Confused about the GDPR? Surely not… With so many blogs and training courses everyone is an expert… Do you really understand GDPR and the rules for you, the ‘Data Subject’?

So when GDPR comes into force (in May 2018) our data will be better controlled and handled……..right?

However, based on the many businesses and people we talk to, it is clear that there is still a huge lack of understanding about data, the GDPR and why it needs protecting…

For this reason, it’s more than wise that we all as data subjects grasp and understand for ourselves what GDPR is, and what is happening to OUR data. Only then can we begin to understand the true consequences for our organisations.

At the very heart of the new legislation is the very simple basic principle that organisations / businesses who use our data for their own legitimate interests should be doing this securely, legally and with our full knowledge.

However, it seems to me that increasingly our data is being used without our knowing or understanding, especially when we enter our details online. It is therefore imperative that we become the guardians and custodians of our own data.

Watch out when entering your data online

It is unfortunately true, that we have all become so very trusting of organisations and businesses who ask us so innocently for our data online. They expect us to have read the pages of small print in their T&Cs or data privacy policy. They even ask us to click the boxes that say either we ACCEPT the terms or ‘that we have read the T&Cs’. But so trusting are we that, in my experience, we accept or agree to these terms without ever having read them!

So, this means we do not know what we have allowed the data controllers to do with our data. Whilst for many businesses, aside from perhaps some behavioural analytics on how we use their website, or some legitimate direct marketing, there maybe no intentions to make gains from our data. BUT as they have it in their possession can we be certain? What we do know is that perhaps we are giving away our details too easily, without challenge and without knowledge as to how it will be used or processed. All on the basis of  trust.

The GDPR and the rules for you, the ‘Data Subject’ – nothing is free.

Now my late mum always said that nothing in life comes for free. But online we get so many free apps or offers. We expect free wifi in bars, restaurants, hotels and even the train. So, are they really free? Unless you have read the T&Cs or Data Policy or have been told what happens to your data then you cannot really know. My experience is that these free apps / offers tend use and sell our data so while we get something for nothing they make money out of our personal data and without us really knowing.

A fair trade? In my opinion, unfair if we do not know they are selling it or who they are selling it too……..and we wonder why we get so much trash email!!

A very recent example explains yet further about how we give data and, without challenge do not know, what happens to it:-

The GDPR and the rules for you, the ‘Data Subject’ – my local car dealership

My car recently went into the car dealership for some work; they needed it for a couple of days so I organised for a loan car.  This is a major reputable car manufacturer / retailer who asked me to bring my drivers’ licence as it was needed for the user car insurance. On collecting the vehicle, I handed over my licence and the very friendly chap wandered off to take a photocopy.

On his return, I said “why have you taken a copy of my drivers’ licence”

“it’s our policy and needed for the insurance”

My follow up question “so what happens to the copy after I return the user car”.

“It will just stay in your customer file probably collecting dust”

At the same time this was happening I clocked another of the car dealership staff photographing my car.

“Why is he taking pictures of my car?”

“We need this to evidence to show any damage ahead of us doing the work” …

”so, what happens to the photographs….? “

You get the gist

Now as I challenged he did say that they would delete the records if I so desired……. but let’s be clear he didn’t know why this data was being taken or stored nor if it would be latterly used. He was just doing what he had been asked to do.

How the GDPR changes the rules for you, the ‘Data Subject’

The GDPR will change this. It will expect that I need to be told these things by the car dealer. Therefore the guy I met would need to be trained to explain fully to me, as a customer, the what’s, why’s and how’s they will manage, protect and process my data. However, can we trust or do we believe this will happen in all cases?

That is why it’s better for us as data subjects to look after our own interests and to drive the change that the new regulations provides, ensuring the businesses we trust with our data are meeting the new legal requirements. In doing, so the risks of our data being stolen from that car dealer for identity fraud or other purposes is much greatly reduced.

My advice is therefore to challenge and understand what is happening with your data now….. Why do they need my Date of birth or my gender for an online purchase? What will you do with my records after I accept? Make sure you ask and they will advise

AND definitely make sure you start to read T&Cs before ticking the AGREE boxes (even if you only dive into the data privacy or policy). It’s not great bedtime reading but will keep you safer so you can at least sleep at night!!!



If you would like to find out how we can help your organisation to prepare for the forthcoming regulations, then please email us at or give us a call on 01926 80071.