GDPR and the SEC Group: Frequently Asked Questions

As you will no doubt be aware, GDPR took affect on 25th May 2018. We already operated in accordance to existing data protection laws however we've worked hard to ensure that the SEC Group is GDPR compliant.


As a business-to-business organisation we didn't take a relaxed "doesn't matter" attitude towards GDPR and your data. Because your data is exactly that, yours. So we've put together this FAQ blog to help you understand how we collect, process and use your personal data. And if you have any more questions, we have a dedicated Data Protection Representative, so get in touch to find out more.


The legal bit. The below does not constitute legal advice about GDPR or data protection law. If you have queries relating to your own organisations data protection compliance, you should engage with a data protection expert. 

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a new European Union Regulation (Regulation (EU) 2016/679) concerned with the protection and free movement of personal data and the rights of individuals, including children. It replaces the EU Data Protection Directive (95/46/EC) from 1995 and the UK Data Protection Act 1998, which was enacted to bring British law in line with the above Directive.



2. What does the GDPR affect?

The GDPR covers the processing of all personal data, not just marketing data. It applies to organisations located within the EU and organisations outside of the EU, that process the data of EU data subjects (i.e. you!)



3. But we voted Brexit, surely it doesn't apply?

The UK government has confirmed that when the UK leaves the EU on 29th March 2019 that GDPR will be adopted into UK law, so from the 25th May 2018 all businesses have to be GDPR compliant.



4. What is personal data?

Any information related to a person or “Data Subject”, that can be used directly or indirectly to identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. It is also important to remember that data points which by themselves cannot identify a person but can when combined all become personal data.



5. But my business data isn't personal?

If you think that, then great, however, GDPR does not distinguish between what is commonly known as business-to-consumer (B2C) or business-to-business (B2B). Although the SEC Group is a business-to-business organisation, we still have to comply with the GDPR and treat your data in accordance with this new law.


Back to the Top ^

GDPR is the EU General Data Protection Regulation which comes to affect on 25th May 2018. It affects the processing of all personal data, including your business contact details.

6. How does the SEC Group process my data?

The SEC Group needs as part of its business activities to gather, store and use information about data subjects. These could include prospects, customers, suppliers and networking associates. Under GDPR, there are 6 legal bases for processing data. Following a significant data audit, the SEC Group currently processes data under the following basis:


  • Article 6(1)(b) – Contract
    • Where we need to perform a contract we have entered into with you
  • Article 6(1)(c) – Legal Obligation
    • Where we need to comply with legal obligations
  • Article 6(1)(f) – Legitimate Interests
    • Where it is necessary for our legitimate interests (or those of a third party) and your interests and the fundamental rights do not override those interest. One form of legitimate interest is Direct Marketing.


More information on how we process your data can be found in our Data Management Policy and Privacy Notice, which is available upon request.



7. What data does the SEC Group hold on me?

As a business-to-business organisation, we hold very little data on you, particularly that which could be classed as sensitive. The data that we will hold, we will ensure is processed in accordance with GDPR. This will include to process it lawfully, fairly and transparently, as well as for specific, legitimate purposes and confined to what is necessary.


We therefore are likely to hold the following data on you:


  • Personal contact details such as name, job title, address, telephone numbers and email addresses
  • Gender (e.g. Mr, Mrs, Dr.)
  • Enquiry details
  • Unique IDs (generated by systems such as our ERP and digital marketing software)


If you are a supplier or contractor that is a sole trader, we may hold your tax and bank details.

Back to the Top ^



8. But it is all about consent! You need my consent to process my data!

To put it bluntly, no! There are a lot of myths surrounding GDPR and the necessity to need consent in order to process your data. But this isn't true.


GDPR sets out under Article 6 that personal data can be processed using the following lawful basis:


  • Article 6(1)(a) – Consent
  • Article 6(1)(b) – Contract
  • Article 6(1)(c) – Legal Obligation
  • Article 6(1)(d) – Vital Interests
  • Article 6(1)(e) – Public Task
  • Article 6(1)(f) – Legitimate Interests


The above lawful basis are not in any order of importance. Therefore, any basis can be used for any processing , providing we comply with the accountability principle in Article 5(2). See question 6. How does the SEC Group process my data? on how we process your data.



9. GDPR, B2B Direct Marketing & PECR

As a business-to-business organisation, we thought we'd also let you know how we are able to process your data, specifically for Direct Marketing purposes. Firstly, Direct Marketing is specifically identified as a form of Article 6(1)(f) – Legitimate Interests in GDPR, providing a Legitimate Interest Assessment (LIA) is carried out (our assessments are available on request).


Secondly, a law called PECR in the UK will still apply and sit alongside GDPR. The EU ePrivacy Directive was transposed into UK law as PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003). Currently, PECR provides a defined exclusion from opt-in requirements for B2B communications.


The EU are intending to replace the ePrivacy Directive with the Regulation on Privacy and Electronic Communications (RPEC). However until RPEC is added to the UK statute book, PECR will continue to apply, regardless of the implementation of GDPR.


So in conclusion, until such time as The Regulation on Privacy and Electronic Communications adopted into law, the UK’s PECR remains the de facto legislation that governs consent requirements for marketing communications. Within the UK, B2B telemarketing, direct mail and email marketing need to offer an opt-out, and do not require an opt-in.


We appreciate that is perhaps a lot to take in, but, do contact us if you have any further questions.



10. I have some questions. What do I do?

As defined in GDPR, the SEC Group does not require to appoint an official Data Protection Officer. However, as we are committed to your data privacy, we have appointed a Data Protection Representative. This representative is the first point of contact where all personal data queries should be directed. At present our Data Protection Representative is Dean Kahl. You can contact him on the office switchboard at 01438 731992 or using the contact form below.


Back to the Top ^

Contact us with your data privacy queries...
If you have any queries relating to our GDPR compliance, the personal data we process or wish to obtain copies of our official data privacy documentation, please submit a form enquiry and we'll get back to you...

Please read our Privacy Notice and Cookie Policy to find out how we will process and use your data.