As summarised from ICO guidance:

Other than knowing this, it would seem that the rules around data marketing have not changed much, so if you were doing it right in the first place, you don’t have too much to worry about in the grand scheme of things!

HOWEVER IMPORTANT: The GDPR and the new Electronic Privacy Regulation (ePR) (which will replace The Privacy and Electronic Communications Regulations (PECR)) are brothers. This only deals with the former (which is about privacy and the collection and processing of personal data including the rights of data subjects) BUT DON’T FORGET ABOUT the latter which is equally as important and which deals with the specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

What are your rights as a Data Subject? How do we (the business) honour your right?

The right to be informed: We must provide ‘fair processing information’, typically through a privacy statement such as this describing how and why we collect and use your Personal Data.

Read more guidance from the ICO on what information we should supply you and when you should be informed (which shall differ depending on whether or not we obtained the Personal Data directly from you or a third party).

The right of access: We try to be as open and transparent as We can be in terms of giving people access to their Personal Data. You are entitled to be aware of and be able to check the lawfulness of any processing of Your Personal Data. You can find out if We hold (and process) any Personal Data by making a ‘Subject Access Request’ under the Data Protection Act 2018/EU data protection regulation 2016/679. If We do hold Personal Data about You, We will let You have a copy of that Personal Data. To make a request to access Your Personal Data that We may hold, You need to put the request in writing, addressing it to the postal address provided below. We will action Your request without delay and at the latest within one month of Your request, subject to any extensions granted.

Read more guidance from the ICO.

The right of rectification: You are entitled to have Your Personal Data rectified if it is inaccurate or incomplete. If We have disclosed this to third parties, We will inform You. We have one month initially to rectify subject to possible extension. Where We decide not to rectify, We shall inform You of Your further rights.

Read more guidance from the ICO.

The right of erasure: You have a legal and personal “right of erasure” which is also known as the “right to be forgotten”. Upon Your request, We will close Your Account and remove Your Personal Data as soon as reasonably possible from all of our records unless a lawful reason exists for Us to retain some or all of it.

Read more guidance from the ICO.

The right to restrict processing: You have a right to ‘block’ or ‘suppress’ the processing of your Personal Data under certain circumstances but We are still entitled to store just enough of Your Personal Data to ensure that the restriction is respected in future.

Read more guidance from the ICO.

The right to data portability
You have the right to object to us processing your Personal Data:

  • based on legitimate interests or the performance of a (legal) task in the public interest/exercise of official authority (including profiling). Unless: You can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; and, the processing is for the establishment, exercise or defence of legal claims.
  • for purposes of scientific/historical research and statistics provided that you have “grounds relating to your particular situation”. Unless: the processing is necessary for the performance of a public interest task.
  • for direct marketing (including profiling). N.B. There are no exemptions or grounds to refuse.

Read more guidance from the ICO.

The right to object: You are entitled to obtain (in a commonly used and machine readable form) and reuse Your Personal Data that You have provided to us (via consent or contract performance) and which We process by automated means for Your own purposes across different services and free of charge. We must respond to a request without undue delay, and within one month whether or not We decide to action Your request. Where We decide not to, We shall inform You of Your further rights.

Read more guidance from the ICO.

Rights related to automated decision making and profiling: Subject to any GDPR exceptions, We should not take a potentially damaging decision concerning you as a result of using automated processing operations without human intervention. We must ensure that you have the opportunity to: obtain human intervention; express your point of view; and obtain an explanation of the decision and challenge it.

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict e.g. their performance at work; health; personal preferences; behaviour; or, location. When processing personal data for profiling purposes, we must ensure that the processing:

  • is fair and transparent and logical;
  • uses appropriate mathematical or statistical procedures;
  • uses appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors;
  • is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.

Read more guidance from the ICO.

Let us know if we can help you!

Author: Yvonne Morris



twitter: @CloudLegals

