General Data Protection Regulation (GDPR)

Data protection is the fair and proper use of information about people.

What is the GDPR?

The GDPR is the General Data Protection Regulation (EU) 2016/679. It sets out the key principles, rights and obligations for most processing of personal data. The GDPR came into effect on 25 May 2018.

Does the GDPR apply to me?

The GDPR applies to:
  • organisations located within the EU, 
  • organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU individuals,
  • all companies processing and holding the personal data of individuals residing in the European Union, regardless of the company’s location.

What is 'processing'?

Almost anything you do with data counts as processing, including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.

What is ‘personal data’?

In short, personal data means information about a living individual. This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official or member of the public.

It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.

Personal data only includes information relating to natural persons who:

  • can be identified or are identifiable, directly from the information in question; or
  • can be indirectly identified from that information in combination with other information.

Personal data can also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.

Examples of personal data

  • a name and surname
  • a home address
  • an email address such as
  • an identification card number
  • location data (for example the location data function on a mobile phone)
  • an Internet Protocol (IP) address
  • a cookie ID
  • the advertising identifier of your phone
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person

Examples of data not considered personal data

  • a company registration number
  • an email address such as
  • anonymised data