What is the General Data Protection Regulation (GDPR)?

11 July 2017


One of the top 5 questions asked by HR professionals in June was: what is the General Data Protection Regulation?


Every month XpertHR analyses the most popular FAQs asked by HR professionals in the past month. Another of the top 5 questions was: will there be changes to the rules on obtaining consent to process personal data under the General Data Protection Regulation?


The EU’s General Data Protection Regulation (GDPR), which will be implemented in the UK in May 2018, updates the provisions of the Data Protection Act 1998 (DPA). The changes place greater obligations on organisations, with potential fines for breaches as high as €20 million or 4% of global turnover. Organisations need to act now to prepare for the potential changes to their systems and procedures.


Differences between DPA and GDPR

In short, many aspects of the DPA that are considered to be “best practice” will be identified as “requirements” in the GDPR and, as such, will be subject to compliance checks, with penalties for non-compliance.

Also, if a breach of personal data occurs and the organisation fails to notify the breach within defined timescales, a maximum fine of €10 million or 2% of global revenue can be levied.


Below is an excerpt from the CIPP’s GDPR training course to give you an idea of some of the key differences between the Data Protection Act (DPA) and GDPR:



DPA Best Practice

GDPR Requirements


Management to demonstrate a positive attitude and commitment towards data management and protection

A data controller to be appointed who is accountable for compliance.

A Data Protection Officer is required for public organisations and organisations that deal with large-scale processing of personal data, to be responsible for data protection compliance

Data Subject Management

Processes must be in place for Subject Access Requests (SARs).

Further requirements for data subjects include:

Right of access (similar to SAR)

Right to restrict data

Right to be forgotten

Tighter compliance timescales

Tough penalties for non-compliance

Access Control

All processes and procedures in place to manage personal data access must be robust

All processes and procedures in place to manage personal data access must be robust and durable


ICO 12 steps

To help prepare for the GDPR, the Information Commissioner’s Office has produced a downloadable booklet titled “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now”. The booklet goes into more detail on the process to use and the questions that should be asked. It advises on where procedures should be set up and for what purpose, and warns of the consequences of non-compliance with the regulations.


CIPP training course

Many of the principles of the UK’s DPA will remain when the UK implements the GDPR on 25 May 2018. The GDPR takes data protection further, with a change in emphasis from ‘best practice’ to ‘requirements’, greater consent from individuals, new rights such as the right to be forgotten, and other significant changes.

Payroll and HR data, procedures and systems will be directly affected, including where third party software or service providers are involved.

The CIPP course helps delegates understand and prepare for the changes, including how they affect payroll and HR functions, so that they can help their organisations become fully compliant by May 2018.

Full details can be found under Payroll Training on the CIPP website.


CIPP comment

Our latest Quick Poll asks whether you have begun any data preparation or have a plan in place to start, and whether you have even heard of GDPR; maybe you have but think it doesn’t apply to your organisation.

Please take a moment to complete our CIPP Poll (on the right of this and every news item on the news pages of our website).