods or services to persons in the EU.

Article 5 of the GDPR sets out 7 key principles in relation to personal data controlling and processing – ‘lawfulness, fairness and transparency’; ‘purpose limitation’; ‘data minimisation’; ‘accuracy’; ‘storage limitation’; ‘integrity and confidentiality’; and ‘accountability’. 

Businesses whose main activities involve regular personal data processing are required to engage a suitable data protection officer for managing compliance. Any breaches must be reported within 72 hours if they adversely effect user privacy. 

An organisation's failure to comply with the basic principles may leave it vulnerable to significant fines. Article 83(5) provides that infringements of the basic principles for data processing shall be subject to fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding year, whichever is higher.


This note is for general information purposes only and does not constitute specific legal advice. If you would like advice on managing compliance with the General Data Protection Regulation or on data protection and privacy generally, then please feel free to contact us on or telephone +44 (0)20 8528 1132.