GDPR – An introduction Members  

Our practical guide to the new General Data Protection Regulation (GDPR) and Data Protection Act 2018 which have been in force from  25 May 2018.  This resources gives an overview of the requirements relevant to illustrators.  You may also wish to use the AOI's Template Privacy Policy here.

What is the GDPR?

GDPR is EU law which has been retained by the UK after Brexit and therefore remains an enforceable piece of legislation. UK law covering data protection at national level came into force on the same day, namely 25 May 2018 in the form of the Data Protection Act 2018. It widely follows provisions of the GDPR with some derogations which are not relevant for the purpose of this guidance. Both pieces of legislation must be read together for the purpose of relevant law on data protection in the UK. For the purpose of this guide we are referring to both pieces of legislation as ?UK GDPR?. The GDPR and Data Protection Act 2018 replaced the Data Protection Act 1998. If you have complied with the 1998 Act prior to 25 May 2018 it is likely that you will comply under the new laws. The key difference is that there is now a requirement for transparency, so that people are aware how you use personal data within your business and can make informed decisions in relation to their data.

Who needs to pay attention?

Any individual or legal person (e.g. incorporated companies or partnerships) that collects or processes personal data, who is established within the UK or offers goods and services to UK customers. It is irrelevant if goods and services are offered for payment or free of charge ? the UK GDPR applies in both circumstances. UK GDPR does not apply to persons who process personal data purely for personal/household activities or are employees of companies, charities or partnerships that control or process personal data. It is likely that anybody who trades either as a freelancer or multinational company is a data controller for the purpose of UK GDPR and has to pay attention. If you are controlling or processing personal data you collected prior to 1 January 2021 of individuals based in the EEA, the EU GDPR applies to you as it stood on 31 December 2020. The controlling and processing of personal data of individuals you collect from individuals outside the UK from 1 January 2021 continues to be regulated under the EU GDPR as it stood on 31 December 2020 under the Withdrawal Agreement, which retained EU GDPR as a piece of legislation enforceable under UK law.

Some key terms used in the UK GDPR

Personal data is any information that can directly or indirectly identify an individual (?a data subject?). For example, it is possible to identify an individual by a personal email address that includes the first name and surname of that person but also indirectly by an email that includes a letter and number combination that relates to one particular person, e.g. TWEEKY2580@ A data controller is any person (including a legal person) that determines the purposes for which, and the way in which personal data are processed. For example, your company may decide to send invoices to customers in the post while another company will use email addresses to send invoices via e-mail. In this case, the purpose for which you hold data is the same (namely to process an order) but the kind of data you hold (e.g. email address / postal address) and the way you process data for that purpose is different. Processing means any operation, which is performed on personal data or sets of personal data whether or not the processing is done manually or automatically. This includes collection, recording, organisation, structuring (e.g. putting