Guide to the G eneral D ata P rotection R egu lation (GDPR)

1 Guide to theGeneral D ata Protectio nRegulatio n ( gdpr )Data pro tec ti onAbout the Guide to the GDPRWhat's newKey definitionsWhat is personal data?Controllers and processorsPrinciplesLawfulness, fairness and transparencyPurpose limitationData minimisationAccuracyStorage limitationIntegrity and confidentiality (security)Accountability principleLawful basis for processingConsentContractLegal obligationVital interestsPublic taskLegitimate interestsSpecial category dataCriminal offence dataIndividual rightsRight to be informedRight of accessRight to rectificationRight to erasureRight to restrict processingRight to data portabilityRight to objectRights related to automated decision making including profilingAccountability and governanceContractsDocumentationData protection by design and defaultData protection impact assessmentsData protection officersCodes of

2 ConductCertificationData protection feeSecurityEncryptionRansomware and data protection compliancePasswords in online servicesPersonal data breachesInternational transfers after the UK exit from the EU Implementation PeriodInternational data transfer agreement and guidanceExemptionsImmigration exemptionNational security and defence01 January 2021 - the Guide to the GDPRThe Guide to the UK gdpr is part of our Guide to Data Protection. It is for DPOs and others who haveday-to-day responsibility for data explains the general data protection regime that applies to most UK businesses and organisations.

3 Itcovers the UK General Data Protection Regulation (UK gdpr ), tailored by the Data Protection Act explains each of the data protection principles, rights and obligations. It summarises the key points youneed to know, answers frequently asked questions, and contains practical checklists to help you relevant, this Guide also links to more detailed guidance and other resources, including ICO guidanceand statutory ICO codes of practice. Links to relevant guidance published by the European Data ProtectionBoard (EDPB) are also included for reference may also find other sections of the Guide to Data Protection useful.

4 Introduction to data protection for more on how the DPA 2018 worksGuide to law enforcement processing for more on the separate regime for law enforcementGuide to intelligence services processing for more on the separate regime for the intelligence servicesKey data protection themes for specific guidance on key themes and topics, including children s dataOther resourcesMaking data protection your business - resources for sole tradersFor organisations Data protection self assessment toolkitFor organisations 01 January 2021 - 's newWe will update this page monthly to highlight and link to what s new in our Guide to the UK 2022We have updated the Exemptions and Immigration exemption guidance.

5 March 2021We have published new guidance on the national security exemption in Part 2 of the DPA18 January 2021We have published an Updated BCR communication following the EU-UK Trade and Co-operation Agreementto the International transfers after the UK exit from the EU Implementation 2020We have updated our guidance on Personal data 2020We have published the Accountability Framework, which provides detailed guidance on complying with theaccountability 2020We have published detailed guidance on codes of conduct and 2019We have updated the page in the lawful basis section on European Data Protection Board (EDPB) has published Guidelines 2/2019 on the processing of personaldata under Article 6(1)(b) gdpr in the context of the provision of online services to data subjects forconsultation.

6 Comments should be sent to 2018We have expanded our guidance on contracts, published guidance on controllers and processors andpublished detailed guidance on controllers and processors and contracts and 2018We have published detailed guidance on 2018We have expanded our guidance on 201801 January 2021 - have expanded our guidance on International 2018 The European Data Protection Board (EDPB) has published draft guidelines on certification and identifyingcertification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 for consultation.

7 Theconsultation will end on 12 have published detailed guidance on children and the have published detailed guidance on determining what is personal have expanded our guidance on data protection by design and default, and published detailed guidanceon automated decision-making and have published a new page on codes of conduct, and a new page on have published detailed guidance on the right to be have published detailed guidance on Data Protection Impact Assessments (DPIAs).We have expanded the pages on the right of access and the right to have published detailed guidance on have expanded the page on the right to data 2018We have expanded the page on Accountability and have expanded the page on have updated all of the lawful basis pages to include a link to the lawful basis interactive guidance 2018We have published detailed guidance on DPIAs for consultation.

8 The consultation will end on 13 April have also updated the Guide page on DPIAs to include the Guide level content from the have published detailed guidance on legitimate have expanded the pages on:Data protection impact assessmentsData protection officersThe right to be informedThe right to erasureThe right to rectificationThe right to restrict processing01 January 2021 - 2018 The consultation period for the Article 29 Working party guidelines on consent has now ended andcomments are being reviewed. The latest timetable is for the guidelines to be finalised for adoption on10-11 consultation period for the Article 29 Working Party guidelines on transparency has now the consultation period, the Article 29 Working Party has adopted final guidelines on automatedindividual decision-making and Profiling and personal data breach notification.

9 These have been addedto the have published our Guide to the data protection have updated the page on Children to include the Guide level content from the detailed guidance onChildren and the gdpr which is out for public 2018We have published more detailed guidance on have expanded the page on personal data have also added four new pages in the lawful basis section, covering contract, legal obligation, vitalinterests and public 2017We have published detailed guidance on Children and the gdpr for public consultation. The consultationcloses on 28 February sections on Lawful basis for processing and Rights related to automated individual decision makingincluding profiling contain new expanded guidance.

10 We have updated the section on Documentation with additional guidance and documentation templates. We have also added new sections on legitimateinterests, special category data and criminal offence data, and updated the section on Article 29 Working Party has published the following guidance, which is now included in the Transparency It is inviting comments on these guidelines until 23 January consultation for the Article 29 Working Party guidelines on breach notification and automated decision-making and profiling ended on 28 November.