• Startups
  • June 17, 2020

LawBite’s Countdown Checklist for GDPR | Part Two

As we edge ever closer to the implementation deadline, there are only FIVE weeks to go until the new General Data Protection Regulation (“GDPR”) comes into force. To help you prepare for compliance, you can follow LawBite’s easy-to-digest countdown guides each week from now until enforcement on May 25th. In them we will cover each of the six key principles of the GDPR and explain what you need to do to get your business up to speed. This week we talk about the second key principle of GDPR.

Principle 2: Data must be collected for specified, explicit and legitimate purposes.

This key principle states that data shall be collected for specified, legitimate and explicit purposes and not processed further in a manner that is incompatible with those purposes. In our previous article, we talked about data being processed in a transparent manner, and transparency is a key theme running through the legislation. The Information Commissioner’s Office (ICO) itself states that the second principle aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the data is within the reasonable expectations of the individuals concerned.

So what does this mean in practice, and how can you ensure your organisation is complying?

Firstly, be clear and explicit as to why you are collecting the personal data – it should only be for a specified lawful purpose. If you don’t know the answer as to why you are obtaining the data, the chances are you don’t have a lawful purpose to be doing so!

Be up front – specifying from the outset the purpose or purposes for which you are collecting the data will give clarity to your customers/clients and will help you as an organisation stay focused on what you are doing and why. Set the detail out clearly in any privacy notice you produce and make sure this is made available to individuals at the time their data is collected.

Next, remember that the purpose you specify and rely on at the time of collection must match the processing you undertake. When the purpose is different, you must check your duties and ensure that the new use or disclosure is fair. If you are using or disclosing the information in a way that is outside what the individual concerned would reasonably expect, or that would have an unjustified adverse effect on them, then it is probably unfair and so should be considered incompatible with the original purpose. Fines against the RSPCA and British Heart Foundation demonstrate how seriously the ICO takes organisations using personal information for purposes that exceed the permissions given.

When considering whether another purpose is compatible with the original one, things to look at are: any link with the original purpose; the context in which the personal data has been collected; the possible consequences of the further processing; and whether appropriate safeguards are in place.

Finally, complying with your obligations to inform individuals about what you are doing with their data is only part of the story; unfair processing will still be unfair even if you have complied with other obligations. So make sure that box is ticked!

You will hear this again and again whenever GDPR is talked about, but clarity and transparency are key. The ICO is very, very big on the use of clear and precise language, so spell things out – think carefully about your intended audience and tailor accordingly.

Next week, part 3 – the data minimisation principle… see you next Wednesday!

To consult with Jessica, please submit an enquiry for a free 15-minute consultation or call our dedicated GDPR Hotline 0845 241 1843.

Also, we have put together a special LawBite Rescue GDPR Package for clients who need a little extra last-minute help with compliance. Our LawBite GDPR Rescue Package contains 12 GDPR-compliant document templates crafted by our expert data protection lawyers and written in plain English. The Rescue package templates include Terms and Conditions of Website Use, Privacy Policy for Website, Data Protection Policy, IT Security Policy, Clauses for staff agreements and Consent options for Data Processing.

In addition to GDPR templates, the package contains a 30-minute GDPR audit consultation and an additional 2 hours of specific GDPR legal advice, all for only £495 + VAT (versus £675 + VAT).


In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
