Chat with us, powered by LiveChat

The General Data Protection Regulation is a newly updated EU policy which replaced the Data Protection Directive (DPD) with an intention to improvise the protection of the personal data. This policy applies to the entities within EU as well as the non-EU businesses who are involved in marketing their products to EU.

As your trusted marketing solution partner, we help you on your GDPR compliance voyage. At Thomson Data, our entire organization works to ensure that we follow GDPR-compliant practices. At the same time, it is essential for us to help our customers and partners to make them understand the impact of this law on their businesses and also to develop a GDPR compliance process of their own.

Hence to determine your next step, we covered the essential details of GDPR and also about the preparation of Thomson Data in this page.

The European General Data Protection Regulation is an update of the Data Protection Directive 95/46/EC. This new policy came into enforcement on 25th May 2018. It is envisioned to harmonize data privacy laws across the European Union and hence protects the personal data of the EU citizens. GDPR encourages all the businesses to be transparent in the data processing activity. In the UK, the GDPR policy will replace the Data Protection Act.

The 1995 Directive for data protection and privacy lays a foundation for GDPR. The advancement of the technology in the 80s gave rise to the increased use of computers. This progression resulted in the changes in various activities such as data collection, storage, and processing. Hence to be more rigorous about data privacy, the European Data Protection Directive came into existence in 1995. This directive stated data protection principles which were used by the organizations for over two decades.

Principles of Data Protection Directive


Find as well as process the personal information of an individual reasonably.
The organizations must take necessary actions to safeguard the user’s data
One must not keep the user’s data for longer than necessary
Organizations can use it only for specified purposes in a legitimate manner
The database must include only updated and accurate information.
On request, you can give a copy of the personal data to any individual
Process the data in a way that is compatible with the intention of the collection
Ensure that the data collected from an individual is relevant and acceptable
Data subjects should be given the access to their personal data

Although the primary goal of these principles is to include the harmonization of data protection laws, it was still a directive. It led to a path for a more significant piece of legislation known as GDPR which became an enforceable law in all the member state. Also, the newly updated General Data Protection Regulation includes various provisions to strengthen the rights of data subjects. Besides, it adds harsher penalties for the violation of the law. Apart from that, one should note that this law is not applicable to legal entities and also a deceased person.

The newly updated GDPR policy applies not only to EU businesses but also to the non-EU firms who monitor or process the data of EU citizens. Also, to enhance the data privacy of an individual, the GDPR strengthens their right with many criteria’s. The individuals have all the right to know about the usage of their data, and also to rectify or delete them anytime. We will see those changes in the next section.

The newly updated General Data Protection Regulation came into existence with an intention to strengthen the previous directive. Although the critical principles of GDPR are similar to the 1995 EU Directive, it includes many changes in the policy. The notable ones that impact the businesses are listed below.

–    Rights to Access

This right of an individual was found in the previous directive as well. But, GDPR enhances this right by adding a few more criteria. The data subjects have all the right to know the processing status of their data, the place of usage and its purposes. The period to process the access request is now 30 days. Also, the organization cannot charge for processing request unless it is expensive. Besides, the company can also refuse the access request. However, they must have the apparent reason and policies in hand to prove the refusal.

–    Right to Be Forgotten

Data subjects have an exclusive right regarding their personal information. They can ask the controller to remove or delete their data anytime. Also known as Data Erasure, the Article 17 of GDPR specifies the conditions for this right.  However, the data controller must remove the individual’s personal information when it is no longer relevant to the original purpose.

–    Right to Portability

GDPR also introduces one more right for an individual regarding the data portability.  According to this right, the data subject can demand the copy of their personal information which they have provided to the organization. Also, they have all the power to transmit the data to other controllers.

–    Consent

The new law made some changes to the condition of the approvals. That is, the permission must be explicit and distinguishable in the updated policy. Also, one must provide it in an easily accessible format with an understandable language.  Hence, the organizations cannot consider the long form of terms and conditions as the request for the user’s consent.

–    Severe Penalties

GDPR introduces severe penalties for the violation of laws. That is, it can include 4% of annual global revenue or €20 Million whichever is greater. Also, the level of penalty will vary based on the type of the infringement. The Article 83(4) and Article 83(5) of GDPR lists the criteria for different levels of penalty respectively. Besides, it will not only include fines. It may come in the form of warnings, reprimands or also suspensions of data processing permanently.

–    Territorial Scope

According to the 1995 EU Data Protection Directive, the scope of the rules was applicable only within EU. But, the newly updated law includes all the entities (EU or non-EU) who market their products or services to the citizens of EU or the businesses who monitor the behavior of the individual’s in the EU.

–    Privacy by Design

According to this change, the company must give importance to data protection beginning from the designing of the system. It should be a part of the organization, and not an addition. Also, they must perform a Data Privacy Impact Assessment (DPIA) while processing the data with the help of new technologies or if they follow any risky method.

–    Accountability

The new law requires both the controllers and the processors to demonstrate their GDPR compliancy to their local supervisory authority. That is, the processes must be recorded, applied as well as reviewed regularly. Also, the employees must undergo proper training regarding the changes in the policy. Besides, they must be able to take technical and organizational measures to ensure their compliance with the GDPR.

–    Breach Notification

Under the new system, the breach notification has become mandatory in all the member states. The data controllers must report the breach to the supervisory authority within 72 hours of learning it. Also, they must inform the data subjects who will be affected by this breach.

–    Data Protection Officers

In the previous directive, the data controllers must inform about their processing activities with the local Data Protection Authorities (DPA). But, under GDPR, this method is not required. The organizations will appoint Data Protection Officers (DPO) if their fundamental operations include processing on a regular basis and systematic monitoring of data subjects widely. Also, they must nominate a DPO if they process the data related to some particular categories or criminal convictions and offenses.

–    Responsibility

Before the existence of GDPR, only data controller was responsible for any mishandling of user’s data. Whereas, in the new policy, both the data controller and the processor will be accountable for GDPR compliance. That is, the third party or other organizations who process the data on behalf of your organization will also abide by the GDPR policy and hold liable for its violations.

We Safeguard Your Personal Data


We invested in our robust security team to meet GDPR obligations
We take consent before sending any marketing emails to the customers
Our team also provides an Opt-out option along with every email
We implemented a re-permission program with email confirmations
At every point, we carry out a fair and a transparent process.
We are responsible for deleting or changing your data as per your requirement
We clean up the database regularly and also remove the obsolete data
Our team is responsible for classifying and tracking the usage of an individual’s data
We inform every individual about the usage of their data in our company
You can send us an email, and our team will process it accordingly
Our squad audited all our existing contact data to keep it accurate
Also, we follow rigid steps to protect, securely share, and revoke the access

“Fulfilling data privacy and security commitments are important to us.”

Our Expertise in Data Privacy


We review how we store as well as use data about our customers on their behalf
Also, the data is identifiable and secure regardless of its storage space
We continuously monitor our data for breaches and hence notify you if we find any
We educate our customers about GDPR and also about its rules
We utilize comprehensive technology for data, network, and application security
Our company also complies with several other standards and regulations
Our team ensures that only the authorized person can access the individuals’ data
All the information is in an encrypted format and also password-protected
It is a member of the Direct Marketing Association and follows BBB standard

With legal jargons sprinkled over the GDPR privacy law, we are here to help you with the essential definitions. Our glossary page aids you in understanding some of the frequently used terms in the GDPR.

–  Article 29 Working Party

The Art.29 WP is an advisory body. It includes the representatives from the data protection authority of each EU member state, the European Commission, and the European Data Protection Supervisor.

–  Data Breach

In the context of the GDPR policy, the data breach refers to various unlawful activities. It includes actions such as destruction, random access, misuse, etc. of an individual’s data.

–  Data Controller

It refers to the person or the organization who controls the drive and also data processing operation.

–  Data Erasure

Also known as the right to erase or to be forgotten, it is one of the fundamental rights of an individual. According to this right, the individual has full authority over their data, and they can also ask the controller to delete their data anytime.

–  Data Processor

It refers to an organization or a company that helps a data controller by processing the data based on their instructions.

–  Data Processing

In the GDPR lexicon, the term data processing refers to an operation performed on an individual’s personal information. It includes several acts such as data gathering, organizing, storing, structuring, updating, retrieving, using, erasing, and more.

–  Data Protection Impact Assessment (DPIA)

The DPIA is the documented assessment that helps the organizations to recognize, evaluate and also mitigate the privacy risks associated with the data processing operation.

–  Data Protection Officer (DPO)

DPO is a data privacy expert who works independently and also responsible for ensuring that an entity is obeying the GDPR policy.

–  Data Subject

This term indicates an existing individual whose personal information is being used by the organization.

–  Information Commissioner’s Office (ICO)

It is the supervisory authority in the UK. Elizabeth Denham is the current information commissioner in the UK.

–  Personal Data

In the GDPR context, the personal data stands for any information related to a person which directly or indirectly identifies him. It includes different identifiers such as a name, residential address, email address, identification card number, Internet Protocol (IP) address, and a few more.

–  Profiling

Any form of automated processing of individual’s data proposed to evaluate specific parts such as personal preferences, analyze work performance, economic condition, geographic location, etc.

–  Supervisory Authority

It refers to one or more public authority who is appointed by each member state to monitor the application of GDPR.

–  Third Country

It includes the countries other than the European Union. That is, at the time that the GDPR became applicable, it listed few secure third countries. They are Andorra, Argentina, Canada (lists only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the USA (only if the receiver belongs to the Privacy Shield).

–  Third Party

It refers to the agency, legal person, or any public authority. In the GDPR lexicon, the third party will not include the data controller, processor, data subject and also the other person who is under the influence of the controller to process the personal information.

+ GDPR And Its Past

The European General Data Protection Regulation is an update of the Data Protection Directive 95/46/EC. This new policy came into enforcement on 25th May 2018. It is envisioned to harmonize data privacy laws across the European Union and hence protects the personal data of the EU citizens. GDPR encourages all the businesses to be transparent in the data processing activity. In the UK, the GDPR policy will replace the Data Protection Act.

The 1995 Directive for data protection and privacy lays a foundation for GDPR. The advancement of the technology in the 80s gave rise to the increased use of computers. This progression resulted in the changes in various activities such as data collection, storage, and processing. Hence to be more rigorous about data privacy, the European Data Protection Directive came into existence in 1995. This directive stated data protection principles which were used by the organizations for over two decades.

Principles of Data Protection Directive


Find as well as process the personal information of an individual reasonably.
The organizations must take necessary actions to safeguard the user’s data
One must not keep the user’s data for longer than necessary
Organizations can use it only for specified purposes in a legitimate manner
The database must include only updated and accurate information.
On request, you can give a copy of the personal data to any individual
Process the data in a way that is compatible with the intention of the collection
Ensure that the data collected from an individual is relevant and acceptable
Data subjects should be given the access to their personal data

Although the primary goal of these principles is to include the harmonization of data protection laws, it was still a directive. It led to a path for a more significant piece of legislation known as GDPR which became an enforceable law in all the member state. Also, the newly updated General Data Protection Regulation includes various provisions to strengthen the rights of data subjects. Besides, it adds harsher penalties for the violation of the law. Apart from that, one should note that this law is not applicable to legal entities and also a deceased person.

The newly updated GDPR policy applies not only to EU businesses but also to the non-EU firms who monitor or process the data of EU citizens. Also, to enhance the data privacy of an individual, the GDPR strengthens their right with many criteria’s. The individuals have all the right to know about the usage of their data, and also to rectify or delete them anytime. We will see those changes in the next section.

+ Fundamental Changes in The New Law

The newly updated General Data Protection Regulation came into existence with an intention to strengthen the previous directive. Although the critical principles of GDPR are similar to the 1995 EU Directive, it includes many changes in the policy. The notable ones that impact the businesses are listed below.

–    Rights to Access

This right of an individual was found in the previous directive as well. But, GDPR enhances this right by adding a few more criteria. The data subjects have all the right to know the processing status of their data, the place of usage and its purposes. The period to process the access request is now 30 days. Also, the organization cannot charge for processing request unless it is expensive. Besides, the company can also refuse the access request. However, they must have the apparent reason and policies in hand to prove the refusal.

–    Right to Be Forgotten

Data subjects have an exclusive right regarding their personal information. They can ask the controller to remove or delete their data anytime. Also known as Data Erasure, the Article 17 of GDPR specifies the conditions for this right.  However, the data controller must remove the individual’s personal information when it is no longer relevant to the original purpose.

–    Right to Portability

GDPR also introduces one more right for an individual regarding the data portability.  According to this right, the data subject can demand the copy of their personal information which they have provided to the organization. Also, they have all the power to transmit the data to other controllers.

–    Consent

The new law made some changes to the condition of the approvals. That is, the permission must be explicit and distinguishable in the updated policy. Also, one must provide it in an easily accessible format with an understandable language.  Hence, the organizations cannot consider the long form of terms and conditions as the request for the user’s consent.

–    Severe Penalties

GDPR introduces severe penalties for the violation of laws. That is, it can include 4% of annual global revenue or €20 Million whichever is greater. Also, the level of penalty will vary based on the type of the infringement. The Article 83(4) and Article 83(5) of GDPR lists the criteria for different levels of penalty respectively. Besides, it will not only include fines. It may come in the form of warnings, reprimands or also suspensions of data processing permanently.

–    Territorial Scope

According to the 1995 EU Data Protection Directive, the scope of the rules was applicable only within EU. But, the newly updated law includes all the entities (EU or non-EU) who market their products or services to the citizens of EU or the businesses who monitor the behavior of the individual’s in the EU.

–    Privacy by Design

According to this change, the company must give importance to data protection beginning from the designing of the system. It should be a part of the organization, and not an addition. Also, they must perform a Data Privacy Impact Assessment (DPIA) while processing the data with the help of new technologies or if they follow any risky method.

–    Accountability

The new law requires both the controllers and the processors to demonstrate their GDPR compliancy to their local supervisory authority. That is, the processes must be recorded, applied as well as reviewed regularly. Also, the employees must undergo proper training regarding the changes in the policy. Besides, they must be able to take technical and organizational measures to ensure their compliance with the GDPR.

–    Breach Notification

Under the new system, the breach notification has become mandatory in all the member states. The data controllers must report the breach to the supervisory authority within 72 hours of learning it. Also, they must inform the data subjects who will be affected by this breach.

–    Data Protection Officers

In the previous directive, the data controllers must inform about their processing activities with the local Data Protection Authorities (DPA). But, under GDPR, this method is not required. The organizations will appoint Data Protection Officers (DPO) if their fundamental operations include processing on a regular basis and systematic monitoring of data subjects widely. Also, they must nominate a DPO if they process the data related to some particular categories or criminal convictions and offenses.

–    Responsibility

Before the existence of GDPR, only data controller was responsible for any mishandling of user’s data. Whereas, in the new policy, both the data controller and the processor will be accountable for GDPR compliance. That is, the third party or other organizations who process the data on behalf of your organization will also abide by the GDPR policy and hold liable for its violations.

+ Our Commitment to GDPR

We Safeguard Your Personal Data


We invested in our robust security team to meet GDPR obligations
We take consent before sending any marketing emails to the customers
Our team also provides an Opt-out option along with every email
We implemented a re-permission program with email confirmations
At every point, we carry out a fair and a transparent process.
We are responsible for deleting or changing your data as per your requirement
We clean up the database regularly and also remove the obsolete data
Our team is responsible for classifying and tracking the usage of an individual’s data
We inform every individual about the usage of their data in our company
You can send us an email, and our team will process it accordingly
Our squad audited all our existing contact data to keep it accurate
Also, we follow rigid steps to protect, securely share, and revoke the access

“Fulfilling data privacy and security commitments are important to us.”

+ Our Security Updates

Our Expertise in Data Privacy


We review how we store as well as use data about our customers on their behalf
Also, the data is identifiable and secure regardless of its storage space
We continuously monitor our data for breaches and hence notify you if we find any
We educate our customers about GDPR and also about its rules
We utilize comprehensive technology for data, network, and application security
Our company also complies with several other standards and regulations
Our team ensures that only the authorized person can access the individuals’ data
All the information is in an encrypted format and also password-protected
It is a member of the Direct Marketing Association and follows BBB standard
+ GDPR Glossary

With legal jargons sprinkled over the GDPR privacy law, we are here to help you with the essential definitions. Our glossary page aids you in understanding some of the frequently used terms in the GDPR.

–  Article 29 Working Party

The Art.29 WP is an advisory body. It includes the representatives from the data protection authority of each EU member state, the European Commission, and the European Data Protection Supervisor.

–  Data Breach

In the context of the GDPR policy, the data breach refers to various unlawful activities. It includes actions such as destruction, random access, misuse, etc. of an individual’s data.

–  Data Controller

It refers to the person or the organization who controls the drive and also data processing operation.

–  Data Erasure

Also known as the right to erase or to be forgotten, it is one of the fundamental rights of an individual. According to this right, the individual has full authority over their data, and they can also ask the controller to delete their data anytime.

–  Data Processor

It refers to an organization or a company that helps a data controller by processing the data based on their instructions.

–  Data Processing

In the GDPR lexicon, the term data processing refers to an operation performed on an individual’s personal information. It includes several acts such as data gathering, organizing, storing, structuring, updating, retrieving, using, erasing, and more.

–  Data Protection Impact Assessment (DPIA)

The DPIA is the documented assessment that helps the organizations to recognize, evaluate and also mitigate the privacy risks associated with the data processing operation.

–  Data Protection Officer (DPO)

DPO is a data privacy expert who works independently and also responsible for ensuring that an entity is obeying the GDPR policy.

–  Data Subject

This term indicates an existing individual whose personal information is being used by the organization.

–  Information Commissioner’s Office (ICO)

It is the supervisory authority in the UK. Elizabeth Denham is the current information commissioner in the UK.

–  Personal Data

In the GDPR context, the personal data stands for any information related to a person which directly or indirectly identifies him. It includes different identifiers such as a name, residential address, email address, identification card number, Internet Protocol (IP) address, and a few more.

–  Profiling

Any form of automated processing of individual’s data proposed to evaluate specific parts such as personal preferences, analyze work performance, economic condition, geographic location, etc.

–  Supervisory Authority

It refers to one or more public authority who is appointed by each member state to monitor the application of GDPR.

–  Third Country

It includes the countries other than the European Union. That is, at the time that the GDPR became applicable, it listed few secure third countries. They are Andorra, Argentina, Canada (lists only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the USA (only if the receiver belongs to the Privacy Shield).

–  Third Party

It refers to the agency, legal person, or any public authority. In the GDPR lexicon, the third party will not include the data controller, processor, data subject and also the other person who is under the influence of the controller to process the personal information.

Are You Ready for Next Step?

At Thomson Data, we are working with our team to address the customer needs around GDPR. You can always email us at sales@thomsondata.com or call +1 800-385-8221 for any GDPR related questions subjected to our company. Also, for any general queries, you can read the full FAQ on EU’s official website.

“Our team and our customer share the responsibilities of Data Protection Obligations.”

Disclaimer: This content is not legal advice for you to use in complying with the GDPR. So, we insist you consult an attorney for authorized advice. This website provides only the background information to help you understand how Thomson Data addresses the legal points.