Existing Data and GDPR

Existing Data and GDPR

The General Data Protection Regulation

The GDPR is something that many feel has crept up on them. It will replace the Data Protection Act in the UK and will have a number of very onerous implications for businesses.

One of the key things is legacy data. All the hours put into building sales and marketing databases may have been futile as GDPR could make them unusable.

Disclaimer: The information in this blog is for your general guidance and is not intended as, and shall not, constitute legal advice in any shape or form. If you think you need legal advice on GDPR and its impact on you and your business then you ought to obtain independent legal advice from a solicitor.

Existing Data

What will happen to the thousands of names and details of business contacts that you have compiled over your years in business? Will they continue to be the potential goldmine that they currently are, supplying you with a customer base to market directly to through emails. Is that data worth anything to you and your business after GDPR comes into force on 25th May 2018?

The answers to these questions depend upon whether or not you have obtained permission to use that data in the future. The Information Commissioners Office has very helpful guidelines to help you determine whether or not you need to update the permissions you currently hold in relation to data.

What will not constitute GDPR compliant consent?

Given that GDPR didn’t exist until fairly recently, you will be lucky if you have somehow managed to comply prior to the specific details in relation to compliance by chance. You should watch out if you have been vague about what individuals or businesses are consenting to, if consent wasn’t defined per se but formed part of a range of processing activities, if consent was a pre-condition of a service or if you used a pre-ticked box such that the individual or business would have to ‘opt-out’ of providing their consent. If any of the above apply then it is highly unlikely that the data stored as a result is GDPR compliant.

What will constitute GDPR compliant consent?

It is likely that Consent will be the most heavily relied upon lawful basis for processing data under GDPR. The consent must be given freely and the individual must receive specific information about the consent they are providing, be informed and the consent given must be unambiguous. The individual must also actively ‘opt-in’ so a pre-ticked box will no longer be compliant. The individual must be given a genuine choice as to whether or not they wish to provide their consent and they are entitled to have clear and specific information regarding what they are consenting to. Lastly, the individual must retain the opportunity to ‘opt-out’ at any stage should they so wish.

Can you renew consent?

The obvious approach here is simply to e-mail all of your contacts and ask them for renewed consent, ensuring that when you ask them you comply with the requirements as set out above but more fully in the GDPR itself. Information can also be found on the ICO website.

One should, however, exercise caution in taking such an approach. Does one even have permission to send that email campaign asking for renewed consent? Moreover, should a complaint be made about the email can one justify why the email was sent and the permission to do so? If a business does not know whether it has consent and when and how that consent was obtained, it might be a risky approach to send out emails asking for renewed consent.

It is worth noting at this stage that the ICO can provide a multitude of information to guide you and your business through complying with the GDPR. Consent is not the only lawful basis for processing personal data after introduction of the GDPR. There are five other grounds for processing and so an intimate knowledge of the GDPR is strongly recommended.


It is clear that the GDPR present real challenges for all businesses in the EU. Ensuring compliance will be key due to the harsh penalties to be imposed in the event of breaching the GDPR. The ICO has produced many excellent guidance notes which appear to be aimed at strict enforcement after25 May 2018. In other words, ignorance will be no excuse. Whilst it is key to ensure compliance, the ICO have stated that you cannot break an existing law in trying to comply with a new one and so it is obvious that one must not do anything and everything to ensure compliance to the detriment of complying with the current Data Protection Act.