Privacy - Our approach to privacy and the EU's General Data Protection Regulation (GDPR)



Our benchmark for operations around the globe

As a world leader in customer data science, we place privacy at the heart of our business. We have extensive privacy-related policies, processes and controls in place and have adopted GDPR as our benchmark for operations around the globe.

We have reviewed our governance, policies and practices to ensure they meet GDPR standards. Our business-wide programme follows the principles outlined below:

Best practice

We have adopted GDPR as our global standard. Every client we work with around the world will benefit.

It's our clients' data

We will always respect our clients' wishes with regard to use of their data, whether acting as a data processor or data controller.


We maintain the highest standards when it comes to our security measures and continually review our security practices.


We consistently minimise the amount of identifiable data and other sensitive data types we hold.


We only process data that is necessary for us to provide services to our clients.


We hold data only for as long as we need it. We will always agree retention rules with our clients.

Individual rights

We have stress-tested all of our solutions to ensure we have the capability to honour all individuals' rights under GDPR, e.g. the right to erasure and to portability.

Supply chain

We will be transparent with clients about our supply chain. We always expect our suppliers to meet the same rigorous standards that we set for ourselves.

Our client relationships

Our practices are there to help make clients' data compliance as simple as possible.

Ten facts about GDPR

  • 1. Start date

    It came into effect on 25th May 2018.

  • 2. Evolution, not revolution

    It is a refresh of existing EU data protection laws, updated for the digital age.

  • 3. Forget “PII” (Personally Identifiable Information)?

    GDPR applies to any information relating to identifiable people, known as “personal data”. This definition is now much broader than it was under the Data Protection Act and includes digital identifiers such as emails, cookies and device IDs, circumstances where individuals can be singled out and pseudonymous data. Consequently, the concept of anonymity has been narrowed.

  • 4. Service providers are regulated

    GDPR applies to service providers (processors) who process data on behalf of others (controllers). Before GDPR, only controllers had legal obligations.

  • 5. Data is global, so GDPR is global

    GDPR applies to any organisation that processes personal data in any EU state, sells goods or services in the EU or monitors individuals located in the EU.

  • 6. Accountability and transparency

    GDPR requires justification for the processing of personal data, such as genuine customer consent or a legitimate business interest. Mere interest is not enough.

  • 7. Power to the people

    GDPR introduces new rights for individuals, such as a right of erasure and a right to portability. People now have far greater control over use of their data than ever before.

  • 8. Profiling is covered

    GDPR expressly covers the profiling of individuals. For example, individuals have the right to opt out of direct marketing and (importantly) all related profiling.

  • 9. Consumer awareness of data privacy issues is increasing – GDPR reinforces this trend

    Individuals have the right to know how their data is used, and EU regulators also have new audit powers.

  • 10. The consequences of making mistakes are greater than ever

    The statutory fines under GDPR (up to 4% of global turnover) have been grabbing headlines, but perhaps more interesting is the power consumer interest groups now have to enforce rights on behalf of individuals.

How we're helping our clients with data privacy

In addition to ensuring that we continue to meet the highest data privacy standards, we’re committed to helping our retailer and brand clients with their own data compliance.

We have a proven track record in helping organisations bring together and manage enterprise-scale offline and online data assets to create value for customers. As a data processor, we build in privacy safeguards from the start, minimising your compliance challenge whilst maximising your return on investment.

We offer solutions ranging from mapping, inventorising and organising your data assets through to systems issues such as pseudonymisation, applying retention periods across disparate assets or the erasure of an individual customer’s data.

Contact us to find out how the global expertise of our data consultants could help to solve your technical data challenges.


Ready to get started?

Speak to the dunnhumby team today
