London – 020 305 68855         Cornwall – 01726 247047


Frequently Asked Questions

GDPR stands for the General Data Protection Regulation.  It was introduced to protect personal data and the rights of individuals as well as to ease the flow of personal data across the 28 EU member states.

The Regulation came into effect on the 25th May 2018 and brought significant changes to data protection law.  At the same time, the government passed the Data Protection Act 2018.

Brexit will have no effect on the GDPR as it was enshrined into UK law with the Data Protection Act 2018.

Any organisation which processes and holds the personal data of data subjects residing in the EU must comply with the GDPR. 

The Regulation will come into effect on the 25th May 2018 and will bring significant changes to data protection law.

Rules for obtaining valid consent to use personal information will become much tougher when the GDPR comes into force. Therefore, companies must ensure that consent is clear, affirmative, and in plain language. Companies must also make it easy for data subjects to withdraw consent if they wish to do so.

According to the Information Commissioner’s Office (ICO), organisations are expected to:

“….. put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”


The Regulation came into effect on the 25th May 2018 and brought significant changes to data protection law.  It applies to all personal data

Personal data  means any information relating to an indentified or identifiable natural personal (“data subject”); an indentifiable natural person is who can be identified , directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

The GDPR states that personal data must be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected only for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and kept up to date
  • Held only for the absolute time necessary and no longer
  • Processed in a manner that ensures appropriate security of the personal data

All of your policies and processes must reflect these principles.  We can draft all of your policies and processes and train you and your staff.

The GDPR have introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed. An organisation must self-report breaches to the ICO within 72 hours of the breach.

The maximum fine a company can face is 4% of their annual global turnover, or €20 million, whichever is the highest.

Less serious violations, such as having improper records, or failing to notify of any breaches, can be fined a maximum of 2% of their annual global turnover, or €10 million.

It is not necessarily compulsory for all organisations to appoint a DPO as this will be dependent upon a number of factors.  According to the ICO, a company should appoint a DPO if they:

  • are a public authority (with the exception of courts acting in their judicial capacity)
  • carry out large scale systematic monitoring of individuals, such as, online behaviour tracking; or
  • carry out large scale processing of special categories of data (eg. health) or data relating to ciminal convictions and offences

The EU’s Working Party 29 has stated that a DPO must be an expert in data protection law and must not be senior management, Head of IT, Head of HR or any post that has anything to do with the processing of data. The DPO must be objective and report to board level.

Typically organisation that will require a DPO include health care providers (doctors, dentists, chiropractors, physiotherapists etc) insurance companies, private security companies, marketing companies, charities etc.

Any organisation is able to appoint a DPO if they wish to do so. However, even if a company chooses not to appoint a DPO because the above doesn’t apply to them, they must still ensure that they have sufficient staff and skills in place to be able to carry out their obligations under the GDPR.

We can act as your DPO for as little as one hour a month.


There are eight fundamental rights of individuals under GDPR. Your organisation’s data protection governance will need to encompass these rights. The rights are:

  • The right to be informed – Organisations must be completely transparent in how they are using personal data.
  • The right of access – Individuals will have the right to know exactly what information is held about them and how it is processed.
  •  The right of rectification – Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to having their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
  • The right to restrict processing – Refers to an individual’s right to block or supress processing of their personal data.
  • The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
  • The right to object – In certain circumstances, individuals are entitled to object to their personal data being used. This includes, if a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
  • Rights of automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.  Both will be liable if the processor has a data breach.  Controllers will not be permitted to contract with processors who are not GDPR compliant, come next May.

The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.  Explicit consent is required only for processing special categories of personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

Accountability is of primary importance under the GDPR.  You must be able to provide evidence that your organisation is compliant so a range of policies and processes are required, along with IT security.

Yes you can but you should have an expert knowledge of data protection law and General Data Protection Regulation information. We can do a data protection audit, write all of your policies and train your staff. We can also act as your DPO for as little as one hour a month. Leaving your data protection to us will allow you to concentrate on your business.


Sapphire Consulting Group Ltd is a limited company registered in England and Wales.

Registration number: 10427754. Registered office: Central Point, Beech Street, London EC2Y 8AD.

VAT Registration number: 285986235