
GDPR: Useful insights from the ICO

01 March 2018

Much has been written about GDPR, but one of the more useful recent documents is entitled “Preparing for the General Data Protection Regulation – 12 steps to take now”, published by the Information Commissioner’s Office (ICO) and available at www.ico.org.uk. Some of its more useful insights are as follows.

You don’t always need to have a person’s consent in order to process (i.e. hold or use) their data. There are other legal justifications for doing so, and in some cases it’s actually preferable to rely upon these rather than upon ‘consent’. Processing is justified if it’s necessary for the performance of a contract with that person – e.g. if they’re a customer and you need that data to provide goods or services to them. Processing is also justified if it’s in your legitimate business interests, provided that it doesn’t outweigh their privacy rights. This can be more difficult to judge, but would probably not extend to marketing to non-customers.

You’ll need to provide people with more information about the legal basis for processing their data, what data may be processed and for what purpose, how long it will be stored for, and their legal rights. These are known as privacy notices. Current privacy notices won’t be adequate, but we can help you draft new ones.

Unlike now, you’ll be legally required to report data security breaches to the authorities, without undue delay, and, where feasible, within 72 hours of becoming aware of the breach. However, a breach will only need to be reported if it is likely to result in a risk to ‘the rights and freedoms of individuals’. This can be difficult to assess, but we have helped clients with this process in the past.

Any contracts you have with a ‘data processor’ such as a payroll bureau or marketing agency will need to be reviewed, as the GDPR requires you to include certain contractual terms guaranteeing data privacy. We can help you put appropriate terms in place.

Our multi-disciplinary legal teams spend all day, every day helping companies large and small with complex business decisions. Download a handy fact sheet on GDPR compliance here.
