[email protected] | Business Data 2020

Back To Main Page
GDPR Compliance

The Data Protection Act and GDPR Explained

This document sets out the basic principles of the Data Protection Act (DPA) to aid in understanding the new legal framework in the EU, and the General Data Protection Regulation (GDPR) which has applied in the UK since 25 May 2018. The purpose of this document is to provide clients with a manageable, comprehensive explanation of the Data Protection laws and what BDP Agency (“We”) require from you as a client and as a data processor.

Important Points To Note

Whilst much of the new General Data Protection Regulation is already in place and agreed upon, there is still some consultation to be decided within the European Union. The new laws were enforced in their entirely on 25th May 2018 and Brexit had no effect on these new laws being implemented.

We are still waiting for a decision on whether this will effect the Privacy & Communications Regulations, the latest update being brought into effect on 9th January 2019, any further updates will be provided once in place.

Latest Guidance

What to expect and when… here is the latest guidance from the Information Commissioners Office (ICO).


DM = Direct Marketing

DPA = Data Protection Act 1998

EEA = European Economic Area

EU = European Union

GDPR = General Data Protection Regulation

ICO = Information Commissioner’s Office

PECR = Privacy and Electronic Communications Regulations

Data Controller = the entity that determines the purposes, conditions and manner in which the data will be processed

Data Processor = the entity obtaining, recording or holding the information or data or carrying out any operation(s) on the information or data.

Basic Principles of The Data Protection Act

Schedule 1 to the Data Protection Act lists the data protection principles. In summary, personal data should be:

  1. Processed fairly and lawfully and should satisfy at least one condition for processing.
  2. Obtained only for one or more specified and lawful purposes.
  3. Adequate, relevant and not excessive in relation to the purpose(s) it is fulfilling.
  4. Kept Accurate and up-to-date
  5. Shall not be kept for longer than is necessary for that purpose(s).
  6. Processed in accordance with the rights of data subjects under this Act.
  7. Appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or damage to personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects.

The GDPR differs to the DPA in that there is now an explicit requirement for transparency and accountability. This means it is an organisations own responsibility to be able to demonstrate that they comply with the above principles.

Please see our GDPR Accountability Policy for more information on how we comply with the principles.

Article 5 of The General Data Protection Regulation

Article 5 of the GDPR privacy laws now requires that personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to individuals;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR privacy laws in order to safeguard the rights and freedoms of individuals;

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Information Commissioners Office (ICO)

The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt. More than 400,000 organisations are currently registered, and BDP Agency requests that all our clients to register to comply with this law.

You can register here – It is a quick and easy online submission and in most cases the costs involved are minimal.

The ICO have also provided a data protection self-assessment tool to help assess your compliance with the DPA and to find out anything you need to do. This is a really useful tool that can be used in the approach to May 2018.

Electronic Communications Regulations (PECR)

The PECR sit alongside the DPA and give people specific privacy rights in relation to electronic communications. There are specific rules on marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you:

  • market by phone, email, text or fax;
  • use cookies or a similar technology on your website; or
  • compile a telephone directory (or a similar public directory)

More information on PECR is available here to ensure that you have sufficient and effective policies and procedures in place, and to explain more about audits.