There are lots of myths surrounding the EU's General Data Protection Regulation (GDPR), including many scare stories. All UK business will need to make changes to their business processes in order to achieve compliance. 

Here we provide a practical overview of some of the key elements:

Fair and Lawful Processing

Certain information must be provided to ensure transparency, and fair and lawful processing. When personal data is collected from the data subject, a range of information should be provided, including the identity of the data processor and the purpose and legal basis for processing. Certain legal grounds may be relied upon to process personal data such as consent, performance of a contract, legal obligations and public interest. It is important that the legal basis for processing data is proportionate and legitimate. 


Consent must be freely given, specific, informed and an unambiguous indication of the data subject's wishes. It is no longer sufficient to rely on a pre-ticked box on a website, or implied consent. The data subject must make a clear, affirmative action to signify their agreement to the processing of their personal data. A specific action to tick a box on a website would be considered sufficient provided that it is accompanied by a robust and compliant privacy policy. Where applicable, the data subject must be able to withdraw their consent.

Data Subject Access

Data subjects will now have the right to access their processed personal data and to obtain confirmation that the data controller is processing their data. Data subjects can request a copy of the personal data held, and the first copy will need to be provided free of charge. This removes the £10 charge that organisations are currently able to levy under the existing Data Protection Act 1998.

Right To Be Forgotten

A data subject has the right to request deletion of their personal data, subject to certain conditions. For example, if the data subject withdrew their consent and there is no other legal basis for the data controller to continue to hold their data. In such cases, if the data controller wishes to continue to process the data subject's personal data, the onus will be on the data controller to prove that there are compelling legitimate grounds to continue to hold the data.

Data Portability

A new right under GDPR whereby the data subject has the right to obtain a copy of all personal data about them that the data controller holds, provided that the processing is based on consent and being carried out by automated means. It includes the right to have data transferred to another data controller, and data must be provided in a structured, electronic format that is commonly used and widely available. 

Breach Notifications

In the case of a personal data breach, a data controller must notify the ICO (Information Commissioners Office) without undue delay, and not later than 72 hours. The requirement to notify is only applicable if the breach is likely to result in a risk to the rights and freedoms of a living person.

Privacy by Design

A data controller is obliged to implement data protection measures by design and default when processing personal data. In particular, this is pertinent for those processing data through online services, where data collection is a core requirement of using the product. Data minimisation is important, and it is helpful to determine what data is essential, what is unnecessary and what about current products and services needs to change.

Data Protection Officers

Data controllers and processors are required to appoint a Data Protection Officer if they are a public authority, undertake regular and systematic monitoring, or processing sensitive personal data is at the core of their activities. Data Protection Officers should be professionally qualified and have expert knowledge.  

Data Processors & Contractual Requirements

A data processor processes personal data on behalf of the data controller. For example, an outsourced IT provider. The relationship should be governed by a contract that is binding on the processor and sets out; the subject matter and duration of the processing, the nature and purpose, the type of personal data and the obligations and rights of the controller. Any outsources services need to be reviewed to find out if the contract protects both the data controller and data processor.

GDPR is a large and complex piece of legislation. Whilst some key elements are outlined above, it is by no means exhaustive and each business and industry will have specific requirements. A review of all business processes and the data that is collected, stored and disposed of it key. Chaffinch Document provides document storage, secure shredding and digital scanning and conversion services which can help our clients achieve compliance with the new regulation. To find out more please call 01782 437131 or email This email address is being protected from spambots. You need JavaScript enabled to view it..