Whilst the GDPR provides most of the picture in terms of how personal data must be handled from 25 May this year, you may be aware that the Data Protection Bill is still making its way through Parliament. The Data Protection Bill will provide much of the detail of the law, including any exemptions on which data controllers can rely. The answers to your questions are dependent on the provisions of that Bill.
At present, the registrar of companies relies on the exemption at s34 of the Data Protection Act 1998 to make information publicly available. That exemption means that the registrar does not need to comply with the vast majority of the DPA in operating the public register. That makes sense because the Companies Acts set out the rules around accuracy of data, when data can be amended and removed, and how long it should be kept.
The current draft of the Bill appears to contain an equivalent exemption. Based on the information we currently have, we do not anticipate major changes in the way the registrar collects, records and outputs personal data on the register. As I have said, the vast majority of the rules that govern the way personal data is managed on the register are found in the Companies Acts. The Companies Acts are not changing.
I am unable to comment on how GDPR might impact on private organisations’ use of the personal data output by Companies House once obtained. As data controllers of personal data once it is obtained from the public register, third party organisations will need to consider how the new legislation impacts their use of the data.
I’m sorry I can’t give you a more definite response.