At the recent FSB workshop in Keswick about GDPR, Rianda Markram (Head of Content and Training, LHS Solicitors) shared some of the key points about GDPR. Here are some of what we think are probably the most important bits (full slides available further down this page).

GDPR Principles

Personal data must be collected and processed:

  1. Lawfully, fairly and in a transparent manner
  2. For specified, explicit, and legitimate purposes
  3. Adequately, relevant and limited to what is necessary
  4. Accurately and kept up-to-date
  5. Kept in a form which allows identification of individuals for only as long as necessary
  6. Securely by implementing appropriate technical and organizational measures

GDPR Accountability

  • Data controllers must comply with the principles
  • Demonstrate compliance with principles and GDPR requirements
  • Together, this forms the concept of accountability under the GDPR


The GDPR requires that consent be:

  • Freely given, specific, and informed and unambiguous
  • An affirmative action or statement
  • Explicit for certain types of data processing, including, but not limited to, sensitive personal data processing and cross-border data transfers
  • Presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form
  • Provided in clear and plain language
  • Must provide the right to withdraw consent

Breach Notification

  • Data subjects have a right to know when their personal data is hacked, stolen or lost and their privacy is threatened
  • Notify data breaches to ICO without undue delay and where feasible within 72 hours
  • Unless breach unlikely to result in risk to individuals
  • Processors must inform controllers of a breach
  • You must provide justification to ICO for failure to comply

Legal Bases for Processing Data

At least one of these must apply whenever you process personal data:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests


  • Check that processing is necessary for the relevant purpose
  • Must determine the purpose and lawful basis before you process data and document it
  • Get it right first time – you should not swap to a different basis without good reason
  • Include this information in your privacy notice
  • Processing of special categories of data, need both a lawful basis and an additional condition for processing
  • Processing of criminal convictions or data on offences, need both a lawful basis and either legal authority or official authority for the processing

Rights of Data Subjects

(Make sure you know these so you don’t breach them!) The main rights for individuals will be:

  • Access to their data
  • To have information erased
  • To have inaccuracies corrected
  • To object to/restrict processing

Actions to consider to avoid falling foul

  • Map what data you hold, how you store it and who you share it with
  • Draft policies and procedures
  • Train your staff on your new policies and procedures
  • Obtain and keep evidence of all your decisions
  • Regularly review and update your policies and procedures
  • Complete checklists on Legal Hub and ICO

Request a Quote

Have a project in mind?

We’re more than happy to discuss and provide a no-obligation quotation.