General Data Protection Regulation

GDPR Summary

GDPR is the EU’s General Data Protection Regulation and will be effective in the UK. GDPR together with the new Data Protection Bill will replace the existing data protection laws in the UK. Under the new laws there will be tougher fines for non-compliance and breaches and individuals will have more say over what companies can do with their data.

When does the regulation start?
May 25, 2018

Who will enforce it in the UK?
The Information Commissioner’s Office

What’s New?
There are new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines.

What are the six key differences between GDPR & The Data Protection Act?

Personal Data Refined – broader definition to reflect changes in technology and the way that companies collect information about people. An example would be where individuals must opt-in whenever data is collected and there must be clear privacy notices. Those notices must be concise and transparent and consent must be able to be withdrawn at any time.

Individual Rights – better control over data (consents to become informed, specific and unambiguous, data subject has a right to receive info on how the data will be used, right to be forgotten when the personal data is no longer relevant, right to transfer the data from one service provider to another).

Data Controllers vs. Data Processors – A data processor will be required to have a contract with the data controller to process the data. As well as the data controller, the data processor will be liable for the security of personal data. (Organizations with fewer than 250 employees do not have to maintain records of processing, whether they are a controller or a processor.)

Information Governance and Security – general obligation to implement technical and organisational measures to show you have considered and integrated data protection into your processing activities. Privacy by design also requires that controllers discard personal data when it is no longer required. Data Impact Assessment required for all large processing.

Data Breach Notification and Penalties – data controllers will be required to notify the supervisory authority of a personal data breach within 72 hours of learning about the breach, including the likely consequences of the breach and what the controller has done to address and mitigate it. A data processor is required to notify a controller of the data breach “without undue delay.” Potential penalty up to 20 Million Euros or 4% of their global turnover (whichever is greater).

Global Impact – The GDPR applies to the processing of personal data of subjects located in the EU, even if the controller or processor is not established in the EU.

Why does this matter to Marriotts School?


As a school, we handle a large volume of personal data on a day-to-day basis. It is therefore extremely important that we are all aware of, and ready for, the introduction of the new legislation.

How will Marriotts achieve compliance?

The work that is currently being undertaken to ensure our compliance is made up of Assessment, to fully understand our existing personal data processing activity, and focused Activity, to ensure we reach compliance with GDPR.


We are:

  • Actively engaging with outside companies ensuring they are working towards being GDPR compliant.
  • Reviewing our activities and associated policies and procedures as necessary to fully comply with GDPR following a thorough assessment.
  • Carrying out necessary Privacy Impact Assessments.

The Key Terms

GDPR and other data protection laws rely on the term ‘personal data’ to discuss information about individuals. There are two key types of personal data in the UK and they cover different categories of information.

What is Personal Data?

Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass pseudonymised data if a person can be identified from it.

So, what is sensitive personal data?

GDPR refers to sensitive personal data as being in ‘special categories’ of information. These include trade union membership, religious beliefs, political opinions, racial information, and sexual orientation.

GDPR Support

If you have any further questions, please contact and we will endeavor to respond at the earliest opportunity.