GDPR – the story so far

Written by Jason Groom
Originally published March 22 2017, April 10 2021

The new legislation creates an onus on companies to understand the risks they create for others, and to mitigate those risks.

In short, GDPR…

  • Is EU legislation that will be the legal framework for data protection across Europe, including the UK
  • Comes into force on 25 May 2018, and businesses will be accountable from day 1
  • Will significantly impact the way in which businesses hold, store and use personal data
  • Is more onerous than the Data Protection Act (DPA) and better reflects today’s world
  • Has an “accountability principle” that requires businesses to demonstrate compliance
  • Carries significant fines

Key principles are that an individual’s data is

  1. Processed lawfully, fairly and in a transparent manner
  2. Collected for specified, explicit and legitimate purposes
  3. Relevant and limited to what is necessary
  4. Accurate and up-to-date
  5. Kept in a form that permits identification for no longer than is necessary
  6. Processed securely

Some of the major implications

  1. Data processors and controllers – processors are now required to maintain records of personal data and processing activities and are significantly more liable if responsible for a breach.
  2. Consent - has to be freely given, specific, informed and unambiguous. It now requires “clear affirmative action” and so silence, pre-ticked boxes or inactivity do not count. It must be verifiable and can be withdrawn at any time.
  3. Rights - individuals have the right to be informed, of access, to rectification, to be forgotten, to restrict processing, to data portability, and to object to automated decisions or where profiling has occurred.
  4. Accountability - organisations must demonstrate compliance and businesses of 250+ people must keep additional records. In addition, certain types of organisations will have to have a Data Processing Officer.

What the ICO says

“The new legislation creates an onus on companies to understand the risks they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise! The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. Having the right mindset towards data protection helps to future proof a business.”

Need to know more?

We’re ISO 27001 certified and pride ourselves on being both data-savvy and data-compliant. But if you specifically want to read up more on GDPR itself, check out the ICO Guide or the DMA’s dedicated resource for GDPR-compliant marketing.

We’ve compiled a campaign GDPR checklist which you might like to use for each element of your direct marketing campaigns.
