The Data Protection Act 2018 and the General Data Protection Regulations (GDPR) have applied in the UK since 25th May 2018. The UK’s decision to leave the EU will not affect this.
The rules apply to ‘personal data’ and make it clear that information such as an online identifier – e.g. an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
The GDPR cover ‘data controllers’ and ‘data processors’. A data controller says how and why personal data is processed and a data processor acts on the controller’s behalf.
The accountability principle states explicitly that it is your responsibility to demonstrate that you comply.
If you are a data processor, the rules place new specific legal obligations on you and you have significantly more legal liability if you are responsible for a breach.