GDPR

Last Updated : 01 September 2024

UK GDPR & Data Protection Policy

What is the UK GDPR?

The General Data Protection Regulation (GDPR) was introduced across the European Union in May 2018. The legislation was intended to harmonise data protection law across Europe, and give greater protection and rights to individuals.

Following the United Kingdom’s exit from the European Union, a UK version of the GDPR has been drafted and passed into law. The UK GDPR came into effect on 1 January 2021.

Accountability

Accountability is a cornerstone of the UK GDPR and must be applied across the board by organisations.

Organisations should be asking themselves questions such as:

  • What data do we hold?
  • Where is it stored?
  • Do we have sufficient security to protect it?
  • Do we have a lawful basis to process it?

This demonstrates that the organisation has complied with the UK GDPR and can prove this.

Unlike the Data Protection Act 1998, the GDPR has an international reach. Organisations outside of the UK or EU that handle data relating to UK or EU citizens must comply with GDPR.

Both data controllers and data processors are subject to accountability obligations.

Consent

Consent under the UK GDPR requires a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes, or inactivity.

Best practice is to use a double opt-in process for email marketing, where users receive an email to confirm their subscription.

Right to be Forgotten

Individuals can request deletion of personal data where:

  • It is no longer necessary for the purpose it was collected, or
  • They withdraw consent.

There are exemptions, such as where processing is necessary for legal claims or compliance with a legal obligation.

Data Protection Officers (DPOs)

Some organisations are required to appoint a Data Protection Officer (DPO). This applies if:

  • You carry out large-scale systematic monitoring of individuals, or
  • You process special categories of data on a large scale.

The DPO is responsible for ensuring the organisation complies with GDPR and liaises with the ICO.

Breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Examples:

  • A marketing list being sent to the wrong person
  • Loss of unencrypted USB drives
  • Hacking of databases

Not all breaches need to be reported.

  • Reportable breach: customer payment details accessed by hackers (risk of identity theft)
  • Non-reportable breach: employee emergency contact details accidentally deleted (low risk)

If a breach is likely to result in a risk to individuals’ rights and freedoms, it must be reported to the ICO.

Penalties

Under the GDPR, organisations can face significant fines:

  • Up to €10 million or 2% of annual global turnover (less serious infringements)
  • Up to €20 million or 4% of annual global turnover (serious infringements)

This is much higher than the previous maximum under the Data Protection Act 1998.

InFynd’s Position

At InFynd, we support our clients by ensuring data is processed lawfully, fairly, and transparently.

We use two main bases for processing:

1. Legitimate Interest

  • Allows B2B marketing without prior consent, provided it does not override the rights of the data subject
  • Operates on an opt-out basis
  • Requires careful segmentation and relevance

2. Consent

  • Must be freely given, specific, informed, and unambiguous
  • Cannot rely on pre-ticked boxes or inactivity
  • Applies particularly to B2C and sole traders, where consent is required

Customers’ Responsibilities

Purchasing data from InFynd does not make an organisation automatically compliant. Customers must:

  • Ensure their use of the data is lawful under GDPR and PECR
  • Provide clear and simple unsubscribe mechanisms
  • Suppress existing customers or opted-out contacts
  • Screen telephone numbers against TPS and CTPS within 28 days of calling

InFynd screens data against TPS and CTPS at the point of delivery, but ongoing responsibility lies with the customer.

We also provide tools such as the Data Validation Tool to help maintain compliance.

Contact

If you wish to opt out or have queries regarding our compliance, please contact:

📧 contact@infynd.com

Useful Links

Talk to an expert
Custom B2B Contact Lists
Email Campaign Management
AI Powered Outreach
Cold Email Automation
Lead Scoring and Segmentation
Marketing Funnel Setup
Healthcare Data
Multi-Touch Campaigns
Social Media Automation