What has changed with GDPR?

Transparency. Accountability. Security.

Many of the concepts and principles underpinning the previous EU data protection directive and national data protection legislation remain the same. 

GDPR strengthens existing rights and provides for a number of new rights in order to give individuals more control of the use and storage of their personal data by organisations.

GDPR has also increased the penalties for data protection breaches, giving much more legal impact to the rules introduced in the older data protection legislation.

GDPR aims to streamline and simplify EU Data Protection Regulations, providing a single set of rules for all organisations that process data in the EU.

It's all about trust.

Broader scope

GDPR broadens the definition of personal data. Personal data now includes any information that identifies an individual, including names, photos, ID numbers and computer IP addresses.


GDPR provides elevated protection for certain Special Categories of Personal Data by expressly prohibiting their processing, unless at least one of ten conditions applies.

Special Categories of Personal Data include personal data that reveal:

  • race and ethnicity;
  • political, religious, or philosophical beliefs, including union membership;
  • health, sex life, and sexual orientation; and, 
  • genetic and biometric data (for the purpose of uniquely identifying an individual).

Even if you or your business is not located in the EU, you must comply with the GDPR if you process the data of people who reside within the EU or who are EU citizens.


New and enhanced rights for individuals

One of the core principles of GDPR is transparency.

Articles 13 and 14 of the GDPR specify the information about which individuals have the right to be informed. This information should be included in an organisation's ‘privacy information’ notices.

What information must you provide?

  • The name and contact details of your organisation.
  • The name and contact details of your representative (if applicable).
  • The contact details of your data protection officer (if applicable).
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The legitimate interests for the processing (if applicable).
  • The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of the personal data to any third countries or international organisations (if applicable).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (if applicable).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (if the personal data is not obtained from the individual it relates to).
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
  • The details of the existence of automated decision-making, including profiling (if applicable).

When must you provide this information?

When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.


If you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information:

  • within a reasonable period of obtaining the personal data and no later than one month;
  • if you use data to communicate with the individual, at the latest, when the first communication takes place; or
  • if you envisage disclosure to someone else, at the latest, when you disclose the data.

Clear and understandable language

The principle of transparency requires that any information and communication relating to the processing of personal data must:

  • be concise
  • be easily accessible
  • be easy to understand
  • be intelligible
  • be age appropriate
  • use clear and plain language.

GDPR provides an individual with the right to access his or her personal data.

The right of access extends to include not only a right to a copy of the personal data undergoing processing but also access to:

  • information about the purposes of processing
  • the categories of data processed
  • the recipients – particularly those in third countries or international organisations
  • the envisaged storage period
  • existence of relevant data subject rights
  • right to lodge a complaint with the Data Commissioner
  • the source of the data
  • specific information about any automated processing; and,
  • where data are transferred to a third country or international organisation, information about the appropriate safeguards to be applied.

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.

An individual can make a request for rectification verbally or in writing. The data controller has one calendar month to respond to such a request. 

Even though a data controller may have taken steps to ensure that the personal data was accurate initially, this right imposes a specific obligation to reconsider the accuracy upon request. 

This right is closely linked to the data controller’s obligations under the accuracy principle of the GDPR (Article 5(1)(d)).



The right to erasure is also known as the "right to be forgotten".

GDPR provides individuals with a general right to request the erasure of their personal data in the following circumstances:

  • when their data is no longer necessary for the purposes for which it was processed
  • when they withdraw their consent (where this is the legal basis of the data processing)
  • when they wish to object to the legitimate interest-based processing of their data and the data controller does not have an overriding legitimate interest
  • when they wish to object to the processing of their personal data for direct marketing processes
  • if their personal data has been processed unlawfully in the first instance.

This is not an absolute right and there are a number of exceptions where it does not apply.

Most notably, GDPR provides that the right to erasure does not apply where data are processed for research purposes where:

  • the Article 89(1) safeguards have been met; and,
  • in so far as the erasure of the personal data is likely to "render impossible or seriously impair the achievement of the objectives of that processing".

However, the significance of the research restriction on the right to erasure is reduced when consent is the lawful basis for processing under data protection law. If consent is the lawful basis for processing, then a withdrawal of consent will have the result that data needs to be erased even if this is likely to render impossible or seriously impair the achievement of the objectives of that processing. This is because there will no longer be a lawful basis to hold the data.


Individuals have the right to request the restriction or suppression of their personal data. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

This is not an absolute right and only applies in certain circumstances.

When processing is restricted, the data controller is permitted to store the personal data, but not to use it.

An individual can make a request for restriction verbally or in writing. The data controller has one calendar month to respond to a request.

This right has close links to the right to rectification (Article 16) and the right to object (Article 21).


Notification obligation regarding rectification or erasure of personal data or restriction of processing

Data controllers must communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with GDPR Article 16 (right to rectification), Article 17 (right to erasure) and Article 18 (right to restriction of processing) to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

The data controller shall inform the data subject about those recipients if the data subject requests it.

Notification in the event of a data breach

In the event of a data breach, the GDPR also introduces the duty on all organisations to notify the affected individuals without undue delay, if the breach is likely to result in a high risk of adversely affecting the affected individuals’ rights and freedoms.


The right to data portability is a new right introduced by GDPR.

Data portability allows the individual to obtain their personal data held by the data controller in a structured, accessible format and to reuse their data for their own purposes across different services. Data portability also includes the right to have this data transferred to another data controller at the request of the individual.


The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.

The data controller must tell individuals about their right to object.

An individual can make an objection verbally or in writing. The data controller has one calendar month to respond to an objection.

When does the right to object apply?   

Individuals have the absolute right to object to the processing of their personal data if it is for direct marketing purposes.

Individuals can also object if the processing is for:

  • a task carried out in the public interest
  • the exercise of official authority vested in you; or,
  • the legitimate interests of the data controller or those of a third party.

In these circumstances the right to object is not absolute.

If the data processing is for scientific or historical research, or statistical purposes, the right to object is more limited.


Individuals have a right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects (or similarly significant effects) concerning the individual.

The most commonly given example of automated processing that falls under this category is the use of automated processing to determine an individual's credit rating.

This is not an absolute right.


This does not apply:

  • if the personal data is being used for the purposes of the performance of a contract between the individual and the data controller.
  • where the data processing is authorised through legislation and the individual's rights and freedoms and legitimate interests are safeguarded.
  • where the individual has explicitly consented to the data processing.



Consent has always been a cornerstone of data protection regulation.

GDPR maintains and enhances this position by requiring consent to be:

  • specific
  • granular
  • clear
  • prominent
  • opt-in
  • documented; and,
  • easily withdrawn.

More detailed information on the GDPR's consent requirements is provided on these webpages.


Any individual who has suffered damage as a result of infringement of the GDPR has the right to receive compensation from the data controller and/or the processor.

Under the previous EU Data Protection Directive, liability for compensation was limited to data controllers only.

Whilst the previous EU Data Protection Directive referred only to the right to compensation for "damage", the GDPR makes clear that compensation may be recovered for both pecuniary and non-pecuniary losses.

This means that an individual who has suffered a data breach can sue for emotional distress or reputational damages without having to demonstrate an economic loss.



This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.

It is intended to be general guidance for educational and informational purposes only.

It is not legal advice.