A Guide to the General Data Protection Regulation (GDPR)
Business Information Factsheet
BIF536 · July 2022

Introduction
The General Data Protection Regulation (GDPR) came into force in May 2018 and remains in force as the
UK GDPR following the UK's departure from the European Union. It requires organisations to comply
with data protection principles that give individuals greater control over their personal data. This
includes a requirement that organisations (including all businesses and not-for-profit organisations)
must have a lawful basis for any processing of personal data that they carry out.

This factsheet explains what is considered to be personal data under the GDPR and what is meant by
'processing' data. It explains the six lawful bases for processing personal data and the data protection
principles that organisations must comply with.

The factsheet also outlines when an individual's consent is needed for organisations to process their
personal data, and what is considered under the GDPR to be valid consent. It summarises individuals'
rights in relation to their personal data, and gives examples of the types of actions that organisations
can take to ensure that they comply with the GDPR.

What is personal data?
'Personal data' means any information relating to an identified or 'identifiable' person. Even where the
information held by an organisation does not include the names of individuals, it is still considered to
be personal data if it is possible to use the information to work out the identity of the individual it
relates to.

Examples of the types of information that might make it possible to identify an individual include:

Date of birth.

Postal address.

IP address.

A computer cookie.

Any 'pseudonymised' identifier that can be traced back to an individual, such as an account code or an
online username. Data only counts as truly anonymised, and therefore falls outside the GDPR, if the
individual can no longer be identified from it by any means that are reasonably likely to be used.

BIF536 · A Guide to the General Data Protection Regulation (GDPR) Page 1 of 5


© Cobweb Information Ltd, 2024
Lawful bases for processing personal data
'Processing' personal data refers to any operation that can be carried out on the data, such as collecting,
recording, organising, storing, altering, accessing, using, sharing or destroying it.

Under the GDPR, organisations can only process personal data if they have one or more of six 'lawful
bases' for doing so.

The six lawful bases for processing personal data are:

Consent: Where an individual has freely given specific, informed and unambiguous agreement, by a
clear affirmative action, to an organisation's request to process their personal data for a specific
purpose, the organisation has a lawful basis to process the data for that purpose.

Contract: Where an organisation has a contract with an individual (including unwritten verbal
contracts), they have a lawful basis to process that individual's personal data to the extent that is
necessary for the performance of the contract. This lawful basis also applies when an individual asks
an organisation to carry out a pre-contract service, such as providing a quote, and the organisation
needs to process personal data to do what they ask.

Legal obligation: This applies to processing that an organisation is legally required to carry out, for
example keeping employee records for statutory purposes such as taxation, right to work checks
and criminal record checks.

Legitimate interests: If an organisation or a third party has a 'legitimate interest' that makes the
processing of an individual's personal data necessary, there may be a lawful basis for processing it.
This is the most flexible lawful basis, and legitimate interests can, in principle, cover a wide range of
data processing activities relating (for example) to fraud prevention, IT security and certain types of
marketing.

However, when using legitimate interests as a lawful basis for processing personal data,
organisations are legally required to balance their interests against the individual's rights. If the
individual would not reasonably expect the processing, or if it would have more than a minimal
impact on the individual's privacy, legitimate interests are unlikely to provide a lawful basis for
processing personal data. Legitimate interests cannot provide a lawful basis for certain marketing
activities that require consent under the Privacy and Electronic Communications Regulations 2003.

Vital interests: This applies where the processing is necessary to protect someone's life, for
example, disclosing an individual's medical records to hospital staff during a medical emergency.

Public task: This usually applies only to public authorities, but it can also apply to other
organisations if they are exercising official authority or carrying out a specific task in the public
interest that is laid down by law.

Consent
Because consent is only one of six lawful bases for processing personal data, it is not always required. It
is more likely to be necessary for organisations that are processing 'special category' (sensitive) personal
data, such as religious or political beliefs, ethnicity, sexual orientation and medical information. The
Information Commissioner's Office (ICO) provides guidance about when organisations should seek consent at
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/.

Where consent is required, organisations must follow strict rules designed to ensure that they seek it in
a way that gives individuals genuine choice and control over the types of processing that they agree to.

An individual's indication of consent must involve a positive action (an opt-in). The GDPR prohibits pre-
ticked opt-in boxes and treats silence or inactivity as no consent at all. When seeking consent,
organisations must provide clear information about the data processing that they intend to carry out. If
they process data for more than one purpose, they must explain and obtain consent for each purpose
separately. Individuals must be able to withdraw consent as easily as they gave it, and organisations
must keep records that show what each individual consented to, when, and how.

Data protection principles in the GDPR
Under the GDPR, organisations that process personal data must comply with the following data
protection principles:

Transparency, fairness and lawfulness in the handling and use of personal data. Organisations must
ensure that the individuals whose data they process have easy access to information about the
processing they carry out and their purposes for doing so.

Limiting the processing of personal data to the purposes that they have stated.

Ensuring that personal data is adequate, relevant and limited to what is necessary for the purposes
for which it is processed.

Ensuring that personal data is kept accurate and up to date.

Retaining personal data only for as long as is necessary for the purposes for which it was originally
collected.

Ensuring the security of personal data.

In addition to these principles, the GDPR introduced a new principle of accountability, which requires
organisations to take responsibility for what they do with personal data, and to be able to demonstrate
that they process it in accordance with the principles listed above.

The accountability principle makes a significant difference to the way that organisations must manage
data protection issues. It requires them to be able to provide evidence to the ICO, when requested, that
they have assessed the data protection implications of the processing that they carry out and have
taken appropriate data protection measures. They must also be able to provide evidence that they
continue to review their data processing and update their data protection measures as needed.

Individuals' rights
The GDPR gives individuals several rights in relation to their personal data, including:

The right to be informed about data relating to them and to access that data.

The right to have inaccurate or incomplete data corrected.

The right to have data erased in certain circumstances.

The right to withdraw consent for their data to be processed.

Complying with the GDPR
The GDPR does not set out a list of specific data protection measures that must always be put in place.
Instead, it requires organisations to take measures that are "risk-based and proportionate". For example,
an organisation that processes large amounts of sensitive personal data requires a more extensive data
protection framework than a smaller organisation that processes minimal personal data.

The following are some examples of data protection measures that organisations can take to ensure
they can demonstrate their compliance with the GDPR if requested to do so by the ICO:

Creating a written data protection policy.

Displaying a privacy notice on their website, explaining in clear and intelligible language the data
processing they carry out, and regularly reviewing it to ensure that it continues to be accurate.

Regularly reviewing and updating data security measures (such as protection against cyberattacks
and malicious software).

Appointing a data protection officer. This is mandatory for certain organisations that carry out
extensive or sensitive data processing, and it may be good practice for other organisations
depending on the scope of their data processing.

Carrying out a data protection impact assessment before beginning any new data processing
activity, to identify and minimise the data protection risks that it presents. This is mandatory for
certain categories of processing that involve a high risk to individuals, but is good practice for all
data processing activities.

Ensuring that data processing activities, reviews and decisions are fully documented.

For more information about the data protection measures that organisations should consider taking to
comply with the GDPR, go to
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/.

Personal data security breaches
All personal data security breaches should be recorded internally, whether or not they are reported. A
breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO
within 72 hours of the organisation becoming aware of it, and where the risk to individuals is high they
must also be told without undue delay. For more information, and to report a breach, go to
https://ico.org.uk/for-organisations/report-a-breach/.

Data protection and the European Union
The GDPR was originally introduced into the UK as part of European law. However, it was retained in UK
domestic law when the UK left the European Union (EU). This means that the data protection principles,
rights and obligations that organisations must comply with under the GDPR remain the same as they
were before Brexit.

Organisations that transfer personal data between the UK and the EU can continue to do so freely, because
the EU has formally recognised the UK's data protection regime as 'adequate'. However, that decision is
time-limited and subject to review, so organisations should be aware of possible changes in the future. The
ICO provides information about data protection requirements relating to the transfer of personal data
between the UK and the EU. Go to
https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/overview-data-protection-and-the-eu/.

Useful resources
'Guide to the UK General Data Protection Regulation (UK GDPR)'
ICO
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

'UK GDPR Resources'
ICO
https://ico.org.uk/for-organisations/gdpr-resources/

'SME Web Hub - Advice for All Small Organisations'
ICO
https://ico.org.uk/for-organisations/sme-web-hub/

Related factsheets
BIF003 A Guide to the Data Protection Act 2018
BIF410 A Guide to the Privacy and Electronic Communications Regulations (PECR)

DISCLAIMER While all reasonable efforts have been made, the publisher makes no warranties that this information is
accurate and up-to-date and will not be responsible for any errors or omissions in the information nor any consequences
of any errors or omissions. Professional advice should be sought where appropriate.

Cobweb Information Ltd, YBN, 7 & 8 Delta Bank Road, Metro Riverside Park, Gateshead, NE11 9DJ.
Tel: 0191 461 8000 Website: www.cobwebinfo.com