The General Data Protection Regulation (GDPR) is a European Union regulation that will replace the current Data Protection Directive. The GDPR will apply from 25th May 2018.

The GDPR seeks to strengthen and introduce a harmonised framework for the protection of personal data. The Data Protection Bill is designed to modernise the UK’s data protection laws for the digital age. It will align UK law with GDPR. The Bill will also make provision under UK law envisaged by the GDPR and extend the GDPR’s coverage into areas where GDPR would not otherwise reach.

GDPR applies to personal data. This means any information relating to an identified or identifiable living person.

The following data will be protected by the new law (note that this is not an exhaustive list):

  • Name
  • Date of birth
  • National Insurance Number
  • Address
  • Location
  • IP address
  • Online identifiers, such as cookies
  • Race
  • Ethnicity
  • Political opinions

Whilst we do not process all of the types of personal data above, it is of utmost importance that we protect personal data and provide greater transparency on how we use personal data.

In the lead up to 25th May 2018, we will be working to ensure we are compliant with the new law, providing you with further detail on documents such as our Privacy Policy and ensuring you are kept informed of any changes.

Who does GDPR apply to?

GDPR will apply to businesses that process personal data. Depending on the circumstances, we act as a ‘controller’ and/or ‘processor’ of personal data. Therefore, we have the responsibility to tell you how and why your personal data will be processed. In addition, we have the legal responsibility to ensure our records meet the requirements of the new law. We may use relevant companies to provide products and services where data may be passed to a third party to process (for example, Santander or another banking provider that provides the bank accounts for your products).

What will GDPR mean for me?

GDPR helps to provide greater protection and transparency in relation to the processing of personal data.

Processing personal data includes any activity undertaken by James Hay that affects personal data such as (but not limited to):

  • obtaining personal data in paper or electronic formats
  • recording and storing/holding the data (whether electronically or on paper)
  • organising the personal data
  • accessing the personal data held
  • altering or deleting the personal data
  • transmitting the personal data to another firm or individual
  • deleting or destroying personal data held (e.g. paper archive destruction, system record deletion etc.)

Will the UK’s decision to leave the EU affect GDPR?

No. The GDPR came into force during May 2016 and will apply from 25th May 2018, which is before the UK leaves the EU. The European Union (Withdrawal) Bill is currently drafted to confirm that direct EU legislation that applies before the UK leaves the EU (which would include GDPR) shall apply on and after the UK leaves the EU. More specifically, the Data Protection Bill will also include provisions of the GDPR as part of UK law. We will review any changes to legislation and provide further updates, if required.

What personal data does James Hay process?

To enable us to administer products for our investors, we need to process personal data, including name, address, date of birth, National Insurance number and bank account details. In addition, as a company, we will also process similar personal data relating to employees of the firm.

Summary of the


When does the regulation start?

25th May 2018

What does this mean for me?

GDPR requires more transparency in terms of data capture and consent to share your data.

What personal data do we process?

We process personal data, including (but not limited to) name, address, date of birth, National Insurance number and bank account details.

Will this be impacted by our departure from the EU?

The government has confirmed that the UK's decision to leave the EU will not affect the commencement of GDPR.