This regulation took effect in the UK on 25 May 2018. It gives individuals rights and protections with regard to how their personal data is used by organisations. Congregations must comply with its requirements as there are no relevant exemptions for charities or small organisations. The underlying data protection principles set out in the GDPR are: Personal data must be processed: 1 lawfully, fairly and transparently; 2 only used for a specific processing purpose that the data subject has been made aware of; 3 adequate, relevant and not excessive; 4 accurate and where necessary kept up to date; 5 not stored for longer than is necessary; 6 stored in a safe and secure manner.