Since GDPR came into force in May 2018, individuals your business deals with have the following rights¹ regarding the information you have about them:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.
As a business you have the duty under law to comply with and protect these rights. Working together with the GDPR’s transparency requirements, there are provisions actively promoting accountability and governance where our UK legislation has previously been implicit.

It’s not just about IT & Marketing

These rights don’t just apply to customers or prospective customers whose personal details you might collect or otherwise acquire (eg through a marketing list) in the course of dealing with them. They also apply to everyone else including job applicants, temporary workers, employees and contractors or any member of the public.

The data doesn’t have to be digital either. The Act covers data held in physical form like business cards and correspondence.

Anyone in your organisation or acting on behalf of it, who can be defined as a “Data Controller” OR a “Data Processor” has legal liability if there is a breach.

Although GDPR extends liability to processors for the first time, if you are the Data Controller you are still liable if they are responsible for the breach.

According to the Information Commissioner’s Office (ICO),
“A controller determines the purposes and means of processing personal data.

A processor is responsible for processing personal data on behalf of a controller.”


What are your responsibilities?

As a business, you could find yourself operating both as a data controller and as a data processor. For instance, you might be the decision-maker who employs or contracts others to process personal data or you might, in some industries and professions, process data on behalf of your clients as a contractor. And then, when you instruct your staff to fulfil the requirements of your client’s brief, you are in the role of data controller again.

A data controller is responsible for, and must be able to demonstrate, compliance with the 6 GDPR principles². The data must be:

  1. Processed lawfully, fairly and transparently – you must deal with the data ethically.
  2. Collected for specified, explicit and legitimate purposes – you must explain why you are collecting the data you’re collecting.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed – you must only collect what you need for the purposes you’ve set out.
  4. Accurate and, where necessary, kept up to date – you must update and delete old and inaccurate data.
  5. Only stored for as long as is necessary for the purposes you collected it for (with some exceptions).
  6. Subject to adequate security from team members to server locations.

What are the lawful bases for processing?

There are six available lawful bases for processing most of which require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis. 

At least one of these must apply whenever you process personal data³:
• Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
• Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
• Vital interests: the processing is necessary to protect someone’s life.
• Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
• Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests⁴.

Whichever basis applies:

  1. You must identify and document your lawful basis before you begin processing.
  2. Your privacy notice should include your lawful basis and the purposes of the processing.
  3. If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
  4. If you are processing special category and/or criminal conviction data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

GDPR & Employers

Employees have all the same rights as any individual under the GDPR and this means that all employers will have to:

  1. Ensure and demonstrate compliance.
  2. Only collect personal data that is adequate, relevant and necessary.
  3. Remove names from data (anonymisation) or use data encryption to pseudonymise it (pseudonymisation conceals identities but allows them to be recovered).
  4. Be open with employees about processing their data and allow them to monitor that processing.
  5. Improve data security features.
  6. Identify and limit any detrimental effects of data processing on individual privacy.


Don’t be hazy about GDPR

Tiger Law can help you work it out and make the changes you need.

Audit your data management, processes and storage including your website.

Advise on and action necessary compliance measures.

Review and amend your Privacy and Terms & Conditions notices.

Redraft or supplement your Employee Handbook (in partnership with our sister company Tiger HR).

Review and, if necessary, redraft your contracts with contractors, suppliers and employees.

Training and Communications for senior officers, employees and external partners.

Call: 01233 227 355

Zealds House, 39 Church St, Wye, TN25 5BL


Information on this website is for the general purpose of highlighting potential issues and is not advice specific to any particular situation.

If, after reading our content, you have concerns about protecting your business, please contact us for a chat and we will help you to review what you have in place and whether there are any gaps in your filing cabinet.

Registered Office
Main House Turkey Court Turkey Mill Business Park Maidstone Kent ME14 5PP
Mon - Fri: 9.00 am - 5.00 pm

Tiger Law Ltd is a limited company incorporated in England, registration number 10618637, registered address: 150 Bridge Street, Wye, Kent, TN25 5DP. Details of the Principal and her professional qualifications are open to inspection at our registered office. Tiger Law Ltd is authorised and regulated by the Solicitors Regulation Authority (SRA No 637189) and our professional code of conduct can be accessed here.

Tiger Law, 2023 © All Rights Reserved