Principles and Rights

GDPR upholds seven principles and eight rights of data protection. It gives greater rights to “Data Subjects” individuals to control how organisations hold and use their data in an increasingly digital age. It updates previous legislation to reflect the rate of technology change in relation to data handling and use over the last twenty years. Penalties are financially extreme for those organisations that break the regulations.

It is an EU regulation (law), introduced in April 2016 which will be enforceable in every EU country on 25th May 2018 (the end of the two year implementation period). The UK parliament will introduce the Data Protection Act 2018 which will provide some derogations to the GDPR however without this in place the default clauses of the GDPR will apply. Derogations are limited, the intent being that the basics of the regulation are consistently applied across the whole of Europe (EEA) giving a standard basis of principles and rights. The GDPR will remain applicable after March 2019 when the UK leaves the EU.
Data protection principles and rights will be enforced under the Data Protection Act 2018 by the Information Commissioners Office (ICO).
Much of the new regulations are similar to the requirements of the DPA 1998 but more prescriptive. Businesses will need to audit their status and update their policies to ensure compliance.

See more about the regulations here.

The seven data protection principles form the cornerstones of guidance in protecting personal data.


  1. Legality, Transparency and Fairness
  2. Purpose Limitation
  3. Minimisation
  4. Accuracy
  5. Storage Limitation
  6. Integrity & Confidentiality
  7. Accountability

The eight rights provide a clear basis for the individual to hold those that collect and use their data to account.


  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

Getting it Right for the SME

TheĀ  document below is a brief SME guide highlighting key data protection items for consideration. The guide is a brief set of information for the small, less data complex, business and provides a basic outline of what is required to comply with the regulations. This document is based on the current Data Protection Act 1998, not GDPR specific but provides some useful tips.

Check Out Your Status

The ICO offer several questioning tools to assess current data protection readiness. Use these tools to assess your current data protection status.