General Data Protection Regulation

25 April 2018

Are you ready?


What is the General Data Protection Regulation?

The increased pace of technological development and globalisation has brought new challenges for the protection of personal data. GDPR has been introduced to reflect the changes in technology since the Data Protection Act was introduced.

This article is provided for information purposes and is general and educational in nature. Nothing in this article constitutes legal advice. You are free to choose whether or not to use it and it should not be considered a substitute for seeking professional legal help in specific circumstances.


The Information Commissioner’s Office (ICO) has issued a raft of guidance on which firms can base their preparations, and further guidance following the consent consultation can be expected shortly.

In a nutshell, organisations need to keep records of the personal data that they hold or process, keep records of how and when consent was given and what the individual was told, show where the data is going and what it is being used for, and protect the data they hold.

GDPR has six key principles, set out in Article 5 of the GDPR and summarised in the ICO’s guidance, as follows:
“Article 5 of the GDPR requires that personal data shall be:
  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

These six principles are underpinned by Article 5(2), referred to as the accountability principle, which “requires that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Businesses need to have a clear understanding of what ‘affirmative consent’ means so that they can ensure their marketing activities are GDPR compliant: they will need to be able to demonstrate that they have ‘affirmative consent’ for each and every one of their new business prospects, whether personal or commercial.

GDPR comes into effect on 25 May 2018.
There are a few key steps you should be taking now:
  • You need to make sure that decision makers and key people in your organisation are aware that the law is changing. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under GDPR.
  • It would be useful to start looking at your organisation’s risk register, if you have one.
  • Implementing GDPR could have significant resource implications, especially for larger and more complex organisations.
  • You should raise awareness of the changes that are coming and not leave preparations until the last minute.
  • Consider employee awareness training. RWA’s ‘My Development Zone’ is a useful online learning platform with a full GDPR pathway that employees can undertake. 
For more details on the accountability principle and what is required, please visit:
If you would like further support to strength-test your GDPR compliance, RWA can also assist you with an initial health check and with further high-level process implementation support.
GDPR is a compulsory requirement for any business handling personal data which relates to living EU citizens. To clarify, GDPR documentation refers to ‘personal data’ as being “any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier [email, IP address, mobile device ID, etc.] or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”1
Understanding how the GDPR defines ‘personal data’ is vital for every business. For example, a business email address that contains an individual’s name meets the definition of personal data, because it identifies that individual. As such, a business will need to understand on what lawful basis it is processing this data.
Further, how will businesses approach ‘consent’ should an existing client not renew their business? Traditionally, the broker will view this ‘lost’ client as a new prospect for the future. But how will they ensure they have ‘affirmative consent’ to continue to market their services to a client they no longer hold?
GDPR is a golden opportunity to review the information you hold and embed solid GDPR policies and procedures. If done correctly, these changes will not only ensure that your business is compliant, but they also have the capacity to deliver commercial gains for your business.