0800 458 0146

GDPR in a nutshell

Here is the full guide:


Disclaimer – This is a  short summary and is not intended to replace the full guide.  Each Organisation must assess GDPR and how their circumstances apply.  We recommend undertaking training or seeking professional advice if in doubt after assessing the full guide.

What is personal data:

personal data”  shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The definition is – deliberately – a very broad one.  In principle, it covers any information that relates to an identifiable, living individual.  However, it needs to be borne in mind that data may become personal from information that could likely come into the possession of a data controller.

There are different ways in which an individual can be considered ‘identifiable’.  A person’s full name is an obvious likely identifier.  But a person can also be identifiable from other information, including a combination of identification elements such as physical characteristics, pseudonyms occupation, address etc…

In a Nutshell

  1. To be allowed to contact customers going forward (Let existing contacts know about your new policy and how to access it, you can continue to contact them) {see below}

New clients must opt in by ticking the opt-in box themselves.  Correspondence must have an easy unsubscribe ability. {see below}

  1. Set a time scale for when customer data will no longer be processed and destroyed.
  2. Allow a customer to be forgotten –delete their data if requested (can be verbally or by email). {see below} (Rare exceptions)
  3. You must allow people to correct errors in their data.
  4. Tell your customers clearly what you do with their data and how long it will be kept.
  5. Keep your contacts data safe – in certain circumstances, you have the obligation to report if someone’s data may have been viewed by an unintended (unauthorized) person/organisation.


A little more information


  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Explicit consent requires a very clear and specific statement of consent
  • Keep your consent requests separate from other terms and conditions.
  • Name any third party controllers who will rely on the consent.
  • Make it easy for people to withdraw consent and tell them how.

Using data without explicit consent:

to process someone’s personal data without explicit consent: {see full guide}

  • to fulfil your contractual obligations to them; or
  • because they have asked you to do something before entering into a contract (eg provide a quote)
  • The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply.

Right to be forgotten:

  • The GDPR introduces a right for individuals to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’.
  • Individuals can make a request for erasure verbally or in writing.
  • You have one month to respond to a request.

Right to be informed:

  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

And finally, the comprehensive guide to fully assess your own situation.

Disclaimer – This short summary and not intended to replace the full guide.  Each Organisation must assess GDPR and how their circumstances apply.  We recommend undertaking training or seeking professional advice if in doubt after assessing the full guide.

More information: