GDPR FAQs

Does data protection legislation apply to B2B?

Yes. Business personal data is still personal data and needs a lawful basis for processing and appropriate security measures to protect it, as well as a cradle to grave approach for information assurance and records management. 

Do I need to register and pay a fee to the ICO?

Probably yes, but there are some exemptions. There are three tiers of fees, £40, £60 and £2,900. Most organisations and sole traders will fall into Tier 1 and Tier 2. The fine for non-payment is £4,000.

My Privacy Notice forms part of my T&Cs and people need to agree to it, don’t they?

No. A Privacy Notice never forms part of any T&Cs, and it is never agreed to/consented to or otherwise. See my blog post here and get in touch if you would like me to review and feedback.

Have a question for the experts at Garden City Assurance?

Is Cookie data personal data?

Cookies, beacons, trackers (including social media widgets) on websites and in emails fall under PECR 2003, and any of these technologies that are not classed as Strictly Necessary need a persons consent before they are dropped onto a device. That law has been around since the update to PECR in 2009. ’Strictly Necessary’ is something that would cause the site to break if it were not used. Marketing and tracking cookies aren’t essential, regardless of how much your marketing team tell you they are.

Is Consent always needed to process personal data? 

Not at all. There are six lawful bases for processing non-sensitive personal data, Consent is just one. Given that it must be as easy to withdraw consent as it is to give it, can you imagine trying to withdraw your consent with HMRC? The other 5 lawful bases are: Contract, Legal Obligation, Vital Interests (life and death), Public task, Legitimate Interests.

Are all these GDPR and PECR requirements new legislation?

Not entirely. There are a few new areas such as the right to data portability and a few others, but the requirements aren’t so dissimilar to the DPA98. Rights were strengthened and timescales for Rights fulfilment were shortened to one month from 40 days amongst other changes. If you were processing personal data correctly under the old legislation, the chances are you didn’t need to do too much when GDPR and DPA18 came in apart from document things to evidence your accountability.

Need help with GDPR
or other compliance issues?

Scroll to Top