top of page

You are currently visiting Trowbridge Global Tax LLP


Trowbridge Global Tax

The UK GDPR includes a number of data protection principles that set out the main responsibilities of organizations. These principles are similar to those in the DPA, but with some added detail. A key change is that the UK GDPR introduces a new principle of accountability. This requires organizations to actively show how they comply with data protection principles, for example by:

  • Having effective policies and procedures in place

  • Providing comprehensive, clear, and transparent privacy policies (see below)

  • Appointing a data protection officer (DPO) where appropriate.

  • Implementing technical and organizational measures to show that they have considered and integrated data protection into their processing activities (referred to as data protection by design and default)

  • Carrying out data protection impact assessments (also known as privacy impact assessments) in certain high-risk circumstance

Other important new measures and changes introduced by the UK GDPR include:


Lawful bases for processing personal data

Under the UK GDPR, organizations have to identify and document their lawful basis for processing data. The lawful bases are similar to those previously referred to under the DPA as conditions for processing and include the consent of the data subject and where processing is necessary for the performance of a contract. Identifying lawful basis has increased focus under the UK GDPR when compared to the DPA: the basis has to be included in the organization’s privacy notice (i.e. the information given to an individual when the organization is collecting their data). It can affect the rights which individuals have.



The UK GDPR tightens the rules around consent given by data subjects:

  • Consent must be specific, informed, unambiguous, and given freely.

  • There must be a positive opt-in – consent cannot be inferred from silence, inactivity or pre ticked boxes

  • All requests for consent must be separate from other terms and conditions It must be as easy for individuals to withdraw consent as it is to provide it.

Individuals generally have more rights (see below) where an organization relies on consent as a lawful basis. Existing consents will only be accepted under the UK GDPR if they meet these new, stricter requirements.

Transfer of data

The UK GDPR imposes a prohibition on the transfer of personal data outside of the UK, other than to European Economic Area (EEA) countries or those that meet the UK "adequacy decision" requirements. These additional countries are Andorra, Argentina, Canada (partial), Faroe Islands, Gibraltar, Guernsey, Iceland, Isle of Man, Israel, Japan, Jersey, Liechtenstein, New Zealand, Norway, Switzerland, and Uruguay. Transfers to other countries may also be made where derogations apply, such as with the individual’s informed consent to the transfer or that it is necessary for the performance of a contract. However, the derogations should only be used in exceptional circumstances (e.g. for one-off transfers) unless adequate Standard Contractual Clauses are in place with the relevant organization.

Data breaches

Organizations must notify the Information Commissioner’s Office (ICO) within 72 hours of any personal data breach which is likely to result in a risk to the rights and freedoms of individuals. Individuals also need to be informed directly and without undue delay if there is likely to be a high risk to their rights and freedoms as a result of a breach.

Representation for Data Subjects in the EU

Companies without an entity, branch or another establishment in EU are required to appoint an EU representative according to Art. 27 of GDPR where services are provided to EU based individuals. We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact within the EU. Prighter gives our clients an easy way to exercise their privacy-related rights (e.g. requests to access or erase personal data).

If you want to contact us via our representative Prighter or make use of your data subject rights, please contact us or click here

bottom of page