Kirk Rice Blog

Understanding GDPR And Its Key Principles

Written on March 21, 2018 by Kirk Rice LLP

With only 9 weeks until ‘GDPR day’, it’s vital that businesses understand the key principles of the GDPR and the potential impact on them.

In my second article, I explain the core concepts which underpin the incoming legislation. Having an appreciation for the philosophy behind the GDPR is fundamental to complying with its requirements and will help you make sense of the potential consequences for your business.

It’s well worth investing 10 minutes now to read our ‘GDPR need to knows’.

GDPR Principles – need to knows

1. Why is it needed?
2. When does it apply from?
3. What about Brexit?
4. Who will enforce it in the UK?
5. What does it relate to?
6. Who does it relate to?
7. What are the key principles?
8. What rights do data subjects have?
9. What is a lawful basis for processing?
10. What constitutes a breach?
11. What are the penalties?
12. Are there other financial risks?

1. Why is GDPR needed?

In simple terms, the existing Data Protection Act (DPA) is no longer fit for purpose. The Act is now nearly 20 years old; the technology we currently live with simply didn’t exist then, and data is now being used in ways that were not envisaged at the time.

The GDPR has been designed to be technologically neutral, meaning the same regulatory principles apply regardless of the technology used. This is aimed at ensuring the GDPR does not date in the same way the DPA has; however, it does make the Regulation harder to interpret, with a lack of clear and precise direction.


2. When does it apply from?

The GDPR replaces the DPA and applies from 25 May 2018.



3. What about Brexit?

Whilst the UK is still an EU member, the GDPR applies to us. Post Brexit, newly proposed legislation within the Data Protection Bill will enshrine GDPR into UK law, so the principles are here to stay.



4. Who will enforce it in the UK?

The Information Commissioner’s Office (ICO) is the independent regulatory office in charge of enforcing the current DPA and the new GDPR.



5. What does it relate to?

The GDPR applies to ‘personal data’ meaning any information relating to an identified or identifiable natural person.

There are two key points here: the information must be identified or identifiable (anonymous data is outside the scope of the GDPR), and the information must relate to a natural person (not business data). Examples of personal data would include a customer’s personal name and address, an employee’s bank details, and an email address used for marketing.

The subject of personal data is called a Data Subject and this does not relate to deceased individuals.

On the matter of email addresses, we understand that business email addresses which identify an individual are within the scope of the GDPR. For example, joe.bloggs@kirkrice.co.uk is a business email address, but identifies Joe Bloggs and as such, is considered personal data.

Under GDPR, special category data is personal data which requires more protection, such as biometric data, information about a person’s health, political opinions, racial or ethnic origin.



6. Who does it relate to?

The GDPR applies to ‘data controllers’ and ‘data processors’.

A data controller is ‘the natural or legal person…which…determines the purposes and means of the processing of personal data’.

They determine, for example, what data is held, why it’s held, what is done with it.

A data processor is ‘a natural or legal person… which processes personal data on behalf of the controller’.

Data processing includes obtaining, recording, holding information or data, or carrying out any operation on the information or data – basically anything you can do to data!



7. What are the key GDPR principles?

Under the GDPR, there are key principles which set out the main responsibilities for businesses.

Be upfront about what you use their data for (The Lawfulness, Fairness and Transparency Principle)

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Transparency is key to ‘fairness’ and data subjects should be told, for example, what data is kept, how it’s used, how long it’s retained for etc.

Use data only for the reason it was collected for (The Purpose Limitation Principle)

Personal data shall be collected for specified, explicit and legitimate purposes. For example, data collected by a supplier when a customer buys a product, cannot be passed on to an unrelated third party unless the customer specifically consents.

Only collect data you need (Data Minimisation Principle)

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed. If the data is not needed, don’t collect it!

Keep your data up to date (The Accuracy Principle)

Personal data shall be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay and reasonable steps must be taken to ensure data is regularly updated.

Don’t keep it for longer than necessary (The Storage Limitation Principle)

Personal data shall be kept for no longer than is necessary for the purposes collected. Organisations will need to decide how long it is necessary to retain information, given the purposes it was collected for. Information no longer necessary must be securely deleted.

Keep data safe (The Integrity and Confidentiality Principle)

Personal data shall be processed in a manner that ensures appropriate security of the personal data. It must be kept secure from unauthorised or unlawful processing, accidental loss or destruction, or damage.

This is a key point and one on which the ICO will be hot. Organisations must take their data security responsibilities seriously, reviewing and improving their security measures such as passwords, encryption and cloud security.

Comply and demonstrate it (The Accountability Principle)

The GDPR requires organisations to demonstrate that they comply with its principles and implement measures to ensure they can demonstrate this, for example by documenting processing activities, training staff, and using certification schemes such as Cyber Essentials.



8. What rights do data subjects have?

Data subjects are individuals who are the subject of personal data and they have 8 rights under the GDPR.


Access

An individual who makes a written request is entitled to be told whether or not any of their personal data is being processed and, if so, to receive a copy of their personal data along with certain information about the processing of it.


Rectification

An individual has the right to have inaccurate data rectified without undue delay.

Erasure (right to be forgotten)

Individuals will have the right to request that businesses delete their personal data in certain circumstances. However, this is not an absolute right and each case would be judged on its individual circumstance.

Restriction of processing

An individual has the right to obtain a restriction of processing in certain circumstances, for example where the accuracy of the personal data is contested, or where processing is unlawful and the individual opposes erasure and requests restriction instead.


Data portability

Individuals will have the right to obtain a copy of their personal data from the controller in a commonly-used format and have it transferred to another controller.

Object to processing

An individual has the right to object to processing on the basis of their particular situation, including profiling (online tracking and behavioural advertising, such as on Facebook).

Automated decision making, including profiling

Individuals have the right to object to significant decisions, including profiling, made solely by automated means (with a few exceptions). For example, automated decision making on credit card applications.


Compensation

Individuals have the right to claim compensation for damages caused by an infringement by the Data Controller or Data Processor.



9. What is a lawful basis for processing?

Businesses must have at least one valid lawful basis for a given data processing activity; otherwise it may constitute unlawful processing:

Contract

The processing is necessary in order to enter into or perform a contract with the data subject. For example, processing a customer’s name and address in order to deliver goods ordered.

Legal obligation

The processing is necessary to ensure the controller meets their legal obligations. For example, processing data on an employee’s right to work in the UK.

Vital interest

The processing is necessary in order to protect the vital interests of the data subject (this essentially applies in a “life or death” scenario).

Public interest

The processing is necessary for the performance of tasks carried out by a public authority. For example, local councils processing names and addresses to collect council tax.

Legitimate interest

The processing is necessary for the purposes of legitimate interests pursued by the Data Controller. For example, direct marketing to an existing customer promoting special offers.


Consent

Personal data may be processed on the basis that the data subject has consented to such processing.

Consent must be specific, written in clear and plain language and separate from other written matters. It can no longer be hidden in any small print, but must be clearly presented with no pre-ticked consent boxes. Organisations must keep evidence of the consent and special categories of data require additional explicit consent.



10. What constitutes a breach and what should you do?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. It could be caused for example by loss or theft of equipment, or a hacking attack.

Serious breaches (those which impact on the rights of the data subjects) must be reported immediately to the ICO within 24 hours where possible, but at least within 72 hours.



11. What are the penalties?

The GDPR allows fines of up to €20 million or 4% of annual turnover, whichever is higher. This is a maximum and the severity of any penalty will reflect how serious the breach is. Any enforcement action taken by the ICO would be reported on their website.

However, it is recognised that small businesses have fewer resources and pose less risk to data protection, so there may be more leniency by the ICO in relation to any non-compliance and the ICO would be likely to impose sanctions rather than penalties for any first offence. But a word of warning: if an organisation is contracting with a larger company that conducts large scale processing, it may also be subject to the harsher end of the GDPR’s regulation.

Another point to note is that both a Controller and Processor can be investigated by the ICO and fined.



12. Are there other financial risks?

If a data subject has suffered as a result of a data breach, they could make a claim against the data controller and the data processor directly. This could be in respect of material damage or non-material suffering such as distress.

Data processors also risk losing business and customers if they’re not compliant. This is because data controllers are required to ensure that data processors’ security measures and processes are GDPR compliant.


Hopefully, this article demonstrates the importance of understanding the key principles of the GDPR, its potential impact on your business and ultimately, the need for your business to be ready in time for ‘GDPR day’ – 25 May 2018.

If you’re interested in reading more from the ICO, see their Guide to the GDPR – Good Luck!

Coming in my next update: ‘Be Prepared’ – your ‘to-do’ lists, checklists and some practical steps to help you prepare for the changes ahead. (Click here to read the first article in the series)


Any reader interested in discussing GDPR further can call Maxine Guest on 01344 875 000 or email info@kirkrice.co.uk

Please note: information is provided for general guidance only and specific advice should be taken before acting on this information. Kirk Rice LLP is not a data protection specialist; if you require specialist advice you should contact a Data Protection specialist or a Solicitor. Please note that details may have changed since this article was published.