AF logo

What does the future hold under GDPR?

The EU’s General Data Protection Regulation (GDPR) is a major new piece of EU legislation that will come into effect on the 25th May. Replacing the Data Protection Act, GDPR aims to protect the personal data of all EU citizens and will have far reaching consequences in how businesses handle personal data, including AF.

As the world becomes more digitised, there has been an significant increase in data capture. This rise in Big Data has led to concerns around the use and storage of personal data. Therefore, the EU has introduced GDPR as a means of providing more safeguards for citizens and their personal information. Under GDPR the maximum fine is 4% of annual global turnover or €20million, whichever is greater. As such, GDPR is something all businesses, including AF, should take seriously.

Who does GDPR apply to?

GDPR is extensive in its reach as it applies to ‘controllers’ and ‘processors’ of the personal data of any EU citizens, regardless of where they are in the world, meaning it affects companies outside the EU.

Data Controllers – are those collecting and storing any personal data, whether these records are customers or prospects. The data controller might also be a data processor or pass the data to a data processor. Both are liable for the security and compliance of the data.

Data Processors – are those who have been appointed to process the data on behalf of a data controller.

What is personal data?

GDPR applies to all personal and sensitive data, both electronic and paper based, which refers to any information relating to an individual human being who can be directly or indirectly identified. There are some exemptions within this definition such as persons who are deceased or any personal information that is available publically e.g. information on companies house such as Directors of a limited company.

Some examples of data that is protected include -

Personal Data

Sensitive Data



Email Address



Race or ethnic origin

IP Address


Partial credit card numbers (with a name)



National Insurance/Passport Numbers


Under GDPR there must to be a valid lawful basis to process personal data. Valid lawful basis includes -

Consent – you have given explicit consent for your data to be processed, e.g. you ticked a box to say that you wanted to receive marketing emails. Tick boxes can no longer be pre-ticked and it must be very clear what you are giving consent to.

Contractual – if you have entered or are entering into a contract with someone, they are able to reasonably process your data to fulfil that contract.

Legal obligation – an HR team need to process personal data in order to comply with HMRC legal obligations.

Vital interests – if you are in A&E with life threatening injuries, the hospital can disclose your medical history in order to protect your vital interests.

Public task – where you need to process personal data in the exercise of an official authority or to perform a specific task in the public interest that is set in law. For example, the police force, parliamentary functions, etc.

Legitimate interests – This basis can be applied where data is used in ways that would be reasonably expected when the data was provided.

We take your data integrity very seriously and will always ensure the security of your data is paramount. Therefore, we have set up a working party to ensure AF is compliant with GDPR and updating members and suppliers on the changes that will come into effect.

Look out for further details of how GDPR will change the way we engage with members in the next edition of YourAF.

< Back to news