Dashboard
Dashboard Make a document Ask a lawyer Get guidance Home
Account
Profile information Account settings
Logout
Help
Help Contact us
Explore
Make documents Ask a lawyer Get guidance About us
Account
Sign up Log in
Help
Help Contact us
Make documents
Easily make legal documents
See all documents
Popular business documents
Popular employment documents
Popular property documents
Popular family documents
Terms and conditions Privacy policy Non disclosure agreement Shareholders' agreement
Employment contract Health and safety policy Environmental policy Consultancy agreement
Tenancy agreement Lodger agreement Eviction notice Declaration of trust
Affidavit Prenuptial agreement Last will and testament Power of attorney
Ask a lawyer
Get quick legal advice from a lawyer
Ask your question
Popular legal topics
COVID-19: Business legal help COVID-19: Individual legal help Protect intellectual property Run an online business
Hire employees Manage employees Discipline employees Dismiss employees
Rent residential property Rent commercial property Manage rented property Evict tenants
Get divorced Apply for probate Make a lasting power of attorney Bespoke legal drafting
Get guidance
Get reliable legal guidance
Read legal guides
Popular business guides
Popular employment guides
Popular property guides
Popular family guides
COVID-19: Business legal help COVID-19: Individual legal help Types of shares Ending a contract
Overpayment of wages Notice periods Summary dismissal Implied employment terms
Declaration of trusts Legal interests in property Section 21 notices Security of tenure
Affidavits Executing a will Changing your name Getting married
About us
Learn more about Rocket Lawyer
Contact us
Get more information
Pricing
Help
About us
Careers
  1. /site/gb/en
  2. Legal guides
  3. Getting ready for GDPR

Getting ready for GDPR

The General Data Protection Regulation (GDPR) strengthens data protection across the EU by reinforcing the existing rules and sets out a new legal framework to protect data privacy. It applies to all EU member states, including the UK. Companies that do not comply with the GDPR will be subject to significant fines, so make sure your business complies.

The GDPR applies to businesses that store or handle personal data, ie information relating to individuals who can be identified from that data. People handling personal data can either be 'data controllers' or 'data processors':

  • The controller is the person who says how and why personal data is processed, eg a city council operating CCTV cameras.

  • The processor is the person who acts on the controller’s behalf, eg IT services.

Ask a lawyer if you are unsure whether the GDPR applies to your business.

The GDPR reinforces the established principles governing data protection. These principles include processing data lawfully, obtaining valid consent from individuals you are collecting data from, and making sure the rights of individuals are protected (ie the right to object to their data being processed).

Lawful processing

When collecting personal data, you must make sure the data is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • kept for no longer than is necessary
  • kept safe and secure
  • not transferred outside the European Economic Area (EEA) without adequate protection

Consent

The new law makes it more difficult to obtain a valid consent from individuals whose data is to be collected. To be valid, consent must be freely given, specific (ie limited to a specific purpose), informed and unambiguous. It must consist of a clear affirmative action, therefore silence, pre-ticked boxes or inactivity don't constitute valid consent. In addition, consent to process 'sensitive personal data' or data that comes within the 'special categories of personal data' (ie information about racial origin, political opinions, religious beliefs, health, sexual orientation or criminal records) and consent to transfer personal data outside the EU must be explicit.

Individuals can also withdraw their consent at any time and consent must be as easily withdrawn as it was given (eg if data subjects simply ticked a box to express their consent, they should be able to withdraw the consent as easily).

Individuals' rights

The GDPR provides new rights for individuals, including :

  • The right to erasure (or 'right to be forgotten'): individuals have the right to ask companies holding data about them to erase that data upon request, if there's no compelling reason to continue processing the data.
  • The right to access data: data processors must comply with a request to access data without delay, and at the latest within one month of the request (this can be extended to two months if the request is too complex). However you can refuse to respond to the request if it is manifestly unfounded or excessive.
  • The right to data portability: when data processing is carried out by automated means, individuals have the right to access their personal data in a machine-readable format, ie in a way that is portable and safe.

Breach notification

All organisations must report data breaches to the relevant supervisory authority and if the breach is high risk, to the affected individuals. Data breaches are breaches of security that lead for example to the destruction, loss, alteration or unauthorised disclosure of personal data. If feasible the breach must be reported within 72 hours.

The GDPR requires you not only to comply with data protection principles, but also to demonstrate that you comply with them, through the implementation of specific policies and procedures. Follow these few steps to make sure your business complies with the law:

  • Evaluate whether the GDPR applies to your business.
  • Make sure you process data lawfully, ie that personal data is stored and handled responsibly and securely, and is not kept longer than necessary. This might involve applying suitable security measures. For example if you own a mobile application, your developers should encrypt and secure any data that moves between your app and the server, in addition to adequate hashing of user passwords.
  • Review your existing process to obtain consent from data subjects and ensure consent is valid. You should keep some form of record of consent (ie how and when consent was given, and by whom).
  • Update/develop a clear Privacy policy in which you’ll indicate what personal data is being collected, the purpose for collection, and how individuals can access data.
  • Consider how you will deal with individuals' requests to delete their data and make sure you are able to erase data if someone requests you to do so.
  • Ensure you offer a proper process for individuals to withdraw consent at any time and notify them of their right to do so.
  • Appoint a Data Protection Officer within your business to be responsible for ensuring data protection compliance.
  • Prepare for the new data breach reporting requirements. You may need to appoint a specific person or to set up a dedicated unit within your business to deal with data breaches.

Individuals or businesses that do not comply with the law will be subject to a fine of up to 4% of their total global annual turnover or 20 million euros. Supervisory authorities will also have a wide range of powers, including the power to audit businesses, to issue warnings and to issue temporary or permanent bans on data processing.

Follow us

We use cookies to provide the best experience