GDPR is here !

Can you demonstrate that you comply?

The GDPR provides greater rights to individuals in relation to the privacy of their personal data. It imposes greater accountability on organisations to demonstrate that they are complying with the legislation. Organisations must ensure that they are open and transparent about what they will do with the data, must ensure it is accurate and up to date and must take appropriate steps to keep it secure. They must not collect excessive personal information or share it without authorisation and they must not keep it for any longer than is necessary. 

Important things about the Data Protection Legislation

Transparency and Accountability – Being Open and Honest

Organisations need to be more open and transparent with people and must tell them exactly what they

will be doing with their personal information. Businesses will need to keep careful records and account

for their actions and provide a detailed Privacy Notice prior to processing personal data. This notice

includes information such as explaining who you are, why you need the information, what you are

going to do with the information, who will have access to the personal data, how long you are going to keep it and the individual’s rights.


GDPR has six defined principles plus the  accountability principle, which is central to demonstrating compliance. This can be shown through having appropriate policies and procedures in place, together with contracts between Controllers and Processors, Data Sharing Agreements, Privacy Notices and appropriate training for staff.


Many organisations have been sending out emails in the hope of customers signing up to consent for their information to be retained or used for further marketing. However, depending on whether the customer purchased a product or service, the organisation might be able to rely on the “soft opt in” rather than seeking new consent that may not be provided. 

In addition, consent is not the only lawful basis for processing personal data. Organisations should consider whether consent is appropriate or if they can rely on legitimate interests or one of the other lawful bases for processing.

Subject Access Requests

Individuals are entitled to request an organisation to provide details of the personal information held about them. Strict rules and time limits apply on how to process these requests, known as Subject Access Requests (SAR). Under the GDPR, an organisation has up to one month to provide the necessary information (subject to exceptions). It is important that staff recognise a SAR and act appropriately and organisations have suitable systems in place to deal with a SAR expeditiously.

New Systems - Privacy Issues Addressed Early

When an organisation proposes to introduce new systems, any impact this may have on the privacy of personal information must be considered carefully and needs to be formally documented in a Data Protection Impact Assessment.

The Right to be Forgotten

Individuals have a number of rights under the GDPR and one of these is the ‘right to be forgotten’.  However, this is a fundamental right and not an absolute right. Organisations will still need to balance this right against other rights and obligations, including their own legal requirements to retain information.

Data Processors – New Liability 

Under the GDPR there is additional responsibility on Processors and they can be held directly liable for their own data protection mistakes and can face monetary penalties from the ICO. As such, data processing contracts should be reviewed to ensure that they explain the roles and responsibilities of both parties.

Monetary penalties

The GDPR has increased the monetary penalties available to the ICO. There is a two-tier system. Tier 1 has a maximum penalty of up to €10,000,000 or 2% of global turnover, whichever is the greater, for breaches of obligations including maintaining written records, implementing technical and organisational measures and in relation to the appointment of Data Protection Officers.

Tier 2 has a maximum penalty of up to €20,000,000 or 4% of global turnover, whichever is the greater, for breaches of the principles and data subjects' rights.

For further information, advice and assistance Contact Us

Copyright 2016 | Privacy Notice

The information on this website should not be treated as legal or other advice and South Coast Data Protection Consultants Ltd will not be liable in contract, tort or otherwise if you rely on the information without seeking professional advice.