The General Data Protection Regulation (GDPR) is an EU legal requirement. The UK Data Protection Act (2018) incorporates the GDPR into UK law.
Personal data for individuals shall be processed lawfully, fairly, and in a transparent manner.
People need to be told what personal data is being collected and for what purpose.
Personal data shall be collected for specified, explicit, and legitimate purposes. It shall not be used for any other reasons that conflict with these purposes.
Personal data shall only be kept and processed for as long as it is required for that purpose and for no longer than that.
A Data Protection Officer (DPO) is required if you process large amounts of sensitive personal data or systematically monitor Data Subjects on a large scale.
Personal data must be kept up-to-date and accurate.
People have the right to receive a copy of their data, or can request that their personal data no longer be used. In some cases, they can have it erased entirely.
Organizations must implement appropriate security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or disclosure.
In addition, organizations need to ensure all staff members who handle personal data are properly trained in how to secure and protect that data.