GDPR law: what you need to know

Home | Insights | Workplace Insights | GDPR law: what you need to know
An icon of a lock with a key symbol on top of a navy background with connection lines, symbolising GDPR.

The General Data Protection Regulation (GDPR) has revolutionised the collection and storage of personal data in the EU since it’s introduction in May 2018. When it was introduced, it had major repercussions for many small and medium enterprises.

The regulation’s main aim is to give individuals control of their data once more; giving them the right to know how any company is handling personal data. For the purposes of the legislation, personal data is classified as information held about a living individual, which can identify who they are.

The regulation

The regulation can be broken up into seven key principles:

• The right to be informed
• The right of access
• The right of rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object

These principles apply to three main areas: consent, data privacy, and data protection officers. Failure to comply can result in fines of up to €20 million or up to four per cent of total global revenue of the preceding year, whichever is greater.


Since the introduction of GDPR, businesses have had to ensure that consent is freely given with an affirmative and clear action. Instead of asking consumers to tick the box if they don’t want to hear from a company, SMEs must now ask consumers to tick the box if they do want to receive marketing material.

On the other side of the coin, withdrawal of consent is now required to be as simple as possible. Consumers must be informed that they have the right to withdraw consent at the time of signing up, and businesses must make this process as easy as possible. Furthermore, when withdrawn, an individual’s details must be permanently erased, not just removed from the relevant databases. Essentially, individuals now have the right to be forgotten, so data records must be as up to date as possible, with inaccurate entries corrected without delay.

In collecting and storing data, companies must also provide a clear trail of consent in case of audit, with screen grabs or saved consent forms.

Data Privacy

One of the most striking changes found in the GDPR in comparison to older laws is the requirement of businesses to prove they have a legal basis to store and use any gathered data, and provide details of where their data is stored. Reasons for processing data must be specific, explicit and have a legitimate purpose.

The regulation recognises four lawful bases for processing:

1. Explicit consent – individual must proactively supply consent through a positive opt-in
2. Compliance with a legal obligation – for example, to process right to work checks
3. Entering into a contract with an individual to supply goods and services or fulfil an obligation – for example, an employment contract
4. Legitimate interests, unless outweighed by the individual’s rights and interests. Businesses must prove they have genuine reasons to process personal data without consent by satisfying the following criteria:
a. Organisations must need to process information for its own legitimate interests or for those of a third party to whom it may disclose the data.
b. The legitimate interests must be balanced against the individual’s – processing must not prejudice the rights and freedoms, or legitimate interests, of the individual. If in conflict, the individual’s interests will take priority.
c. Any processing must be fair, transparent, accountable and must comply with all the data protection principles.

Companies can now only hold data that is necessary for the purpose of processing, keeping retention periods to a minimum. SMEs must also know exactly where their data is located.

Data Protection Officers and Breaches

One of the most effective ways to ensure full compliance to the GDPR is to hire a data protection officer (DPO). In fact, the regulation states that a DPO must be appointed for all public authorities or any businesses whose core activities involve the systematic monitoring of large amounts of personal data.

A DPO is responsible for implementing any data protection strategies and is accountable for maintaining all documentation that proves full compliance with the GDPR. The regulation doesn’t specify any necessary credentials, but suggests that anyone employed as a DPO have expert knowledge of data protection law and practices. They can be employed on a permanent basis or under a service contract, and can be shared by a group of businesses, proving equal accessibility. A DPO should report to the highest management level and be located in the EU.

In the event of a data breach, companies must inform the relevant authorities within 72 hours, providing extensive details of the problem and proposing mitigation strategies.

Tiger Recruitment can help source temps with a data background to cleanse and tidy databases and delete records, or contracted data protection officers to help companies remain GDPR compliant.

Get in touch today to find out how we can help.

Author Tiger Contributor Tiger Recruitment Team

Sign up for the latest workplace insights.

Are you: