Understanding GDPR

So what is GDPR all about? Jonathan Richmond, Associate Director at insight driven marketing agency, Response One, explains all.

The idea of protecting peoples’ personal data is not a new one. Both the 1998 Data Protection Act (DPA) and the 2003 Privacy Act look to do just this. However, with the explosion of digital technology a new set of data protection rules were needed – cue the General Data Protection Regulation Rules.

They mark a complete step change in data governance and although it is being introduced to cover the digital economy, GDPR will also apply to paper based systems. It is not just about consumer data either, employee data is covered, as is anything that is seen as personal data.

Data processing

GDPR requires that data be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

By far the most important of these from a marketing perspective is the second bullet point. Businesses have been gathering as much customer data as possible, at any opportunity and through often opaque practices for a long time (register to download, create an account etc.). Now, organisations will have to clearly state that they want data in order to undertake specific marketing as well as be clear about when and through which channels they will communicate. Finally, businesses won’t be able to use personally identifiable data to profile or segment customers without their specific authority.

On a corporate level, the most important is probably the last bullet point. Breaches of personal data security that would have cost an organisation £100k might now end up costing many millions if businesses don’t comply and prove that they are doing so. C-level executives and those with system responsibility, particularly in this age of The Cloud, would probably consider this the most challenging aspect.

Importantly, GDPR also requires that

“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Meaning that it is not enough for organisations to simply comply, they must actively demonstrate this.


Our current ‘‘Ask the Experts’ GDPR report has been produced in partnership with one of our Group Companies Response One and one of our Partner organisations MyLife Digital.

Talk to us if you want to learn more. 

Back to Insights

Bench Newsletter

Register here to receive the latest Newsletter