Legal Services


What will stay the same


Most of these will remain the same as the Data Protection Act (DPA) 1998:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation (adequate, relevant and limited to what is necessary)
  • accuracy 
  • security
Personal Data

The definition of personal data in DPA 1998 and GDPR is broadly similar. Both are broad in definition and pervasive in terms of scope.

Codes of Conduct

The ICO has published a series of Codes of Conduct to help organisations comply with data protection legislation, and these remain useful and relevant guidance:

  • Anonymisation
  • Audits
  • CCTV
  • Data processing
  • Data sharing
  • Employment
  • Encryption
  • Marketing
  • Personal data online
  • Privacy by design
  • Privacy notices
  • Security
  • Subject access

Consent still forms an important part of data protection, but the definition has changed under GDPR.  See further information on Consent.

Sensitive Personal Data

Sensitive personal data categories remain the same. e.g. information on an individual’s:

  • racial or ethnic origins
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • health
  • sexual life
  • offences

Under the GDPR some additional categories of data have been added, see the What will be new section.

Breach Notification

This has been voluntary under the DPA1998, but the GDPR makes this mandatory.


The obligation for us to protect personal data remains, but it is enhanced under GDPR.

Fair Processing Notices (FPNs)

These are ‘privacy notices’ that you often see on forms, sometimes called ‘collections texts’ or ‘small print’. They are a key part of ensuring that processing is fair.

Data protection by design and default

See the What will be new section.

Privacy Impact Assessment (PIA)

This is good practice under DPA 1998, but not mandatory

Subject Access

Under the DPA 1998, individuals are entitled to access the personal data we hold on them within 40 calendar days. Under GDPR this right remains but the time for response is reduced to 30 calendar days.

Data Portability

See the What will be new section.


See the What will be new section.

Right to erasure (to be forgotten (RTBF)

This provision only applies under DPA 1998 if there is substantial damage or distress to an individual. With such a high threshold it was in practice rarely used. The GDPR lowers the threshold and will make this right easier to apply.

Under GDPR, RTBF is a much broader right that allows individuals to request the deletion or removal of personal data in certain circumstances without concern for the threshold of damage or distress.

Other Individual Rights

See the What will be new section.

Data Protection Officer (DPO)

There is little formal responsibility for DPOs under the DPA 1998, but the GDPR introduces several new responsibilities to the role.

Contracts with Processors and Contractors

These were a requirement in the DPA 1998, but have been expanded under GDPR.