As a Paycare Policyholder, you would’ve heard from us directly about our organisational General Data Protection Regulation (GDPR) plans and progress. But what does it actually mean for you, as an individual?

At Paycare, we employ some fantastic people – people who are part of an organisation which, like many others, have had to make some internal changes to ensure that we are compliant with the GDPR legislation which comes into force on 25th May 2018.

However, we’re conscious that so much of the focus of GDPR has been on how it will impact businesses and organisations, and how they are best preparing for the changes. But like you, our Policyholders, the Paycare team is made up of people who buy products and services from other brands and organisations outside of our work, and we want to know what it means for us.

We had some questions that we wanted answered, so we’ve worked on researching the answers and collating them into a handy blog post (voila!), in the hopes that it might help you to understand what it means for you – not just in terms of your dealings with Paycare, but with other organisations that you are considered a valued customer.

Psst – while it all sounds very serious in corporate communications, in our blog, we want it to be kept as simple as possible and buzzword-free. Enjoy!

Is it a good or bad thing?  

We think it’s a very good thing to happen. It has certainly caused some uncertainty and a degree of panic across the UK – mainly from firms who have to make internal changes to ensure they’re compliant. But for customers, it means we have more power over our personal data.

In real life, what will it do?  

There are many benefits of GDPR for customers – one example being our digital footprint and the use of those pesky website cookies. Under the Data Protection Act, it was common to see websites forcefully push users to accept cookies, making their website inaccessible unless they did (though we’ve never done this). Those cookies – and not the tasty, lovely kind – are then often collected, analysed and used to market products and services to us, based on our browsing habits and interests (or what they analysed to be of interest).

So that’s one example of what it means for us, but there are many others, like enabling us to:

  • More easily opt-out of communications and marketing
  • Have anything you have requested to be removed or opted out of, done so in a timely, accurate manner
  • Request to have all your data erased without delay by companies who hold your data (otherwise known as Right to Be Forgotten, or Right to Be Erased) – though in some cases for legal reasons, they may be allowed to keep ‘skeleton’ data on file
  • Only receive communications if you asked for them (or if you haven’t, again, have you removed from any marketing communications in a timely manner) unless they have reasons to consider you as a legitimate interest for the communications (read more here)
  • Request to see any of the data a company holds about you
  • To not be added to databases you weren’t asked to be part of
  • Receive market research feedback requests for a specific purchase or service (which is separate to marketing communications) – think about a product review if you’ve bought something
  • And, as a whole, you won’t be as inundated with marketing ‘spam’ as you were before – rightfully, organisations have to be more respectful of their communications with you

Why the new law in the first place?

The General Data Protection Regulation is essentially an ‘upgrade’ of the existing Data Protection Act, and was designed to align data protection laws across the continent. The aim is to make everything about personal data even more transparent, to create more trust among customers and brands, and to make it ethical and honest. To put it simply, GDPR places even more emphasis than ever before on the people who are in receipt of data, who control and process it, and how. Leading onto our next point…

Who is responsible for my data?

There are a few different titles that you may have heard, and we explain who some of these refer to…

  • Data Controller | the person who collects data and controls what is done with it
  • Data Processer | the person who receives the data from the Data Controller, and processes it to generate an output
  • Data Protection Officer | the person responsible for making sure an organisation is compliant, and the main point of contact for any queries from the Information Commissioner’s Office (ICO – a non-departmental public body which reports directly to government)

What are the consequences for those I buy from?

If you find that an organisation hasn’t dealt with any of the above requests from you in a timely manner, or to the standard you would expect, you can raise the matter with the Information Commissioner’s Office (ICO), which will look into the practices of that organisation. In some cases, if there is misconduct when it comes to GDPR, they may face a warning, guidance, restrictions, or even fines.

What do you think?

We’re sure there are more technical terms, official wording and specific phrases about GDPR that we could have used in our blog, but we wanted to share our interpretations in a format that’s more relatable and understandable.

GDPR is a big topic that is going to make headlines for the foreseeable future, and we want to make sure that we’re doing our best to support our Policyholders however we can. If you fancied reading our official statement, you can do so by visiting, or you can contact us on