Created by: Felicity Hannah | 20 May 2019

What can companies do with your data?

A consumer guide to GDPR (and it isn’t as boring as the name, we promise)

It’s been said that data is the new oil. Not everyone agrees but it’s certainly true that data is a powerful commodity that businesses are willing to pay a lot of money to get hold of.

So what is your data? It’s everything from your name, location and spending power, to the number of children you have, what kind of holidays you take and whether you use credit cards.

And that obviously has real value to businesses that want to sell to you, companies that want to keep you on their books, organisations that analyse data for commercial and political reasons and more.

Because data is so important, valuable and, let’s face it, personal, new legislation came into force in May last year – placing quite significant restrictions on how our data can be used.

If you’re wondering what companies are allowed to do with the information they hold on you and your habits, then here is a quick guide.


The name of these new rules was exceptionally dull – General Data Protection Regulation, most commonly known as GDPR. You probably remember it from a load of emails you got in 2018 asking you to sign back up to various newsletters.

This regulation is essentially the world’s strongest data protection rules and it applies in some form across Europe.

Even after Brexit, these tough new data laws will continue to apply in Britain as we have implemented a new Data Protection Act that carries most of the new rules into UK law too.

And these new rules have meant a lot of changes. Here’s a rundown of the main changes:

No more pre-ticked consent boxes

Ever made a purchase or accessed a website only to discover that you’ve been signed up for a load of marketing? Before GDPR, customers could be caught out by pre-ticked consent boxes that made it easy to sign up for stuff without realising.

Now it has to be a positive choice from you.

Withdrawing consent must be easy

If you’re receiving marketing from a company then they are storing your data – withdrawing your consent should be as easy as giving it.

That means you shouldn’t have to jump through hoops to unsubscribe from marketing if you subscribed with a single click originally. Now, most firms include an unsubscribe button at the bottom of each email.

They have to have a good reason to keep hold of your data

Firms aren’t allowed to just keep hold of information on you in case it becomes useful one day, they must have a reason they are keeping it.

Valid reasons include things like needing to contact current customers or subscribers or holding onto data to keep customers informed about safety developments.

Importantly, though, businesses must tell people why they are holding onto their data as they collect it, they can’t just stick it in a database without permission.

You have to be told when things go wrong

There have been many high profile data hacks, where major companies have been forced to admit that thieves and hackers managed to steal information about their customers.

In the past some businesses have only revealed this after the damage has been done and potentially after their customers have been approached by fraudsters using stolen data.

Now, they must inform the authorities within 72 hours of becoming aware of a data hack, while any affected customers whose unencrypted data has been stolen must now be informed “without delay”.


Get Your Free Credit Score

Download The Appit’s 100% FREE & FCA Authorised
get credit score
Get Your Free Credit Score