The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a law that covers how your data is stored and used.

In some older notes, you may see it referred to as the Data Protection Act - this name changed in 2018, and you should use GDPR instead.

You need to know about the implications of GDPR - for individuals and businesses/organisations.

The data subject is the person whose data is being stored - for example, in the school register database, pupils are the data subjects, as the data is about them. The person in control of the data is called the data controller.

There is a declared purpose - what the data is being used for.

For example, in a school, the declared purpose might be that we store the register data to check attendance.

That is the declared purpose of our database.

You need to know six implications (consequences) of GDPR:

  • Data must be processed lawfully, fairly and transparently (this means being open about it)

  • Data must be used for the declared purpose only

  • Only the data needed for the declared purpose should be collected

  • Data must be accurate

  • Data must not be kept for longer than necessary

  • Data must be held securely

Example

For the 2019 youth club question, you would have to identify two implications and link them to the youth club.

Note - they would have to be implications for the youth club, not the members.

For example:

  • They must only collect data needed for running the club

  • They must only use the data for the declared purpose (running the club)

  • Data must be deleted if members leave the club

  • Data cannot be shared without the members’ permission

You would receive one mark for each implication.