What is GDPR?

On 28 May 2018 the General Data Protection Regulation (GDPR) will come into force for all EU countries, with the aim of strengthening the rights of EU citizens regarding how their personal data is collected, processed and stored by any organisation. GDPR will replace the current Data Protection Framework under the EU Data Protection Directive.

The new law provides a consistent data protection framework with enhanced rights for individuals and greater accountability and transparency. GDPR applies to personal data, and both data controllers and data processors face a number of tasks to ensure their business complies with the new regulations.

GDPR brings with it new obligations and requirements which all businesses, regardless of size, must comply with or face severe fines.

Safeguarding data and handling it responsibly is a key part of being compliant with the new Data Protection requirements.

Key Considerations for Data Handling:

  • Organisations to consider privacy at the initial design of a process
  • Only collect the minimum amount of personal data required
  • Operate within legal boundaries and be accountable
  • Keep data up to date and accurate
  • Don’t share data unnecessarily (internally or externally)
  • Don’t keep data (physical or electronic copies) longer than absolutely necessary

What is Personal Data?

This is any information (identifiers) relating to an identified or identifiable natural person (data subject), i.e. information or data that can identify, directly or indirectly, an individual.

Examples of identifiers include name, address, date of birth, email address, telephone number, CCTV image or their physical, physiological, genetic, mental, economic, cultural or social identity.

What is Sensitive Personal Data?

This is a special category of personal data which can identify an individual’s race or ethnicity, political opinion or affiliation, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life or orientation and genetic or biometric information.

Six Principles of GDPR

Personal information (data) must be:

  1. processed lawfully, fairly and in a transparent manner
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary for the purpose for which they are processed
  4. accurate and up to date where necessary and inaccuracies rectified as quickly as possible
  5. kept (or kept in a form which permits identification of individuals) for no longer than is necessary
  6. processed in a manner that ensures appropriate security of the personal data and in line with the data subject’s rights

Please note that the Data Controller is responsible for, and must be able to demonstrate, compliance with these principles.

Who is Responsible for Data?

Businesses that are responsible for data are known as “Data Controllers”. As a retail business you will almost certainly be a Data Controller and as such, determine the purposes and means of processing personal data.

A “Data Processor” is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

An individual business may use an external processing company or appoint a separate data controller and processor.

Data Processing

This is quite broadly defined and can include the storage, collection, alteration, retrieval, use, disclosure and transmission of data, as well as the sorting and analysis of that data.

Processing can only be carried out under an appropriate lawful basis as set out in Article 6 of GDPR. At least one of these must apply whenever you process personal data:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

4. Vital interests: the processing is necessary to protect someone’s life.

5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Third Party Contracts

Data Controllers are accountable and responsible for data protection even if the processing is done by third parties.

You might from time to time have a legitimate need to share data with other entities. In these circumstances it is important to identify who may be capable of using data, for which your business remains ultimately responsible, in a way that gives rise to a breach. These other entities may become joint Data Controllers with your business. Common examples of other entities that a retail business might come into contact with include:

1. Suppliers

2. Marketing companies

3. Professionals such as solicitors and accountants.

4. Businesses that you outsource employee matters to such as wages and HR.

In these circumstances it is advisable to enter an agreement with other Data Controllers to ensure that they exercise the appropriate level of care with your business’s data and properly identify how each party complies with their obligations.

Existing contracts with third party suppliers will need to be reviewed and addressed to meet GDPR requirements. New contracts must have these requirements built in from the start.

Consequences of inaction include breach of contract with suppliers and customers, and penalties/fines for non-compliance.

Contracts must contain a data processing agreement addressing:

  • Right to audit
  • Obligation to cooperate with investigations
  • Processing instructions
  • Duty of confidentiality
  • Appropriate technical and organisational measures
  • Providing the controller with evidence to demonstrate compliance

What is a Data Breach?

It is the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Examples of a breach include:

  • loss or theft of documents/equipment holding personal data, for example, folders, laptops etc
  • human error – emailing or posting to the incorrect address
  • incorrect access controls allowing unauthorised individuals to view information they shouldn’t
  • security breaches e.g. hacking or other intrusion
  • records being destroyed within their retention period
  • HR records left on a desk and viewed by employees
  • confidential email addresses disclosed to others when sent in the ‘To’ field
  • papers containing personal data being stolen or left on the bus

What to do if you suffer a data breach

Under GDPR there is a duty on all organisations to report certain types of personal data breach to the Information Commissioner within 72 hours of becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

In the event of an information loss or breach, it is vital that you have robust policies and procedures in place to manage the incident effectively. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.

You should conduct an assessment of the breach as soon as possible to ensure that you are able to recover any data lost, or stop any further breaches. Your policy should also cover steps to investigate how the breach occurred so that you can learn from it and improve your processes for the future.

You must also keep a record of any personal data breaches, regardless of whether you are required to notify.

When reporting a breach, you must provide:

  • a description of the nature of the personal data breach including, who and how many individuals are concerned and the type of records that have been breached
  • the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Rights of Data Subjects

GDPR introduces improved rights for individuals about the information that you may hold about them.

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision-making and profiling

Data Access Requests (DAR)

A Data Access Request refers to an individual’s right to obtain a copy of their personal information that is stored or being processed within an organisation. A request must be processed within 30 days.

Individuals have the right to have inaccuracies in their data corrected.

Points to note about requests:

  • Must be received in writing
  • Can come from any individual data subject
  • May arrive addressed to anyone in your organisation
  • May refer to the Data Protection Act, GDPR, or may not
  • Can be very specific or very broad in scope

Privacy Statements

Your business should have a Data Protection Policy and processes to ensure compliance with the GDPR principles. A Privacy Statement or Notice must be provided to individuals setting out how you collect data, store it and use it. The Privacy Notice should also provide details of data subjects’ rights and how to contact the organisation with a complaint or query regarding their data.

The notice should use clear, concise language that is easily understood by adults and children.

Data Audit

Start by documenting all personal data you hold and consider how you hold it, secure it, process it, the lawful basis for processing it, retention period and how you destroy records when appropriate.

This will make it much easier to manage the personal data you hold, reply to subject access requests and ultimately ensure you comply with the GDPR.

Staff Training

It is important that all staff understand principles of data protection, what is considered a breach, their duties with regard to data protection and the consequences of a breach.

Like health & safety, we all have a part to play in our organisations to ensure that personal and sensitive data is protected, so providing staff awareness training should be a priority.

What you need to do NOW

ICO recommends you take 12 steps to comply with GDPR:

  1. Awareness – ensure that all key decision makers in your business are aware of the GDPR and their responsibilities.

  2. Information you hold – do a data audit to ascertain and record what personal data you hold including HR records, patient data, financial data, etc. Identify the lawful basis for having or processing that information, how you keep it secure, who you share it with and how long you keep it.

  3. Communicating privacy information – review and update privacy notices in line with the GDPR.

  4. Individuals’ rights – review your policies to ensure that you are upholding individuals’ rights including how you delete information or provide information to a data subject.

  5. Subject Access Requests – review your procedures for handling information requests under the new guidelines.

  6. Lawful Bases – review your data and identify the lawful basis for processing it, updating your privacy notices as appropriate.

  7. Consent – review how you seek, record and manage consent and update if necessary.

  8. Children – where you offer services to children, you may need to put systems in place to verify individuals’ ages and to obtain parental consent for data processing activity.

  9. Data Breaches – ensure your procedures cover detection, reporting and investigating a personal data breach.

  10. Data Protection by Design and Data Protection Impact Assessments – familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance on how and when to implement them in your organisation.

  11. Data Protection Officers – designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.

  12. International – if your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. ICO’s Article 29 Working Party guidelines will help you do this.