• If your organisation processes personal data, what steps has it taken to familiarise itself with the GDPR and the enhanced rights of individuals?

    If your organisation processes personal data, it must ensure that its policies and procedures provide for the following rights and, where applicable, set out how requests will be dealt with, including a timeline:

    The right to be informed

    The GDPR requires organisations to supply the following information to individuals:

    • identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer
    • purpose of the processing and the lawful basis for the processing
    • the legitimate interests of the controller or third party, where applicable
    • any recipient or categories of recipients of the personal data
    • details of any proposed transfers of personal data to third countries or international organisations and the existence of an adequacy decision by the European Commission, or where applicable, the appropriate safeguards
    • the period for which the data will be stored or criteria used to determine the retention period
    • the existence of each data subject’s rights
    • the right to lodge a complaint with the Information Commissioner
    • whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
    • the existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
    • the categories of personal data (where data is not obtained directly from the data subject)
    • the source the personal data originates from and whether it came from publicly accessible sources (where data is not obtained directly from the data subject)
    • the right to withdraw consent at any time

    The information provided must be:

    • concise, transparent, intelligible and easily accessible, and
    • written in clear and plain language, particularly if addressed to a child.

    The right of access

    The right of access to an individual’s own personal data existed under the DPA but organisations must provide more information than was previously required and reply within one month from the date of receipt of the request.

    The right to rectification

    The GDPR requires organisations to ensure that personal data is accurate, kept up to date and is erased or corrected without delay when it is inaccurate.

    The right to erasure (right to be forgotten)

    This is a new right giving individuals the right to request organisations to delete their personal data in certain circumstances.

    The right to restrict processing

    This is a new right giving individuals the right to restrict data processing in certain circumstances.

    The right to data portability

    Individuals have a new right to obtain a copy of their personal data from the data controller in a commonly used and machine-readable format, and the right to transmit that data to another controller.

    The right to object

    Individuals have the right to object to the processing of their personal data, including profiling, unless the data controller can demonstrate legitimate grounds for the processing which override the individual’s rights.

    Where personal data is processed for direct marketing purposes, individuals have the right to object to processing for such purpose.

    Rights in relation to automated decision making and profiling

    Individuals will have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects on the individual or similarly affects the individual. Organisations that engage in profiling activities will need to consider how to implement appropriate consent mechanisms to continue these activities.

    The right to be notified of a data security breach

    Where a personal data breach is likely to result in a high risk to the rights and freedoms of an individual, the data controller must notify the individual without undue delay.


    The new Data Protection Bill was published in September 2017 and is currently making its way through Parliament. It is too early to know what form the final Data Protection Bill will take and it may differ from the GDPR in some respects. Brachers will continue to monitor the situation and highlight any points where differences are likely to have a material effect.

    How can we help?

    For further information and advice on the GDPR please contact our specialists:

    Erol Huseyin or Julie Alchin in our Commercial team

    Catherine Daw or Antonio Fletcher in our Employment team

    This content is correct at time of publication
