General Data Protection Regulation explained

The Law on Data Protection changed from 25 May 2018 with the implementation of the General Data Protection Regulation (GDPR).

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a set of rules for how organisations handle personal data, which came into effect in May 2018. It grants individuals more control over their data and requires organisations to process data fairly, transparently, and securely. Since Brexit the UK has its own version, the UK GDPR, which is supplemented by the Data Protection Act 2018.

What does the GDPR mean to me?

The GDPR enhanced the rights that individuals have over how their personal data is handled and stored:

  • the right to be informed of data processing and the lawful grounds for processing your data
  • the right to request information held about you – subject access requests
  • the right to have inaccuracies corrected
  • the right to have information erased
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision making and profiling

Our commitments under GDPR

We will comply with the Data Protection Act and the GDPR principles and ensure personal data is:

  • processed fairly and lawfully and in a transparent manner
  • obtained for one or more specified, explicit and lawful purposes
  • used in the most efficient and effective way to deliver better service
  • adequate, relevant and limited only to what is required
  • accurate and, where necessary, kept up to date
  • not kept in a form which permits identification of data subjects for longer than is necessary
  • processed in accordance with the rights of data subjects
  • processed in a manner that ensures appropriate security of the personal data
  • kept secure to safeguard information (including against unauthorised or unlawful processing or accidental loss)