The General Data Protection Regulation (GDPR) is a new EU law that came into effect on 25 May 2018 to
replace the Data Protection Act. The new regulation applies to all organisations, large and small, including

Under the new regulations individuals must know that their personal data is being collected, why it is being
processed and who it will be shared with. Organisations must publish this information on their website and
within any forms or letters sent to individuals.

The scope of the regulations includes paper-based records as well as electronic files.

Personal data can only be collected, used and retained if there is a legal basis for its collection.

Explicit consent is required from an individual for non-contractual interactions.

Consent is not required when there is a contractual relationship, but an individual still needs to be made aware that
personal details will be collected, used and retained.

All organisations must keep a record of how and when an individual gives consent to store and use their
personal data. Consent means active agreement. For consent to be valid, it will need to be freely given,
specific, informed and an unambiguous indication through a statement or clear affirmative action, such as
actively ticking a box.

Where a contractual arrangement exists the documentation must refer to the Data Protection arrangements.

Under the new regulations individuals will have the right to:

- obtain access to their personal data.

- obtain confirmation that their data is being processed for its intended purpose.

- have personal data rectified if it is inaccurate or incomplete.

- withdraw consent at any time, easily and quickly, i.e. to be forgotten.

The Information Commissioner's Office has the right to audit the data protection arrangements within any
organisation. Non-compliance can attract heavy fines. Security breaches can lead to imprisonment as well
as fines.

The Hall's Data Protection Policy can be accessed by clicking on the button below.