Data Protection Q&As

Q: What is GDPR?

GDPR is the toughest privacy and security law in the world and has been in effect since 25th May 2018.


GDPR applies to any organisation operating within the UK and EU as well as organisations outside of the UK and EU which offer goods or services to customers or businesses in the UK and EU. 


GDPR is a regulation and not a directive. It is legally binding and cannot be opted out of, or ignored. Fines of up to €20 million or 4% of your company’s global turnover can be levied if regulation is ignored.

Q: Why has the GDPR been introduced?

GDPR has been put in place to provide UK and EU citizens control over their personal data, ensuring the storage and handling is:


Q: What is personal data?

Personal data is information that identifies someone personally and tells you something about them such as their name, place of work, personal / work email address and / or their home address.

Q: What is an International Data Transfer Agreement (IDTA)? Why does it exist and what purpose does it serve?

An International Data Transfer Agreement (IDTA) is an agreement established between organisations that governs the transfer of data from the owner / provider to a third party. 

An example is -  the data transferred from a lead generating product, both parties become joint controllers of the data. There is a legal obligation to set out the 3rd parties responsibilities in a joint control arrangement (the IDTA).

An IDTA sets out the purpose of the data sharing, covers what happens to the data at each stage, sets standards and helps all parties be clear about their roles and responsibilities.

Q: Is an IDTA always required for organisations based outside the EU/UK?

An IDTA is not always required: