GDPR…attack of the acronyms!

2018/05/25 00:00:00

Download the whitepaper before it's too late!

What is GDPR?

The General Data Protection Regulation (GDPR) is a new European privacy regulation. It is aimed at strengthening and aligning protection of personal data of all European residents. The regulation covers acquiring, storing and usage of personally identifiable and sensitive data. It enforces rights for individuals to acquire their own personal data, have it corrected or removed. The regulation gives European residents more control over their own personal data. GDPR comes into force across Europe from 25th of May, 2018.

Who does GDPR apply to?

The regulation applies to all companies that gather, store and process data of European citizens. This also includes companies that might be based outside of the European Union. Any company that processes European citizen data is required to provide reasons for acquiring and processing data, document the processing process, ensure appropriate data handling security and discard or anonymise the data after the reasons for processing no longer apply.

Learn more about GDPR from illuminate online

Why GDPR is a force for good

Phil Young

Seven GDPR guiding principles

  • null
    Lawfulness, fairness and transparency: Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject
  • null
    Purpose limitation: Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • null
    Data minimisation: Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • null
    Accuracy: Data must be accurate and kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay  
  • null
    Storage limitation: data must be kept in a form which permits identification of data subjects for no longer than is necessary
  • null
    Integrity and confidentiality: data must be processed in a manner that ensures appropriate data security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage  
  • null
    Accountability: The data controller must be responsible for, and be able to demonstrate compliance with all of the above principles

Watch the replay of the MiFID II webinar with Phil Young

Nucleus' most recent white paper, MiFID II - a guide for financial advisers has been prepared in partnership with Phil Young of Zero Support.

On this webinar Phil discusses the white paper and the context and purpose of MiFID II, how the FCA plan to interpret and apply it to the UK and how it will affect advisers, and what actions they will need to take to meet the changes in this legislation.

Your GDPR jargon glossary

Personal data

GDPR is broadening the definition of what constitutes personal data compared to that in the data protection act (DPA). As well as traditional personal data such as email, contact details, any identification numbers, IP addresses and locations are now included.

Each person to which the personal data refers is known data subject

Senstive personal data

Again GDPR has broadened this definition compared to that of the DPA. The main difference is the inclusion of biometric data as senstive personal data. Sensitive data also includes religion, political beliefs, sexual preference, race and ethnicity.

Data processor

A data processor carries out operations on personal data either manually or automated. This includes collecting, recording, organising, storing, changing, retrieving and sending data. It also covers restricting and destroying data.

Nucleus is a data processor of both adviser data and client data. An adviser firm is a data processor client data.

Data controller

A data contoller is a person or company who decides the purpose any personal data is to be processed and the way it will be processed. This can be one person or jointly with other people.

Nucleus is the data controller for the adviser and client data that we hold. Adviser firms are the data controllers for the client data that they hold.


Consent must be freely given, specific and informed. It must constitute an unambiguous indication of an individual's wishes. GDPR makes it clear that pre-ticked boxes or failure to opt out will not constitute valid constent.

Lawful grounds for data processing

GDPR defines the lawful grounds for data processing to be:

  • Consent of the data subject
  • Necessity for the performance of a contract
  • Legal obligation
  • Necessary for vital interests of the data subject
  • Necessity for the performance of a task in the public interest
  • Legitimate interests of a data controller such as the data subject being a client or recieving a service from the data controller
Right to be forgotten

This enables an individual to request the deletion or removal of personal data where there is no compelling reason for it's continued processing. The controller must carry out this request without delay.


This is the automated processing of personal data for evaluation, analysis or prediction. Consent must be obtained and the right to challenge and object included.

What about Brexit?

Brexit is unlikely to have a significant impact on GDPR. Not adopting regulations equivalent to GDPR means the European Commission could reject the UK's application for adequacy status. This is required for the free flow of information between the UK and EU without the need of separate contractual arrangements.

So while GDPR could be amended or watered down post Brexit, it's best to assume this will not happen in any material way. The UK's own data protection bill clearly indicates a UK intention to replicate GDPR post-Brexit.

Download our GDPR whitepaper