GDPR Fact Sheet

Personal data

  • Data from which a living individual is identified or identifiable, whether directly or indirectly
  • Sensitive data includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, sex life or sexual orientation, genetic data and biometric data.

Six Lawful Bases for Processing Data

  • Consent – informed, freely given and verifiable
  • Contractual necessity
  • Legitimate interest of the data controller
  • To comply with a legal obligation
  • To protect vital interests
  • Public interest or official duty

Six Principles for data processing and one Overriding Principle

  • Processing must be fair, lawful, and transparent
  • Data must be collected for a specified explicit purpose and used for that purpose
  • Data Controller must obtain data that is adequate, relevant and not excessive
  • Data controller must keep data accurate and up to date
  • Data controller must only keep identifiable data for as long as necessary
  • Data controller must not lose data, damage it or put it in a physically unsafe environment


The Overriding Principle to which Data Controllers must adhere is Accountability

Data Subject Rights

  • Right of Access to data
  • Right to have data corrected
  • Right to be forgotten
  • Right of Portability
  • Right to object to processing
  • Right to be notified of their rights
  • Restrictions on automated decision-making which has a significant effect
  • The requirement for parental consent for the processing of data of children under the age of 13

Reporting obligations

  • Data breaches must be reported by data controllers to the ICO as soon as reasonably possible, and within 72 hours of becoming aware, if the breach is likely to result in a risk to the rights and freedoms of natural persons
  • The ICO may require data controllers to communicate any breach to those affected by it, unless the breach is likely to have a high risk for the rights and freedoms of data subjects, appropriate technical and organisational protection measures were in place at the time of the incident, or it would be disproportionate to do so.


Data protection fees

  • Tier One organisations – fewer than 10 staff or turnover less than £632,000 – £40 per year
  • Tier Two organisations – fewer than 250 staff or turnover less than £36 million – £60 per year
  • Tier Three organisations – more than 250 staff and turnover greater than £36 million – fees of £2,900 per year

Fines

  • Infringement of certain provisions, such as the rights of data subjects or lack of consent, carries a maximum fine of €20 million or 4% of worldwide turnover, whichever is the higher.
  • Infringement of other provisions carries a maximum fine of €10 million or 2% of worldwide turnover, whichever is the higher.

Although correct at the time of publication, the contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.