
What is the GDPR and what does it mean?

Have you got questions about the General Data Protection Regulation, which came into force on 25 May 2018? Are people in your business asking “what is the GDPR” or “what does the GDPR mean for our company”? To answer those questions and more, we have put some answers together to help your business with the legislation.

What is the GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s new data protection legislation, which replaced the EU Data Protection Directive.

The EU has worked on bringing data protection legislation in line with how data is used today. For example, the internet and social media didn’t have as big an effect on personal data when the current legislation was brought in as they do today. The new legislation will reflect this.

What does the GDPR mean?

The GDPR means individuals will have more say over what businesses and organisations can do with their personal data. There are tougher fines for those businesses that don’t comply with GDPR or don’t report data breaches.

Those fines could be as much as 4% of annual turnover or €20m, whichever is greater. In the UK, the Information Commissioner’s Office (ICO) will be tasked with investigating data breaches or wrongdoings as far as the GDPR is concerned. It will also potentially issue fines.

What is the Data Protection Bill?

The Data Protection Bill is the UK government’s new data protection legislation and it was published on 13 September 2017. It will implement most of the GDPR legislation into UK law once it’s been passed by Parliament.

The bill is currently making its way through the House of Commons and House of Lords, which need to approve any amendments before the bill can become an Act of Parliament. Once passed, the Data Protection Bill will replace the Data Protection Act 1998.

As an EU piece of legislation, the GDPR’s data protection rules will be harmonised across the EU – although there is some flexibility on how countries implement GDPR, which is where the UK government comes in with the Data Protection Bill.

What does GDPR stand for?

GDPR stands for General Data Protection Regulation.

When does the GDPR come into force?

On 25 May 2018, the GDPR came into force across all EU member states.

The GDPR was approved by the EU Parliament on 14 April 2016, following four years of preparation and debate. That approval required the EU member states to agree to the final text of the new legislation. However, businesses were given two years – until 25 May 2018 – to prepare for the changes. And from that date onwards, GDPR must be put into practice.

According to research undertaken by Sage (as part of our GDPR customer survey in October 2017, which featured 100 respondents), 57% of UK businesses lack awareness of GDPR, while 60% didn’t know what it meant for their business.

Will GDPR affect my business?

In a word, yes. Even if your business is completely au fait with the Data Protection Act 1998, the requirements of the GDPR surpass it, so you’d still have to take the necessary steps to be compliant.

What is a data controller?

The person, public authority, agency or other body who, alone or jointly with others, determines the purposes and means of the processing of personal data. If you are collecting personal data for your own use and purposes, you are the controller and fully liable for being compliant with the GDPR, including all security.

What is a data processor?

A person, public authority, agency or other body who processes personal data on behalf of a controller (other than employees of that controller). If you are processing personal data on behalf of another organisation, you are the processor and must only act on the instructions of the controller organisation. The GDPR now imposes direct obligations on data processors, not just data controllers.



What is personal data?

This includes but isn’t limited to a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Three things your business should do now

Our Sage Business Experts shared some useful tips as they were preparing for the GDPR. Here’s what they had to say:

Nicky Larkin, founder and managing director of Goringe Accountants: “If you realise GDPR is going to be a big requirement for your business – and obviously it’s tight now because of the deadline – use an external consultant.”

Keith Tully, a partner at Real Business Rescue: “Don’t panic. There is a wealth of information to help you and your business prepare, much of which is completely free.”

Steve Johnson, owner of Graphite Web Solutions: “The ICO website has a great checklist for data controllers that should help businesses step through the questions you need to consider.”
