The General Data Protection Regulation (GDPR) is the new EU data protection regulation which will come into play in May 2018.

It will essentially strengthen our consumer rights surrounding how personal data is collected, used and shared, putting us in control of what companies do with our details.

According to the Information Commissioner's Office, our data will be:

Processed lawfully, fairly and in a transparent manner in relation to individuals;

Collected for specified, explicit and legitimate purposes;

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

Accurate and, where necessary, kept up to date;

Kept in a form which permits identification of data subjects for no longer than is necessary;

Processed in a manner that ensures appropriate security of personal data.

Although the UK is set to leave the EU, this legislation will still apply, as any organisation which does business with EU member states, or holds the data of EU citizens, will need to ensure it is compliant with the GDPR.

It will also apply to businesses based in the US, India, Australia and China, should they carry out business within the EU.

But what will be different, and how will we benefit as consumers?


One big change we’ll notice is the way that organisations communicate with us about how they use our data. Consent statements and policies will be less complex so that we can understand what they really mean.

Consent will also be obtained in a clear and affirmative way. In addition, we will not be forced to give consent for further use of data when signing up to services.

Clarity will be most important when collecting data from children (those under 13 in the UK but under 16 elsewhere). Cleverly designed pictorial representations may also be introduced to help us understand how they plan to use their data.

Consumer rights

Exercising the right to object to direct marketing will be easier under this new regulation.

We should be able to understand these rights clearly because data controllers will have to publicise them whenever they communicate with us. We should also receive the right to object to communications and this will need to be visibly outlined.

Data breaches

A data breach is when sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so. It can lead to identity theft and so these attacks need to be taken seriously.

The new regulation will require companies to inform you of any breaches to data, particularly if they are a high risk to the rights of individuals.

Misuse of data

Finally, you’ll be glad to hear that tougher penalties will be given to operators who are responsible for nuisance calls and texts.

This will also apply to legitimate data users and so reduced communications programmes could be implemented by many well-known brands.

The arrival of the GDPR may seem complex but the main outcome will be the fact that we have more control over where our data ends up and we can demand to know how it is being used.

You may have already seen organisations implementing clearer privacy notices, and whilst some are yet to come on board, the pressure from consumers and privacy activists will see the bar raised ahead of the regulation being officially brought into play next year.