What is GDPR? UK & EU Data Protection | Paytia

GDPR is the UK and EU data protection law that says: tell people what you're doing with their data, only collect what you actually need, keep it safe, and let them ask for it back or have it deleted. It's been in force since May 2018, it covers everything from email addresses to call recordings, and getting it wrong can cost you up to 4% of global turnover.

What Is GDPR?

GDPR stands for General Data Protection Regulation. It's the EU data protection law that came into force in May 2018, and it governs how organisations collect, use, store, and share personal data of anyone in the EU or European Economic Area. It also catches organisations outside the EU that sell to, or monitor, people inside it. The UK's own version — UK GDPR, sitting alongside the Data Protection Act 2018 — is functionally the same after Brexit.

In plain terms: GDPR gives people real control over their personal information, and puts clear obligations on the organisations holding it. It's the most influential piece of data protection legislation in the world. Brazil's LGPD, California's CCPA, India's DPDP Act — they all borrow from GDPR's playbook.

Key Principles of GDPR

The whole regulation rests on seven principles. Get these right and most of the detail follows naturally.

  • Lawfulness, fairness, and transparency — you need a legal basis to process personal data, and you have to be straight with people about what you're doing
  • Purpose limitation — collect data for a specific, legitimate purpose and don't quietly use it for something else
  • Data minimisation — only collect what you actually need. Hoarding data because it might be useful one day is not allowed
  • Accuracy — keep records accurate and up to date
  • Storage limitation — don't keep data longer than you need it
  • Integrity and confidentiality — protect the data with appropriate security measures
  • Accountability — be able to demonstrate you're doing all of the above

What Counts as Personal Data?

GDPR's definition of personal data is broad on purpose. Anything that can identify a living person, directly or indirectly, counts. The obvious stuff — names, email addresses, phone numbers — but also IP addresses, location data, cookie IDs, and voice recordings. If you can work out who someone is from it, it's personal data.

Then there's "special category data," which gets extra protection: health information, racial or ethnic origin, political opinions, religious beliefs, biometric data, sexual orientation. Processing any of that requires meeting stricter conditions on top of the normal rules.

Individual Rights Under GDPR

The rights individuals get under GDPR are where the regulation has real teeth:

  • Right of access — anyone can ask for a copy of all personal data you hold about them. You've got 30 days to respond.
  • Right to rectification — they can ask you to correct anything inaccurate.
  • Right to erasure — the "right to be forgotten." In certain circumstances, they can ask you to delete their data entirely.
  • Right to restrict processing — they can ask you to stop using their data while a dispute gets sorted.
  • Right to data portability — they can request their data in a portable format and move it to another provider.
  • Right to object — they can object to certain types of processing, particularly direct marketing.

Why GDPR Matters for Businesses

The fines are the part everyone remembers. Regulators can hit you for up to €20 million or 4% of annual global turnover, whichever is higher. The big enforcement actions — Meta, Google, Amazon — have all run into hundreds of millions of euros. Beyond the fines, a breach brings reputational damage, customers heading for the door, and potential class actions from affected individuals.

The real work of GDPR isn't paying lawyers — it's knowing your own data. What personal data do you hold? Why do you hold it? Where is it stored? Who has access? How long do you keep it? Plenty of organisations who started the GDPR exercise grudgingly found that simply mapping their data improved their wider operations. You can't protect what you don't know about.

GDPR and Telephone Payments

Phone payments raise a few specific GDPR problems. The moment a customer reads out their card details, you're processing personal data. If the call's being recorded — and most contact-centre calls are, for FCA or quality reasons — the recording now contains personal data including the card number, the cardholder's name, possibly their address.

Under GDPR, you need a lawful basis to record those calls and store the personal data they contain. You have to tell callers the call is being recorded and why. You have to store the recordings securely, restrict who can access them, and delete them when they're no longer needed.

Recordings with card data in them are the worst of both worlds — GDPR and PCI DSS pulling against each other. PCI DSS wants the data protected (or, ideally, not there at all). GDPR gives the individual a right to have it deleted, which can clash with other record-keeping rules you're under. We've seen UK contact centres tie themselves in knots trying to satisfy both.

DTMF masking cuts the knot. If the card number never enters the recording in the first place, you don't have to secure it there, you don't have to manage access to it, and you don't have to delete it on request. The hardest GDPR-PCI overlap simply goes away.
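The mechanism described above, modelled in Python as an added example (this is illustrative code, not Paytia's platform or any real telephony API). A call is represented as a stream of speech segments and keypad (DTMF) events; while secure capture is active, each keypad digit is diverted into a separate buffer that exists only to be handed to the payment processor, and the recording and the agent's screen receive a placeholder instead. The event names, the `CallRecord` structure and the control phrases are hypothetical, the sample call is constructed, and the card number used is the standard 4111 1111 1111 1111 test number.

```python
"""Illustrative DTMF masking pipeline (added example, not Paytia's code).

Shows why masking removes the GDPR/PCI overlap: with masking on, the stored
recording and the agent transcript never contain the card number, so there is
nothing in them to secure, restrict access to, or erase on request.
"""
from dataclasses import dataclass, field


@dataclass
class CallEvent:
    kind: str   # "speech" or "dtmf"
    value: str  # transcribed words, or one keypad character


@dataclass
class CallRecord:
    recording: list = field(default_factory=list)   # what is recorded and stored
    agent_view: list = field(default_factory=list)  # what the agent sees on screen
    captured_pan: str = ""                          # lives only in the secure channel


# Constructed sample call; the control phrases are hypothetical agent actions.
TEST_PAN = "4111111111111111"
SAMPLE_CALL = (
    [CallEvent("speech", "Thanks, I will take payment now."),
     CallEvent("speech", "<start secure capture>"),
     CallEvent("speech", "Please key in your card number.")]
    + [CallEvent("dtmf", d) for d in TEST_PAN]
    + [CallEvent("speech", "<end secure capture>"),
       CallEvent("speech", "Got it, one moment.")]
)


def luhn_ok(pan: str) -> bool:
    """Checksum used to validate the digits collected in the secure buffer."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def process_call(events, masking: bool) -> CallRecord:
    """Route each event to the recording, the agent view, or the secure buffer.

    masking=False reproduces the problem the text describes: every keypad
    digit lands in the recording and on the agent's screen.
    """
    rec = CallRecord()
    capturing = False
    for ev in events:
        if ev.kind == "speech":
            if ev.value == "<start secure capture>":
                capturing = True
            elif ev.value == "<end secure capture>":
                capturing = False
            rec.recording.append(ev.value)
            rec.agent_view.append(ev.value)
        elif ev.kind == "dtmf":
            if masking and capturing:
                rec.captured_pan += ev.value   # secure channel only
                rec.recording.append("[masked]")
                rec.agent_view.append("*")
            else:
                rec.recording.append(ev.value)  # the digit is now personal data on disk
                rec.agent_view.append(ev.value)
    return rec


def digits_in(parts) -> str:
    """Concatenate every digit that appears in a recording or transcript."""
    return "".join(ch for part in parts for ch in part if ch.isdigit())


def hand_off_to_processor(rec: CallRecord) -> str:
    """Release the buffered PAN and keep only the last four digits locally."""
    if not luhn_ok(rec.captured_pan):
        raise ValueError("captured digits fail checksum")
    last4 = rec.captured_pan[-4:]
    rec.captured_pan = ""   # nothing retained once the processor has it
    return last4


if __name__ == "__main__":
    masked = process_call(SAMPLE_CALL, masking=True)
    print("PAN in masked recording:", TEST_PAN in digits_in(masked.recording))
    print("last four:", hand_off_to_processor(masked))
    unmasked = process_call(SAMPLE_CALL, masking=False)
    print("PAN in unmasked recording:", TEST_PAN in digits_in(unmasked.recording))
```

Running `process_call` with `masking=False` shows the failure mode the page warns about: the full card number is reconstructible from the stored recording and is visible to the agent. With `masking=True` the only copy of the number sits in the short-lived secure buffer, and `hand_off_to_processor` discards it after release, which is the data-minimisation outcome the section describes.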

Practical Considerations

  • Map your data. You can't comply with GDPR if you don't know what personal data you hold, where it lives, how it moves, and who can see it.
  • Have a lawful basis for every type of processing you do. Consent is one option, but it's not the only one — legitimate interest, contract, legal obligation, and a few others are all valid.
  • Write privacy notices people can actually understand. If your customers need a law degree to work out what you're doing with their data, you're failing the transparency test.
  • Build a process for handling data subject requests. The 30-day clock starts the moment they ask, not the moment you get around to it.
  • Train your staff. GDPR isn't an IT problem. Everyone who handles personal data — agents, support, marketing, HR — needs to know what they're doing.
  • If you process serious volumes of personal data, appoint a Data Protection Officer. For many organisations it's a legal requirement, not a nice-to-have.

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates GDPR as part of its thorough security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What is GDPR?

GDPR is the General Data Protection Regulation — the UK and EU data protection law in force since May 2018. It governs how organisations collect, store, process, and share personal data of anyone in the UK or European Economic Area, and grants individuals strong rights over their own information.

Why is GDPR important for PCI DSS?

GDPR and PCI DSS overlap whenever you process card data, because card details are personal data. The two regulations push in roughly the same direction — protect the data, limit who can access it, delete it when you don't need it — but they have different enforcement bodies and different penalties, so you have to satisfy both.

How does Paytia handle GDPR?

We're built around data minimisation, which is GDPR's most important principle in practice. Card data is captured straight from the customer, encrypted, and sent to the payment processor — it never sits in a recording, a CRM, or an agent's notes. That removes the hardest part of the GDPR-PCI overlap for our customers.
