The GDPR defines ‘personal data’ as any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

Any organisation that processes the personal data of people in the EU must comply with the GDPR. “Processing” is a broad term that covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye colour, political affiliation, and so on. Even if an organisation is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies.

Data controllers are a person or organisation who (alone or with others) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A data controller can be the sole data controller or a joint data controller with another person or organisation. However, when services are provided directly by private hospital, voluntary hospitals, agencies or private contractors, the private hospital, voluntary hospital, agency or private contractor may be the data controller.

Data processors are those that processes personal data on behalf of the controller. This does not include an employee of the controller who processes data during the course of their employment. A data processor can be held liable if they are responsible for a data protection breach.

Processing in relation to personal data is any operation or set of operations performed on personal data including – collecting, recording, organising, structuring, erasing, destroying, altering, combining, disclosing or sharing the data.

• Lawful, Fair and Transparent: Personal Data processed lawfully, fairly and in a transparent manner in relation to individuals;
• Purpose Limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
• Data Minimisation: Personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• Accuracy: Personal data must be kept accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Storage Limitation: Personal Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
• Confidentiality and Integrity: Personal Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
• Accountability: The [Data] controller shall be responsible for, and be able to demonstrate compliance with the data protection principles

“Most of our database is made up of historical quotations or previous customers but under GDPR, just because they have gotten a quote from us or bought from us doesn't actually give us the right to use their data for marketing purposes. Is this correct?”.

Answer: When you originally sold, quoted or marketed products or services did you offer an opt-out at point of sale?

If the answer is yes, you may be able to rely on ‘soft opt-in’.

If you did not offer an ‘opt-out’ then you will need consent. If you cannot reference an affirmative opt-in or consent then you do not have the data subject’s permission, therefore you cannot send marketing emails.

Fig 1: Legitimate Interests Assessment

Remember, it’s PECR (Privacy and Electronic Communications Regulations) that regulates e-marketing NOT GDPR. Legitimate Interests IS NOT a lawful basis for electronic marketing under PECR.

Opt-in has to be specific, informed and freely given and if you are relying on the ‘soft opt-in’ you can only use it for marketing/promotion of your OWN products/services. So an opt-in is the cleanest way to start a new list.

See here some useful links in relation to PECR: Statutory Instrument 336 of 2011 (Ireland) and ICO (UK) Guide to PECR

The GDPR introduces direct obligations and potential liabilities on the Controller AND Processor. The GDPR requires a legally binding contract between the Data Controller and the Data Processor(s).

There are Compulsory details that must be included:

• The subject matter and duration of the processing;
• The nature and purpose of the processing;
• The type of personal data and the categories of data subject; and
• The obligations and rights of the controller

Compulsory terms:

• The processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
• The processor must ensure that people processing the data are subject to a duty of confidence;
• The processor must take appropriate measure to ensure the security of processing;
• The processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
• The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
• The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
• The processor must delete or return all personal data to the controller as requested at the end of the contract; and
• The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

• The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
• The purposes of your processing
• A description of the categories of individuals and categories of personal data
• The categories of recipients of personal data
• Details of your transfers to third countries including documenting the transfer mechanism safeguards in place
• Retention schedules
• A description of your technical and organisational security measures

Should we document anything else?

As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with the GDPR and the UK’s Data Protection Bill. Such documentation may include:

Information required for privacy notices, such as:

• The lawful basis for the processing
• The legitimate interests for the processing
• Individuals’ rights
• The existence of automated decision-making, including profiling
• The source of the personal data
• Records of consent
• Controller-processor contracts
• The location of personal data
• Data Protection Impact Assessment reports;
• Records of personal data breaches

Information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering:

• The condition for processing in the Data Protection Bill
• The lawful basis for the processing in the GDPR
• Your retention and erasure policy document