Whitgifts - General Data Protection Regulation (GDPR) at a Glance
Contacts Header

General Data Protection Regulation (GDPR) at a Glance

This page contains a very high level summary of some of the key elements of GDPR. More information can be found :

  1. Information Commissioner’s Website – Click here
  2. GDPR text – Click here
  3. Data Protection Act 2018 – Click here

Businesses will need to prove that they follow GDPR, they will need data protection policies, privacy impact assessments and relevant documents on how data is processed, or they may be subject to fines.


GDPR sets out seven key principles.

Personal Data must be …

  1. Processed Lawfully, fairly and transparently
  2. Collected for specific legitimate purposes
  3. Only collected if necessary
  4. Accurate and kept up to date
  5. Kept for as short a time as possible
  6. Kept secure
    Organisations must demonstrate Compliance

  1. Accountability


Be processed in accordance with the data subject’s rights.

Rights include including

  1. the right to be informed
  2. the right of access
  3. the right to rectification
  4. the right to erasure
  5. the right to restrict processing
  6. the right to data portability
  7. the right to object
  8. rights in relation to automated decision making and profiling


Personal Data must not be transferred to other countries outside EEA without adequate protection.

Transfers outside EAA prohibited unless

  1. EAA declares country OK
  2. the data exporter puts in place appropriate safeguards
  3. a derogation or exemption applies


Organisation must have lawful basis for processing

5 legal basis that most business will use as the lawful basis for processing

  1. Consent – individual has given consent for specific purposes
  2. Contract – Necessary for a contract
  3. Legal Obligation – necessary for to comply with law
  4. Vital Interests – necessary to protect an individual
  5. Legitimate Interests – of the organisation
  6. Public Task to perform a task in the public interest


When personal data is collected we have to provide Privacy Notice

Privacy Notice clearly stating in plain language

  1. legal basis for processing
  2. why we are collecting it
  3. consequences of not providing it
  4. what it is being collected for
  5. how it will be processed
  6. who will process it
  7. how long we will retain it

Obtaining consent got harder as it must have genuine choice and control. It needs

  1. Affirmative action for acceptance
  2. required for all purposes
  3. Freely given
  4. No power imbalance
  5. Not tied to contract
  6. can be given both in oral or written form


Key processes that need to be implemented

  1. Privacy Impact Assessments – Know risks associated with processing
  2. Subject Access Requests –Respond efficiently when Data subject exercises rights
  3. Breach Management – keep log of all breaches and notify ICO within 72hrs of discovery
  4. Manage Suppliers – due diligence when selecting, contracts containing necessary terms and regular auditing.
  5. Audit – confirm organisation is compliant with policies

Get in Touch

Let Whitgift Security help you secure your online business now
Contact us
Scroll Top