Private and Cookie PolicyWe use cookies to enhance your experience while using our website. We will take your continued use of our website as consent to our use of cookies.






Please find below a handy guide and frequently asked questions relating to the GDPR.

What does it apply to?

Personal data is information relating to an identified or identifiable natural person. This include provisions which take into account advances in technology; therefore online identifiers, such as an IP address, are also included.  'Special categories of personal data' or sensitive data, such as sexual orientation and religious beliefs, are covered by the GDPR and includes genetic and biometric data where it is possible to identify an individual as a result of that data being processed.   

Who does it affect? 

The GDPR applies to businesses, charities and other organisations that are located in the EU, and those which are solely located outside the EU and process personal data of EU residents and sell goods to them. 

Will I need to register with the Information Commissioner? 

Most data processors will have to register with the Information Commisioner's Guide and pay an annual fee.

What consent must be given to process personal data? 

Consent must be provided by a data subject for the processing of his/her personal data. This consent must be provided by an affirmative action and be unambiguous. inactivity or pre-ticked boxes do not constitute consent to the processing of data. Organisations are required to demonstrate that data subjects have consented to the processing of their data. 

Organisations will be required to keep a record of how and when consent was provided and, generally, stop processing data in the event that consent is removed. 

An additional layer of protection has been provided for children (generally those under the age of 16, although this age can be reduced to not less than 13 should a Member State determine that this is acceptable). In these circumstances, consent is required from the person who has parental responsibility for the child whose data is to be processed. 


Organisations must show how they adhere to the GDPR's principles by, for example, demonstrating what procedures are in place to protect the data that they hold. Many organisations will currently have in place adequate measures; however, it is likely that others will be required to examine and address their current practices to ensure compliance with the GDPR. 

What rights does a data subject have? 

Below is a summary of some of the rights that a data subject has: 

There is a right of access to the data stored by a processor and confirmation of the processing of it.  Most requests should be responded to within 30 days of the initial request being made. 

If any information held is incorrect, the data subject is entitled to request that it is rectified. Where information has been disclosed to third parties, the disclosing party is also obliged to ensure that this information is rectified. 

Where there is no compelling reason for personal data to be held, a data subject has the right to request that any data be deleted. The data subject may also request that any processing of data ceases. This request must be complied with unless there are compelling and legitimate grounds for processing that personal data. 

Do I need to appoint a data protection officer (DPO)? 

If you are a public authority or carry out large scale processing of special categories of data or the systematic processing of large amounts of data for monitoring purposes, then it is likely that you will be required to appoint a DPO. 

Larger organisations may find that it is prudent for them to appoint a DPO to ensure compliance with the GDPR. 

Do I have to report all personal data breaches? 

Any breach of security which leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data is likely to be a breach of the Regulation. 

Not all breaches are reportable; an organisation will need to determine whether there has been, or there is likely to be, a significant detrimental effect upon individuals. 

What to do now? 

Organisations should consider what policies and procedures they have in place, and whether these are adequate to meet the obligations imposed upon them under the GDPR. Where appropriate, any supply contracts should be considered to ensure that adequate rights are in place, for example relating to reporting of security breaches. 

Get in Touch

With Lupton Fawcett on your side, you're taking control. Contact us today.

Enquiry Form

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at

Get in Touch