GDPR and data protection in the UK

The General Data Protection Regulation (GDPR), which came into force in May 2018, created a new and higher standard of compliance than previously applied to organisations collecting and using customer data. Whenever you collect and use identifiable personal data about customers (such as name, email address, postal address and preferences) you need to comply with the law.

During the Brexit transition period, which ran from 31 January 2020 (Exit Day) to 31 December 2020, the GDPR continued to apply to UK organisations as it had done since May 2018. As with many other EU laws, the principles and rules of the GDPR were transposed into UK law as what is now known as the UK GDPR. From 1 January 2021 the EU GDPR ceased to apply to the processing of personal data in the UK; however, it continues to apply to UK-based organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU.

If you don’t comply with the UK GDPR, you can be fined by the regulator (the ICO, the Information Commissioner’s Office) – up to 4% of your annual worldwide turnover or £17.5 million, whichever is higher. Or, even more worryingly, the ICO can issue an enforcement notice (sometimes called a ‘stop now’ order), which prevents you from collecting or using personal data at all, either permanently or until you have complied with its requirements.

As a business owner (or as the person responsible for data protection in your organisation), you understand the importance of safeguarding your customers' data and complying with the GDPR. However, navigating the complex world of data protection can be daunting, and that's where our highly experienced data protection lawyers step in to offer practical and tailored legal solutions.

Why you need GDPR lawyers for your business

The world of data protection is constantly evolving, and the legal landscape can be challenging to navigate. That’s why you need expert guidance to ensure your operations comply with data protection laws. Our GDPR lawyers offer a range of services that will safeguard your business and put your customers' minds at ease:

Operational guidance on GDPR

Understanding GDPR in theory is one thing, but knowing how it affects your day-to-day operations is another. Our data protection solicitors will provide clear and concise guidance on how GDPR applies to your specific business, ensuring you remain compliant in all aspects of your operations.

GDPR health check

We offer a comprehensive GDPR health check that assesses your business's data protection practices. This check highlights areas that need improvement and provides you with an actionable plan to enhance your data protection measures.

Identifying Data Controller or Data Processor status

Determining whether you are a 'Data Controller' or 'Data Processor' is vital, as different obligations apply to each role. Our expert data protection lawyers will help you identify your status and ensure you fulfil the correct responsibilities.

Setting up contracts between Data Processors and Data Controllers

Having legally sound contracts between Data Processors and Data Controllers is crucial for GDPR compliance. Our data protection lawyers will assist you in setting up robust contracts that protect both your business and your customers and/or partners.

Reviewing and drafting Employment Contracts with GDPR in mind

GDPR has implications for Employment Contracts too. Our legal team will ensure your Employment Contracts align with data protection laws, providing you with peace of mind.

Policy preparation for GDPR compliance

Creating essential policies, such as Data Protection Policy, Privacy Policy, Cookie Policy, Security Policy and Retention Policy, is critical for GDPR compliance. Our data protection lawyers will draft and review these policies to ensure they meet all legal requirements.

Handling Data Subject Access Requests

Dealing with Data Subject Access requests can be time-consuming. Our GDPR solicitors will guide you through the process, making sure you respond appropriately and within legal timeframes.

Dealing with suspected data breaches

In the unfortunate event of a data breach, our team will support you in handling the situation professionally, mitigating potential risks and ensuring compliance with data breach notification requirements.

Data Protection Impact Assessment support

A Data Protection Impact Assessment (DPIA) is a vital process that helps your business identify and mitigate the risks associated with processing personal data, and is mandatory where the processing is likely to result in a high risk to individuals. Our GDPR lawyers will guide you through a thorough and tailored DPIA process designed specifically for your business.

Gaining compliant consent from customers

Obtaining valid consent from your customers to collect and use their data is essential. Our lawyers will advise you on how to gain compliant consent to protect your business and your customers.

Access to legal document templates

We understand the value of your time. To streamline GDPR compliance, we provide access to legal and business document templates, helping you set up GDPR contracts efficiently.

Your partner in GDPR and data breach claims

At LawBite, we go beyond just ensuring GDPR compliance. We offer a broad spectrum of legal services, including handling data protection claims. In case of data breaches or data protection violations, our team of dedicated data breach solicitors will work tirelessly to protect your business from financial loss and reputational damage.

Understanding your business

We’re committed to making legal services accessible and user-friendly for businesses like yours. Our customer-centric approach means that we value your satisfaction above everything else. We strive to build lasting relationships with our clients based on trust, transparency and exceptional service.

If you're looking for expert GDPR solicitors who truly understand the needs of your business, LawBite is here for you. Book a free 15 minute consultation with one of our lawyers to discuss your data protection requirements and take the first step towards GDPR compliance and enhanced data protection for your business.


Expert legal advice in 3 easy steps

LawBite is committed to delivering high-quality legal advice with no hidden extra charges. Our straightforward legal advice process will help get your legal matters resolved quickly and cost-effectively.


1. Make an enquiry

Book a free call with one of our friendly lawyers, solicitors or mediators at a time that suits you. Our platform will immediately match you with the right legal expert.


2. Speak to an expert

On your call, they'll assess your requirements and provide you with the next steps and a breakdown of the work required.


3. Get a fixed-price quote

Our team will then send you a no-obligation, fixed-price quote. When you accept your quote, we'll get started on your legal work.

Frequently asked questions

LawBite is the modern way for SMEs to get the high quality legal advice they need, but faster and cheaper.

As we look to revolutionise the traditional legal process, you may have questions about how we operate to provide your business with legal advice that is easier to access, clearer to understand and more affordable.

We have brought together the most frequently asked questions from our customers.

In the UK, the GDPR and the Data Protection Act 2018 replaced the Data Protection Act 1998.

The GDPR is an EU-wide piece of legislation that (once passed by the EU institutions) applies directly and is enforceable at national level. This means that a member state (for example the UK, while it was a member) didn’t need to introduce national legislation to bring the GDPR into force, and that the rights protecting individuals which are set out in the GDPR (for example on subject access) apply directly.

However, the UK (and other member states) passed supplementary national legislation (such as the Data Protection Act 2018) to deal with national issues such as additional powers for the state or the regulator (the ICO in the UK), as well as setting out the powers and responsibilities of the national regulator (such as the power to levy registration fees). So the GDPR and the DPA 2018 effectively sit alongside each other.

The GDPR requires organisations that process personal information (known as “personal data”) relating to others to keep that data safe, and to process it only if they have lawful grounds to do so.

In summary, the GDPR obliges any organisation that processes personal data to protect that personal data and to process it only where it has lawful grounds to do so. This includes being transparent about what data is held, why it is held and what is done with it; processing the data only for the purpose for which it was collected; collecting only the minimum amount of data needed for the lawful purpose; and making sure that the organisation has appropriate technical and organisational measures in place to protect it.

Yes. All organisations (which includes sole traders, charities, partnerships and limited companies) who process personal data must comply.

If processing personal data is not a “core” part of the business (integral to the business) and the activities do not create any risks for individuals’ personal data, then an organisation might be exempt from some of the GDPR obligations; this must be viewed on a case-by-case basis.

Personal information should be kept for no longer than it is needed. Organisations will need to be able to justify why (and how) they hold personal data and for how long.

Ideally, organisations will implement a Data Retention Policy that sets out standard retention periods where possible. If data can be genuinely anonymised (so that individuals can no longer be identified), it might be acceptable to keep that data for longer than would otherwise be appropriate, but organisations should have carried out a Data Protection Impact Assessment (a risk assessment) to assist them in reaching the decision to retain data for the relevant period, and should document how that decision was reached.

The GDPR aims to protect individuals’ personal information. It also aims to set minimum, harmonised standards of protection for that information across the European Union.

The GDPR applies to all organisations (which includes sole traders, charities, partnerships and limited companies) that are established in an EU member state. It also applies to organisations based outside the EU if they offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU (for example their customers, employees or users). “Processing” covers almost any operation performed on personal data, including collecting it, storing it, transmitting it and deleting it.

The six principles governing the processing of personal data under Article 5(1) of the GDPR are:
1. Lawfulness, fairness and transparency, which means that:
  • there must be a lawful basis to process personal data; and
  • among other things, organisations must be open with individuals about the data held about them and what processing is carried out.
2. Purpose limitation, which means that an organisation:
  • should only collect personal data for specified, explicit and legitimate purposes; and
  • should not process the personal data in a manner that is incompatible with those purposes, except in limited circumstances.
3. Data minimisation, which means that personal data should be:
  • adequate;
  • relevant; and
  • limited to what is necessary for the purpose of the processing.
4. Accuracy, which means that personal data must be:
  • accurate and kept up to date; and
  • corrected or deleted without delay when inaccurate.
5. Storage limitation, which requires the organisation to keep personal data in identifiable form only for as long as necessary to fulfil the purposes for which it was collected, subject to limited exceptions.
6. Integrity and confidentiality, which requires the organisation to secure personal data by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
Article 5 of the GDPR requires a data controller to both:
  • comply with the six principles when processing personal data (Article 5(1), GDPR); and
  • be able to demonstrate compliance with all six principles (Article 5(2), GDPR).


There is no “one-size-fits-all” answer. Each organisation must not only process personal data lawfully but must also be accountable for the way it processes data (for example by keeping records of the actions and decisions taken). Organisations can demonstrate that they are compliant by complying with the six GDPR principles, by being “transparent” with individuals (the data subjects) and by being accountable for that compliance.

The GDPR imposes many different obligations on organisations, including having to demonstrate compliance with the GDPR’s requirements by:

  • establishing and maintaining a comprehensive data protection compliance programme;
  • appointing individuals responsible for overall data protection matters (for example a Data Protection Officer);
  • rolling out policies and procedures;
  • providing staff training on the GDPR;
  • implementing appropriate technical and organisational measures (“TOMs”), for example carrying out Data Protection Impact Assessments;
  • determining and documenting a lawful basis for each instance of processing personal data (including satisfying any additional requirements if processing sensitive or special category personal data);
  • keeping records of data processing activities;
  • being transparent with data subjects by providing them with information about the processing of their personal data (including privacy notices);
  • making sure that the rights of individuals are protected, for example fulfilling subject access requests within the timescales set;
  • making sure that arrangements with joint controllers, data processors and international transfers of data comply with the minimum standards set out in the GDPR.

Supplementary legislation made alongside the GDPR (the Data Protection (Charges and Information) Regulations 2018) requires every organisation that processes personal information to pay a fee to the ICO (unless exempt). This fee is between £35 and £2,900 per year (depending on size and turnover). Details of fee-paying organisations are published on a public register (see https://ico.org.uk/for-organisations/data-protection-fee/). Failure to pay may result in a fixed penalty, and the ICO has issued fines for non-payment of the fee to organisations across a range of sectors including business services, construction, finance, health and childcare.

Individuals have the right to know what organisations are doing with their personal information, who that information is shared with, how long it is stored for, and so on.

They also have various rights in relation to that information, including the rights of:

  • Access
  • Rectification
  • Erasure (the ‘Right to be Forgotten’)
  • Restriction of processing
  • Portability (in a structured, machine-readable format to enable transfer)
  • Objection to processing
  • Not being subject to solely automated decision-making, including profiling.