GDPR and Data Protection


Disclaimer: The information provided in these FAQs is for information purposes only. It should not be construed as, nor relied upon as, legal or regulatory advice. If you are unsure of your obligations under data protection law or have other specific questions you should seek independent legal advice. Please note the Information Commissioners Officer (ICO) is the UK regulatory authority for GDPR. You can visit their website at for their contact details and their full list of advice and resources.


What is the GDPR?

GDPR stands for The General Data Protection Regulation. It is a new, European-wide law and set of rules to protect individuals’ personal information.

What does it do?

In a nutshell, it places greater legal obligations on how organisations handle personal data.

The objectives of GDPR are to:

(1) protect individuals’ fundamental right to the protection of their personal data,

(2) allow personal data to move freely between EU Member States within GDPR’s legal framework.

There can be serious penalties for failing to comply with GDPR.

When does it come into effect?

It comes into effect on 25 May 2018 at which point it will replace the Data Protection Act 1998 in the UK.

What about Brexit?

Regardless of the EU referendum result, we are still currently members of the EU and therefore the GDPR will come into effect on 25 May 2018 as a matter of law. In addition, even after we leave, the UK Government will need to maintain data protection laws that are satisfactory to the EU if we are to avoid certain legal obstacles being imposed on the UK.  Basically, it’s the law unless and until the Government makes a different law.

Who is in charge of compliance with GDPR in the UK?

In the UK, the Information Commissioner's Office in the United Kingdom is the independent regulatory office dealing with GDPR. It is a public body which reports directly to Parliament.

The ICO’s website can be found at

The ICO publishes a number of resources to help you with compliance and we have linked to some of these in these FAQs.

We are a small organisation; can the ICO help us?

The ICO has a dedicated advice line aimed at people running small businesses or charities. To access the service dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support (details correct at time of drafting these FAQs).

What information does the GDPR apply to?

The GDPR applies to ‘personal data’. There is a more complex legal definition for this but basically it means:

  • any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to a specific piece or some pieces of information.

GDPR is designed to be technology neutral to avoid becoming obsolete. Its principles apply to personal data that is processed:

  • By automated means
  • By partly automated means
  • By manual means using a structured filing system (ie a paper filing system)

So it doesn’t matter if you keep your records on paper or computer; GDPR applies.

What does Process mean?

The definition of processing is extremely wide and essentially includes almost anything you could be doing with the personal data.

It is also very important to understand that you do not physically have to be carrying out an action for it to count as processing. Just storing personal data counts as processing within the scope of the GDPR. So just having personal data stored in your archive counts as processing.

In addition, be aware that erasing or destroying personal data also counts as processing, so you cannot just destroy old records in the hope of removing an existing problem.

What do they mean by an organisation? I am a sole trader. Does it apply to me?

The guidance frequently refers to what 'organisations' or 'businesses' need to do to ensure compliance. If you are employed by a company in the course of providing your services (i.e. you are under a proper contract of employment and are paid under PAYE) then it is your employer's responsibility to ensure compliance and they should be providing you with any relevant training that you need. These FAQs are not aimed at you if you are an employee and you should engage with your employer if you have any questions.

 If you are working on a self-employed basis, either as a sole trader or through your own Director owned limited company, then you will be responsible for your compliance with GDPR. These FAQs are intended to provide information to assist you in your compliance journey.

 Larger companies and corporate organisations are responsible for their own compliance with GDPR across all aspects of their corporate activities. They will have their own dedicated internal legal and compliance resources and these FAQs are not aimed at such larger entities.     



How can I prepare?

In addition to the helpline, set out in Part 1, the ICO has a lot of other resources that can be found at

As an example, the ICO has a self-assessment tool aimed at small or what the ICO calls micro businesses: Getting ready for the GDPR 

Remember, GDPR is an evolution of the existing law. If you are already complying with the  Data Protection Act 1998, and have effective processes in place to manage your personal data processing, then you should already have the foundations in place to comply with GDPR.

Sole trader or Limited Company?

 As a small business it is very important to understand the legal entity that is providing the services and processing the personal data. Lots of small businesses start off as an individual working as a sole trader, before that individual then goes on to start a small limited company.

 This is important as Dr Smith is a different legal entity from Dr Smith Ltd. It is therefore very important to ensure you understand your legal arrangements, especially if you used to trade as an individual and have since incorporated your own company.

 One of the easiest ways to work this out will be from your invoices. If you are invoicing from the limited company, then it is supplying the services and it should be the limited company that is processing the data.

 If you are not clear of the basis upon which you are contracting with organisations and supplying services then you should investigate this urgently and if necessary take legal advice to ensure your contractual arrangements are in order. This goes beyond GDPR. If this hasn't been clarified then you may find this impacts on other important areas, for example if you hold in professional indemnity insurance have you taken out the policy in the name of the correct legal entity?

Are we a Controller or a Processor? Can we be both?

 GDPR splits organisations into 2 main categories for GDPR purposes. These are Controllers and Processors. You need to work out which one you are in order to understand your compliance obligations.

Controller -    A controller determines the purposes and means of processing personal data. As a Controller you are responsible for ensuring compliance with all elements of GDPR in respect of the personal data.

Processor -     A processor is responsible for processing personal data on behalf of a controller. As a simple example, your accountant or a payroll company could hold or process personal information to perform an action on behalf of your business. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

Remember, professionals holding their own client records, such as doctors, lawyers etc, are normally Controllers. If you are a controller, you cannot get around your obligations by using a processor (for example, by outsourcing your electronic record storage to an IT company and keeping the personal data on one of their servers, or getting your website provider to collect personal data about visitors to the site). Where you use a processor, such as an IT company or other subcontractor to whom you give access to the personal data, GDPR imposes legal obligations on you regarding the contracts you have with those processors. Basically, you still have to ensure that both your contract with the processor, and what your processor actually does, comply with GDPR. You should take legal advice if you have any doubts about your compliance in this area.Where you use a processor GDPR imposes legal obligations on you regarding the contracts you have with those processors. You should take legal advice if you have any document about your compliance in this area.

As a processor, whilst you are responsible for complying with the specific legal obligations placed upon you, you should be engaging with your Controller to ensure that the relationship between you complies with GDPR. If you believe you are working as a Processor for a Controller, and that Controller has not in any way contacted you about compliance with GDPR then you should address this urgently and take legal advice if you are not sure what to do.  Remember , it is possible to be a Controller in respect of some activities that you perform, and a processor when doing others. To use the simple example of a payroll company again, the payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies. It is a question of fact, and the onus is on you to audit your arrangements, understand the relationship, and take the required compliance steps.

My organisation has fewer than 250 people. Are we exempt from GDPR?

There has been some confusion on this point due to certain technical differences in processes that apply to smaller companies.

The reality is that if you process personal data, you have to comply with the GDPR regardless of your size.

What is a Privacy Notice?

GDPR asks for transparency in what we are planning to do with people’s data and that we are honest and tell people what will happen to their data.

A privacy notice is a document that sets out the information about how an organisation processes data. See the Patoss Privacy Notice for an example of how we approach this. For specialist teachers/assessors, this would need to cover things such as what personal data we hold, how we use it and store it, if we share it who we share it with and why, how we gain consent to hold the data, and how and when we dispose of it.

Privacy statements checklist

What to include

  • Controllers name (This is your name or your business name)
  • What personal data you are asking for.
  • What the reason is you are collecting the data, e.g. what are you going to use it for?
  • Is there a chance you may share their data?
  • Who you might share it with and for what lawful purpose
  • How you will store their data. 
  • How long you will store their data. (Be clear the time frame is from when support ends, and for children from when they turn 18). The main reason you’re keeping adequate records after the client has finished sessions is because there is a legal amount of time they can take legal action. Note the defence of legal claims is a lawful reason to not destroy records. Though still keep only for the time necessary.
  • Disposal - How you will dispose of the stored data.
  • Who to contact for more information

Your privacy notice should be introduced at the point of collecting any data, so make sure you incorporate it clearly into your normal communication processes with the individual.

Assessing my legitimate basis for processing? Do I always need consent?

No. Data Protection law says that we are allowed to process personal information only if we have a proper reason to do so. This includes sharing it outside our own organisation Consent is one lawful basis for processing, but there are others.

In the context of what we do, the law says we must have one or more of these reasons to process personal data:

  • To fulfil a contract we have with the individual, or
  • When it is our legal duty, or
  • When it is in our legitimate interest, or
  • When the individual consents to it.

You are responsible for identifying a lawful basis for processing under the GDPR.

Legitimate Interest as a basis for processing

The basis for most of our members who work as independent specialist teachers or assessors is likely to be the fulfilment of a contract. However, even though consent is not required you must tell your clients/learners what information you are collecting and how you will use it. This is why notifying individuals of your Privacy Notice must be a key part of your communication.

Legitimate Interest Assessment:

  1. Purpose: What is our legitimate interest?
  2. Necessity: Why do we need to process personal data to achieve it?
  3. Balancing of interests: Do the individual’s interests override the legitimate interest?

Remember, there is not a one size fits all approach. In the course of dealing with an individual there may be both a legitimate interest to permit processing, but also something else for which consent is required.

You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.

The ICO has also published guidance on this:   

Processing Special Categories of Personal Data

There are additional requirements for processing special categories of personal data. Whilst there are a number of different elements that are defined as special categories of personal data, most likely to arise will be information concerning the health of the individual.

 GDPR states that processing of such special category data is forbidden unless one of 12 potential categories is met. The majority of these would not apply to the activities we carry out, however the two most relevant seem to be:

  •  They have given their explicit consent
  • Processing is necessary to protect the vital interests of the individual were they are physically or legally incapable of giving consent

If you are going to be processing special categories of personal data, such as data concerning the health of the individual, you therefore need to exercise extra caution and make sure that the additional requirements for processing it are met. Because of the increased risk associated with processing such data you should consider seeking legal advice to ensure that your business is fully aware of the obligations placed upon it.

Data Retention – what should I keep and for how long

You need to decide what information is “adequate, relevant and not excessive”.

What constitutes adequate records is open to interpretation and the onus is on you to ensure compliance. Remember the GDPR requires that:

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Records would include:

  • Client name
  • Date of birth
  • Start date of sessions
  • End date of sessions
  • Number of sessions completed
  • Main presenting issues or assessment findings
  • Any specific interventions etc

If you keep support and assessment notes, they would fall under this category.

Do you keep all your clients contact information too?

Ask why would you need to, and if so for how long? What would be the legitimate reason? You most likely don’t need their mobile number to ring them, as you won’t be contacting them once finished. The number was taken for contact while they were a client. Any use of their number beyond that would not be for the reason it was collected.

So no longer than necessary would often be the length of time for legal action, unless there is another regulatory reason that you are required to retain it for a longer period.

Ask yourself, if you are beyond the period for keeping business records, or the period within which legal action could be taken, what would be your legitimate reason for keeping the records?

Remember, whatever position you decide upon based on the facts of your organisation and your processing activities, you should make sure that your Privacy Notice clearly sets it out.

Should I put a Data Protection statement in my diagnostic assessment reports under the GDPR?

As a matter of good practise, you should consider putting Private and Confidential on diagnostic assessment reports that you write. In addition, you should consider whether the assessment contains health data and is therefore special category data, and subject to additional protection. In such circumstances it may be wise to consider inserting a statement to the effect that ‘This report is private and confidential and will not be shared with third parties without your explicit consent’.

I want to know more about the rules on security under the GDPR

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

We cannot advise you on technical matters such as this as it depends on the sort of systems and processes that your business uses as well as the type of data that it holds. You should seek advice from an appropriate professional regarding the security of different systems. The ICO also publishes guidance on this in its guide to the GDPR

Where do you store the personal information you hold and what do you do to protect it?

These are questions you must answer for yourself through an audit of your records. There are a range of considerations you can look at which were highlighted in the Professional Practice Update presentation on GDPR from our 2018 Annual Conference. This is available to download from our website. Professional Practice Update presentation on GDPR

Do I or my organisation need to register under the GDPR?

The ICO’s advice is that:

“if you needed to register with the ICO under the Data Protection Act 1998, then you will probably need to register, and pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.”

The ICO also advises that:

“This doesn’t mean that everyone has to re-register and pay the new fee on [25 May 2018]. Data controllers who have a current registration (or notification) under the 1998 Act, do not have to re-register or pay the new fee until that registration has expired.”

If you are unsure as to whether you should be registered with the ICO, If you are not sure if you need to register with the ICO you can complete the ICO registration self-assessment.

Some templates and documents you might find useful:

GDPR Presentation from Patoss 2018 Annual Conference 

Sample GDPR Data Audit template  

GDPR –privacy notice toolkit for specialist teachers and assessors

Patoss Privacy Notice