• The General Data Protection Regulation (GDPR) is an EU legal requirement. The UK Data Protection Act (2018) incorporates the GDPR into UK law.

  • Personal data for individuals shall be processed lawfully, fairly, and in a transparent manner.

  • People need to be told what personal data is being collected and for what purpose.

  • Personal data shall be collected for specified, explicit, and legitimate purposes. It shall not be used for any other reasons that conflict with these purposes.

  • Personal data shall only be kept and processed for as long as it is required for that purpose and for no longer than that.

  • A Data Protection Officer (DPO) is required if you process large amounts of sensitive personal data or systematically monitor Data Subjects on a large scale.

  • Personal data must be kept up-to-date and accurate.

  • People have the right to receive a copy of their data, or can request that their personal data no longer be used. In some cases, they can have it erased entirely.

  • Organizations must implement appropriate security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or disclosure.

  • In addition, organizations need to ensure all staff members who handle personal data are properly trained in how to secure and protect that data.