Clarkslegal LLP - Solicitors in Reading and London

Data Protection

GDPR - Question of the week

12th February 2018

Does the GDPR apply only to EU nationals?

No.  The GDPR will apply to all data controllers and processors established in the EU. It also applies to some non-EU business insofar as they either offer goods or services to data subjects in the EU (irrespective of whether payment is received) or monitor data subjects' behaviour insofar as their behaviour takes place within the EU.  Therefore even if the individuals are not European, if the organisation is based in the EU and/or processes data in the EU, the GDPR will apply.

5th February 2018

Will the GDPR also apply if the data is pseudonymised, or anonymised?

Pseudonymised data is still considered personal data under the GDPR, and the additional information used to pseudonymise must be kept separate, and be subject to technical and organisational measures which ensure the original individual the data is attributable to cannot be identified. Anonymised data is the only exempted type of personal data within the GDPR’s scope.

29th January 2018

Will the GDPR apply after Brexit?

The Government has announced that it intends to remain bound by the provisions of the GDPR even after Brexit.  With this in mind, the Data Protection Bill is currently working its way through Parliament so that there will be national law reflecting the GDPR (and expanding on this). 


22nd January 2018

Is data protection an IT or HR issue?

Data protection and preparing for the GDPR in general is more than an issue for a single department. While HR may process a lot of personal data in their day to day activities and IT teams will be responsible for the security of data stored online, you will need input from across the business (including IT, HR and Legal) to ensure GDPR compliance.

We recommend that you allocate a team to be responsible for preparing for the GDPR from a wide range of sectors in your business. This committee can then allocate the required tasks to ensure all elements are covered.


15th January 2018

Can we rely on consent when the GDPR comes in?

Yes, although your existing consents may need to be updated. Under the GDPR consent will need to be a clear affirmative action. Pre-ticked boxes will not suffice and the consent forms need to make it clear what may happen to the individuals’ data. The consent needs to be set out in clear and plain language. If relying on consent, you must keep a record of the consent.

In addition, under the GDPR, it must be as easy for an individual to retract their consent as it is to give the consent. We recommend you set out in the consent notices how an individual can retract their consent.

In employment contracts, consent is unlikely to be a legitimate ground for processing, due to the imbalance of power between the parties.

Although consent will be harder to rely on under the GDPR there are various other grounds of lawful processing which you may want to consider, such as processing being required for an organisation’s “legitimate interests” or processing being necessary for an obligation under employment law. Again, such grounds for processing should be documented.

8th January  2018

Does the GDPR apply only to EU nationals?

No.  The GDPR will apply to all data controllers and processors established in the EU. It also applies to some non-EU business insofar as they either offer goods or services to data subjects in the EU (irrespective of whether payment is received) or monitor data subjects' behaviour insofar as their behaviour takes place within the EU.  Therefore even if the individuals are not European, if the organisation is based in the EU and/or processes data in the EU, the GDPR will apply.