The General Data Protection Regulation (GDPR) is a law that governs how organisations process personal data.
Following Brexit, there are now two GDPRs: the EU GDPR and the UK GDPR.
The EU GDPR supersedes the EU Data Protection Directive 1995 and all member state law based on it. It applies to organisations that process or control the processing of EU residents’ personal data, wherever the organisations are based.
The UK’s post-Brexit version of the EU GDPR is the UK GDPR. It is substantially similar to the EU regulation and places similar obligations on data controllers and processors.
These are summarised below.
For the sake of clarity, we refer to “the GDPR” to mean those requirements common to both the UK and EU versions of the Regulation. Where the two laws differ, we use the regional prefixes.