GDPR Snapshot – What you need to know

GDPR Overview

The EU General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive and the deadline for compliance is 25 May 2018.

The GDPR introduces a single legal framework across the EU for handling personal data. Whilst many of the EU Directive’s core principles and obligations remain unchanged under the GDPR, the GDPR does impose new and additional requirements.

Principles

The six principles under Article 5(1) of the GDPR require that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary
  • Processed in a manner that ensures appropriate security.

Article 5(2) of the GDPR also introduces the accountability principle, and this is probably the most significant change. It requires data controllers to demonstrate that data processing activities comply with the GDPR’s requirements. Therefore, it is not enough simply to be compliant; you must also be able to demonstrate that you are compliant.

Lawful Basis

You must have a valid lawful basis in order to process personal data and you must determine your lawful basis before you begin processing.

There are six available lawful bases:

  • Consent – where the individual has given clear consent; consent requires a positive opt-in and must be unambiguous and the GDPR specifically bans pre-ticked opt-in boxes
  • Contract – where the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
  • Legal obligation – where the processing is necessary for you to comply with the law
  • Vital interests – where the processing is necessary to protect someone’s life
  • Public task – where the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
  • Legitimate interests – where the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests

Data Subjects’ Rights

Chapter III of the GDPR outlines data subjects’ rights including:

  • The right to receive certain information in a concise, transparent, intelligible and easily accessible form;
  • The right to obtain confirmation as to whether or not personal data concerning him or her are being processed and access to the personal data;
  • The right to obtain, without undue delay, the rectification of inaccurate personal data;
  • The right to obtain the erasure of personal data which is also known as ‘the right to be forgotten’ and enables individuals to request the removal of personal data where there is no compelling reason for its continued processing;
  • The right to obtain restriction of processing if the accuracy is contested or unlawful;
  • The right to receive the personal data and the right to transmit that data to another controller;
  • The right to object to processing of personal data; and
  • The right not to be subject to a decision based solely on automated processing.

Steps to take

The steps you may need to take are as follows:

  • Make sure that decision makers and key people in your organisation are aware of the GDPR
  • Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit
  • Review your current privacy notices and put a plan in place for making any necessary changes
  • Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format
  • Update your procedures and plan how you will handle requests within the new timescales and provide any additional information
  • Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it
  • Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard
  • Make sure you have the right procedures in place to detect, report and investigate a personal data breach

How we can help

At KBL, we have a team of experts on hand to assist with all aspects of privacy compliance related legal support, whether that’s ensuring your business’s policies and agreements are compliant or preparing a GDPR policy to be issued to employees, outlining their rights as data subjects but also detailing their responsibilities when processing personal data. For advice and assistance contact Mairead Platt.
