UK GDPR & Data Protection Policy
How InFynd processes data lawfully, fairly, and transparently, and how we help our clients stay compliant.
Last updated: January 2025
What is the UK GDPR?
The General Data Protection Regulation (GDPR) was introduced across the European Union in May 2018 to harmonise data protection law across Europe and give greater protection and rights to individuals.
Following the United Kingdom's exit from the European Union, a UK version of the GDPR was drafted and passed into law. The UK GDPR came into effect on 1 January 2021.
Accountability
Accountability is a cornerstone of the UK GDPR and must be applied across the board by organisations. Organisations should be asking themselves:
- What data do we hold?
- Where is it stored?
- Do we have sufficient security to protect it?
- Do we have a lawful basis to process it?
Unlike the Data Protection Act 1998, the GDPR has an international reach. Organisations outside of the UK or EU that handle data relating to UK or EU citizens must comply with GDPR. Both data controllers and data processors are subject to accountability obligations.
Consent
Consent under the UK GDPR requires a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes, or inactivity.
Best practice is to use a double opt-in process for email marketing, where users receive an email to confirm their subscription.
Right to be Forgotten
Individuals can request deletion of personal data where:
- It is no longer necessary for the purpose it was collected, or
- They withdraw consent.
There are exemptions, such as where processing is necessary for legal claims or compliance with a legal obligation.
Data Protection Officers (DPOs)
Some organisations are required to appoint a Data Protection Officer if:
- You carry out large-scale systematic monitoring of individuals, or
- You process special categories of data on a large scale.
The DPO is responsible for ensuring the organisation complies with GDPR and liaises with the ICO.
Breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Examples include:
- A marketing list being sent to the wrong person
- Loss of unencrypted USB drives
- Hacking of databases
Reportable
Customer payment details accessed by hackers (risk of identity theft).
Non-reportable
Employee emergency contact details accidentally deleted (low risk).
If a breach is likely to result in a risk to individuals' rights and freedoms, it must be reported to the ICO.
Penalties
Under the GDPR, organisations can face significant fines:
- Up to €10 million or 2% of annual global turnover (less serious infringements)
- Up to €20 million or 4% of annual global turnover (serious infringements)
This is much higher than the previous maximum under the Data Protection Act 1998.
InFynd's Position
At InFynd, we support our clients by ensuring data is processed lawfully, fairly, and transparently. We use two main bases for processing:
1. Legitimate Interest
- Allows B2B marketing without prior consent, provided it does not override the rights of the data subject
- Operates on an opt-out basis
- Requires careful segmentation and relevance
2. Consent
- Must be freely given, specific, informed, and unambiguous
- Cannot rely on pre-ticked boxes or inactivity
- Applies particularly to B2C and sole traders
Customers' Responsibilities
Purchasing data from InFynd does not make an organisation automatically compliant. Customers must:
- Ensure their use of the data is lawful under GDPR and PECR
- Provide clear and simple unsubscribe mechanisms
- Suppress existing customers or opted-out contacts
- Screen telephone numbers against TPS and CTPS within 28 days of calling
InFynd screens data against TPS and CTPS at the point of delivery, but ongoing responsibility lies with the customer. We also provide tools such as the Data Validation Tool to help maintain compliance.
Contact
If you wish to opt out or have queries regarding our compliance, please contact:
contact@infynd.com