Thanks for taking part in one of our training sessions on the General Data Protection Regulation.

The GDPR doesn’t have to be boring – it’s about your rights, after all. So to help you keep some key aspects of the law fresh in mind, here’s the first in a series of training updates which will come through to your mailbox over the coming weeks.


The GDPR covers all ‘Data Subjects’ who are either nationals or residents of any country in the European Economic Area (including the UK for now…).


That’s any living individual whose data our organisation processes, whether routinely or from time to time. Basically it’s anyone who we could find on our IT systems, in our files or on any company device (e.g. mobile phone, tablet, laptop, USB storage, etc). A Data Subject could be:

A colleague:
Including all employees, agency staff and contractors who work for us – our colleagues should all be aware of their rights, and fully understand their own responsibilities to ensure our GDPR compliance.


A client, supplier or service provider:
Anyone we work with, including named individuals within a company, but NOT a company itself. Only living humans can be data subjects.


A consumer:
Anyone who uses our website or buys our products and services needs to have an appropriate privacy notice so they know we have their information and how we use it.


A marketing lead:

Anyone who we sell goods or services to, either by emailing, cold calling or through digital marketing should either be aware we have their details, or be provided a GDPR compliant consent to be added to our marketing list.

A child:

We need to be particularly careful that we have parental consent for any children’s data we hold.



Personal Data includes anything which could be used to identify a person, or which relates to an identified person. This can include:

  • Name and contact details
  • Financial information
  • Employment background
  • Training, qualifications
  • Opinions and notes about the person
  • Photographs of the person

It also includes sensitive Personal data, which is:

  • Sexuality (Sex life and orientation)
  • Health and medical information (doctor’s notes, illness records, disabilities)
  • Biometric (such as fingerprints, facial recognition)
  • Genetic (blood, DNA)
  • Ideology (religious, political and philosophical beliefs)
  • Criminal convictions (DBS checks, anything relating to criminal record)

Sensitive data needs special protection, so it requires a much higher level of authorisation to process. You should always be weary if you find you are asking people for any of these types of data and be certain you are doing so within established working practices.


Technically the law only covers any Personal Data which is processed by automated means (IE: with software) or as part of a structured filing system (like a customer relationship management system, outlook contacts, manual filing systems, etc). That means odd pieces of paper, notes you have made in writing, business cards – anything that shouldn’t be filed in a way that is organised and searchable – isn’t covered.

Thanks for taking the time to read our training refresher. We’ll be in touch again soon, and you can always browse the rest of the website for more information. If you ever have any questions about GDPR be sure to contact your organisation’s data officer (or your manager or another responsible person).