0330 303 0236




Don’t be scared… be prepared!

At TMA we know regulatory changes can be challenging and often scary. To help support you following the General Data Protection Regulation (GDPR) we have created a Knowledge Base where you can find all the information that you need pertaining to GDPR. The Knowledge Base contains a number of useful guides, FAQs, infographics and much more.

  • The GDPR applies to ‘controllers’ and ‘processors’.
  • A controller determines the purposes and means of processing personal data.
  • A processor is responsible for processing personal data on behalf of a controller.
  • If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
  • However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
  • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
  • Personal dataThe GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
  • Sensitive personal dataThe GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

Article 5 of the GDPR requires that personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that:

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Privacy Electronic Communications Regulations – PECR

As well as the GDPR, the Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.

PECR is not new but just sets out some extra rules for electronic communications. You must still comply with the Data Protection Act as well.

Naturally, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the Data Protection Act, and vice versa – but there are some differences and you must make sure you comply with both.

PECR restrict unsolicited marketing by phone, fax, email, text or other electronic messages.

You will often need specific consent to send unsolicited direct marketing especially if you do so by email or automated telephone calls. The best way to obtain valid consent is to ask customers to tick ‘opt-in’ boxes or provide a signature confirming they are happy to receive marketing calls, text or emails from you.

You should keep clear records of what a person has conducted to, and when and how you got this consent, so that you can demonstrate compliance in the event of a complaint.

Remember that the customer is entitled to withdraw their consent at any time.

A generic consent form will also cater for the requirement of ‘consent to contact for marketing purposes’.

Click here for the useful ‘obtaining consent for marketing’ checklist.

ICO news – new advice service aimed at small organisations preparing for the General Data Protection Regulation

The Information Commissioner’s Office (ICO) launched a dedicated advice line this month to help small organisations prepare for the GDPR.

The phone service is aimed at people running small businesses or charities and recognises the particular problems they face getting ready for the new law.

There is already plenty of reference material available on the ICO website to help organisations employing fewer than 250 people prepare for the GDPR, but this new phone line will offer additional, personal advice to small organisations that still have questions.

People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.

In addition to the new phone service, the ICO has also announced plans to:

  1. Simplify its popular “12 steps to take now” graphic in response to calls from small businesses and is;
  2. Revising its simple-to-use SME toolkit – a resource used by around 9,000 businesses a month since January 2016.

By the end of the year, the ICO will publish a Guide to the GDPR. It expands the content of the current overview to make it a comprehensive guide along the same lines as the current Guide to Data Protection.

Click here for more informations.


Our Field Compliance Manager, Simon Lovell says you consider:

  • Have I documented what data I hold and where?
  • Is it secure? How do I know?
  • Have I got permission to contact my customers?
  • If there is a data breach, what are my reporting procedures?
  • Be disciplined with your data – give customers the option to ‘opt-out’ and record that fact
  • What if I lost my laptop or USB stick?

If you have any questions, submit them to compliance@tmaclub.com and Simon will be in touch.



The ICO have replaced their ‘Getting ready for GDPR Checklist’ with two new checklists – one for data controllers and another for data processors.

Before undertaking their self assessment checklist  to help your organisation get ready for the GDPR, you should first determine whether your organisation processes personal data as a ‘data controller’ or ‘data processor’. The definition of the two terms can be found here.

In some instances, organisations will process personal information as both a controller and a processor. When this is the case, the ICO would advise you to complete both assessments.

GDPR checklist for data controllers

Designed to help you, as a data controller, assess your high level compliance with data protection legislation. Includes the new rights of individuals, handling subject access requests, consent, data breaches, and designating a data protection officer, under the upcoming General Data Protection Regulation.

GDPR checklist for data processors

Designed to help you, as a data processor, understand and assess your high level compliance with data protection legislation. Includes the new requirements for data processors, the rights of individuals, data breaches, and designating a data protection officer, under the upcoming General Data Protection Regulation.

Other useful GDPR guidance.