A law firm which offers more

Call us: 0113 246 0622

Data protection Principles – GDPR Essentials – Personal Data and Processing


Welcome to the second instalment in our mini-series of blog posts on the General Data Protection Regulation.

The blogs provide background to the GPDR and include tips to help you make sure your business has robust data protection processes and procedures in place, which in turn will help ensure compliance with the Data Protection Act 1998 and the GDPR. In our last GDPR blog we summarised the essentials of the GDPR.

If Personal Data is stored in an Organised Filing System and is Processed by any organisation, the Data Protection Act 1998 and, from 25 May 2018, the GDPR will kick in.

What is “Personal Data”?

Data from which a living person (the data subject) can be identified including:

And so on…

What is an “Organised Filing System”?

What is “Processing”?

Processing means doing anything with the Personal Data, including:

If an organisation processes Personal Data, it must satisfy one of the grounds set out in the GDPR for doing so:


Has the data subject provided express, specific consent to the processing?  If so, the organisation is entitled to process that data subject’s personal data.

The next blog in this mini-series will discuss consent and the implications and requirements of the GDPR around consent in more detail.

Legitimate Interests

Does the organisation have a legitimate interest for processing the data subject’s personal data? In other words, would the data subject be surprised or upset about the data processing?

There are 2 key questions to consider:

  1. Does the organisation need to process the personal data for the purposes of its relationship with the data subject?
  2. Does the processing have a prejudicial effect on the rights, freedoms or legitimate interests of the data subject? 

Contract Performance

Is processing necessary to perform a contract with the data subject? For example, an online retailer needs to process a customer’s address and payment information to provide it with the products purchased. The data must be processed only to the extent necessary to fulfil the contract.

Legal Compliance

Is processing necessary to comply with a court order, a regulation or other legal requirement?

Vital Interests

Is processing the personal data a matter of life and death? This ground covers humanitarian crises such as tracking natural disasters or medical emergencies.

Public Interest

Is processing necessary for performing a task in the public interest or pursuant to an official authority? This ground covers, for example, a public authority investigating a crime.


Additional protections apply under the GDPR if data is processed in respect of children under the age of 16.

Special Categories of Data

If an organisation processes Special Categories of Data (“sensitive personal data” under the Data Protection Act 1998), it must satisfy additional criteria. Special Categories of Data includes religious and political views, sexual orientation, health and genetic data.

Find out more…

To find out more about how we can help you to prepare for the GDPR please visit our GDPR section or contact contact Matthew Hattersley or Florence Maxwell.

Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.