Article Text

Download PDFPDF
Background and current data protection legislation
  1. Adele Picken
  1. Information Governance, Royal College of Paediatrics and Child Health, London WC1X 8SH, UK
  1. Correspondence to Adele Picken, Royal College of Paediatrics and Child Health, London WC1X 8SH, UK; Adele.Picken{at}

Statistics from

Request Permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.


In May 2018, the European Union (EU) General Data Protection Regulation (GDPR) became EU-wide law. The regulation does allow for individual countries to make their own interpretations in certain areas. In the UK, GDPR has been supplemented by enacting the Data Protection Act (DPA) 2018 to provide additional detail.

Information about the current guideline

It is now over a year since this has been in force, but how does this complex piece of legislation relating to personal data affect you?

GDPR sets out the requirements for data controllers and data processors on how to handle personal data (box 1). It also includes additional measures required when processing special category data and criminal offence data. The law covers all processing of personal data, except where it is used for purely private use, such as taking holiday photos. However, if you shared these publicly via social media, for example, on Twitter, these would potentially be covered by GDPR as you are no longer intending them just for personal or private use.

Box 1


The General Data Protection Regulation (GDPR) definitions are similar to those of the Data Protection Act (DPA) 1998. The only major changes are that sensitive data have now become special category data, and criminal offence data have their own category instead of being part of the sensitive data category. GDPR definitions are as follows:

Data controllers: entities (a person or a group of individuals, such as a committee or an organisation) that make decisions about how and why to process personal data.

Data processors: those who process personal data on behalf of controllers. They do not make any decisions and can only follow the instructions of the data controller. They will often be providing a service, such as collecting and collating survey results on behalf of another organisation.

Data subject: the individual who is the subject …

View Full Text


  • Funding The authors have not declared a specific grant for this research from any funding agency in the public, commercial or not-for-profit sectors.

  • Competing interests None declared.

  • Patient consent for publication Not required.

  • Provenance and peer review Commissioned; internally peer reviewed.

Linked Articles