General Data Protection Regulation (GDPR)

If we don’t manage our information, we leave ourselves vulnerable.

Have you ever moved house and forgotten to update your details at the bank, only to realise when your new card ends up in the wrong hands? This kind of mistake opens up the possibility of fraud, and though the example is a physical one, it’s much the same with our data. Information has a life cycle, and its security and assurance must be managed at every stage of that life cycle, not only while it is in active use. So, let’s find out more about the stages involved so we have the foundations to build our best practices on…

Decorative image: flow diagram showing GDPR, with arrows pointing to ‘ID’ and ‘human rights’

Figure 1: General Data Protection Regulation

What is GDPR?

The General Data Protection Regulation (GDPR) is designed to ensure that:

'Organisations processing and storing personal information adequately protect it...any transfer of information outside of the EU is handled in an appropriate way.'

Let’s start by looking at the laws which protect the collection and storage of personal and private data.

In the EU, the right to personal privacy is protected through the GDPR, which protects the rights of ‘Data Subjects’, the individuals the data is about. The UK implemented GDPR through the Data Protection Act 2018.

The right to privacy, like other human rights in Europe, is derived from the European Convention on Human Rights which was incorporated into UK domestic law as the Human Rights Act 1998.

In the US, there is no overarching federal right to privacy, although there are federal sector-based laws protecting privacy, such as the Health Insurance Portability and Accountability Act (HIPAA), which protects personal medical data. There are also state-based privacy laws, for example the California Consumer Privacy Act 2018.

Under GDPR, organisations processing and storing personal information must ensure it’s adequately protected, and any transfer of that information outside the EU must be handled appropriately. This is particularly significant for transfers to the US, where data protection controls are typically much less stringent than in Europe.

Decorative image: Simple flow diagram showing GDPR with arrows branching off to: 1. The organisation or person that decides how personal data is to be used; 2. The organisation or person that processes personal data on behalf of the data controller

Figure 2: GDPR: Protecting the data

GDPR basics

The Data Controller determines how and why personal data is used; the Data Processor processes it on the Controller’s behalf and on the Controller’s instructions. The Controller is responsible for, and must be able to demonstrate, compliance with GDPR (the accountability principle).

GDPR also places specific legal obligations directly on Data Processors, including the requirement to maintain records of their processing activities.

It applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. However, it doesn’t apply to processing covered by the Law Enforcement Directive, processing for national security purposes, or processing carried out by individuals purely for personal or household activities.

Each EU member state has a supervisory authority responsible for upholding the rights of Data Subjects under GDPR; in the UK this is the Information Commissioner’s Office (ICO).

Decorative image: Picture of casually dressed person at laptop

Figure 3: GDPR: The data protection principles

Personal data

Personal data is defined by GDPR as:

'Any information relating to an identified or identifiable natural person (the 'data subject')...who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

- The Information Commissioner’s Office

GDPR applies to both automated personal data and manual filing systems, which includes chronologically ordered sets of manual records containing personal data. It also covers online identifiers, for example an IP address, where these can be used to identify an individual, directly or indirectly.

Personal data that has been pseudonymised, for example key-coded, still falls within the scope of GDPR where the pseudonym can be attributed to a specific individual (for instance by whoever holds the key).

Special category personal data is defined as:

‘Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.’

- The Information Commissioner’s Office

As you can see, this includes genetic and biometric data used to identify an individual. Personal data relating to criminal convictions and offences is not classed as special category data, but similar extra safeguards apply to it.

Decorative image: hexagonal diagram of the data protection principles: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality.

Data protection principles

GDPR is based on six data protection principles (the ICO also lists accountability, described above, as a seventh):

  1. Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  2. Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Data minimisation: personal data collected or processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accuracy: personal data must be accurate and, where necessary, kept up to date in relation to the purpose for which it is processed.
  5. Storage limitation: personal data must be kept for no longer than is necessary for the purposes for which it is processed. When it is no longer needed it must be securely deleted or irreversibly anonymised.
  6. Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This is the principle that most directly concerns security practitioners.

What’s next?

Now you’ve had a basic introduction to GDPR, let’s move on to look at the information life cycle. This course will explore the steps to take at each stage of that life cycle.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.