General Data Protection Regulation (GDPR) at a Glance
This page contains a very high-level summary of some of the key elements of GDPR. More information can be found at:
- the Information Commissioner's website
- the GDPR text
- the Data Protection Act 2018
Businesses will need to prove that they follow GDPR: they will need data protection policies, privacy impact assessments and relevant documents on how data is processed, or they may be subject to fines.

DATA PROTECTION PRINCIPLES
GDPR sets out seven key principles.
Personal data must be:
- Processed lawfully, fairly and transparently
- Collected for specific, legitimate purposes
- Only collected if necessary
- Accurate and kept up to date
- Kept for as short a time as possible
- Kept secure
- Handled accountably – organisations must be able to demonstrate compliance

DATA SUBJECTS' RIGHTS
Personal data must be processed in accordance with the data subject's rights.
Rights include:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling

INTERNATIONAL DATA TRANSFERS
Personal data must not be transferred to countries outside the EEA without adequate protection.
Transfers outside the EEA are prohibited unless:
- the destination country has been declared to provide adequate protection
- the data exporter puts in place appropriate safeguards
- a derogation or exemption applies

LAWFUL BASIS FOR PROCESSING
Organisations must have a lawful basis for processing.
The legal bases that most businesses will use as their lawful basis for processing:
- Consent – the individual has given consent for specific purposes
- Contract – necessary for a contract
- Legal Obligation – necessary to comply with the law
- Vital Interests – necessary to protect an individual
- Legitimate Interests – of the organisation
- Public Task – necessary to perform a task in the public interest

PRIVACY NOTICES AND CONSENT
When personal data is collected we have to provide a Privacy Notice, clearly stating in plain language:
- legal basis for processing
- why we are collecting it
- consequences of not providing it
- what it is being collected for
- how it will be processed
- who will process it
- how long we will retain it
Obtaining consent has become harder, as it must give the individual genuine choice and control. Consent must be:
- An affirmative action for acceptance
- Required for all purposes
- Freely given
- Free of any power imbalance
- Not tied to a contract
- Given in either oral or written form

PROCESSES TO BE IN PLACE
Key processes that need to be implemented
- Privacy Impact Assessments – Know risks associated with processing
- Subject Access Requests – respond efficiently when a data subject exercises their rights
- Breach Management – keep a log of all breaches and notify the ICO within 72 hours of discovery
- Manage Suppliers – due diligence when selecting, contracts containing necessary terms and regular auditing.
- Audit – confirm organisation is compliant with policies