Admin & Compliance Training

GDPR and Data Handling Basics

Practical GDPR awareness for business teams — personal data definitions, lawful basis, employee data rules, subject access requests, and breach reporting basics.

Outcome: Staff make correct data handling decisions in everyday work without needing to consult legal each time.

1. Personal data in a business context

In everyday business operations, personal data appears constantly: client contact lists, employee records, prospect databases, meeting notes that mention individuals, support tickets, and form submissions. The key question to ask when you encounter data is: "Could this information identify a living person?" If yes, GDPR applies to how you store, access, share, and delete it.

2. Lawful basis for common business tasks

For most client-facing work, the lawful basis is contract — you need the data to deliver what you've agreed to. For marketing to prospects, legitimate interest or consent applies depending on the channel and relationship. For employee data, a mix of contract and legal obligation typically covers payroll, tax, and employment records. If you're creating a new process that involves collecting or using personal data, check the lawful basis before starting — not after.

3. Practical data minimisation

Data minimisation means only collecting and keeping what you actually need. Before adding a field to a form, ask whether you'll genuinely use the data. Before copying a data set for analysis, ask whether the analysis requires all the columns. Before retaining records past a job completion, check the retention policy. Holding data you don't need is a liability: it increases your exposure in a breach and your obligations under a subject access request (SAR).

4. Breach reporting basics

If you discover or suspect a data breach — accidental disclosure, lost device, wrong email recipient, unauthorised system access — report it to your data protection contact or line manager immediately. Don't wait to assess the severity yourself. The 72-hour reporting window to the ICO runs from when your organisation becomes aware, not from when you personally decided it was serious. Speed matters.

Portal completion

Assigned users complete this module, assessments, acknowledgements and evidence requirements inside the Lumio-Tek Portal.
