Skip to content Go to accessibility help
We use cookies to keep our websites easy to use and relevant to our users’ requirements and to enable us to learn which advertisements bring users to our website. Select Accept below if you wish to proceed or How to change your cookies for instructions on how to manage your cookie settings. Find out more about our Cookie Policy.


Do you always know how your data is being used and protected by the companies you’re giving it to? Many of us don’t. As technology develops and data sharing becomes more common, data protection is becoming more and more important. That’s why new legislation known as GDPR (General Data Protection Regulation) is being enforced on the 25th May. This will replace the existing Data Protection Act.

Find out below what exactly this means for you as a customer.

What is GDPR and why do we need it?

As technology develops and our private data is being used and shared in countless new ways, people are understandably becoming increasingly worried about security.

There are two key reasons why GDPR is being introduced – to bring all EU member states under one common regulation, and to update regulations to reflect our new digital age.

Different countries in the EU follow different rules and regulations when it comes to data sharing and privacy, which can get quite confusing when data is being shared between people and companies in different countries. GDPR will be enforced across all 28 EU member states, meaning everyone is following the same rules!

In the UK, companies are still following the 1998 Data Protection Act to ensure the safety of people’s data. But technology and data sharing has developed a lot since 1998. This means that the current regulation may not be entirely suitable for the needs of consumers and the types of technology we’re seeing today. GDPR will replace the Data Protection Act to better protect our data from breaches and hacks.

This is great news, considering huge companies like XBOX, Gmail, Uber and Three all experienced major data breaches last year. In fact, the UK government reports that 46% of all UK businesses have identified at least one data breach or cyber attack in the last 12 months, and that bigger companies (those making a profit of over £2million a year) are the most likely to identify a breach.

What data does it protect?

When people talk about technology and digital developments, there’s always a focus on data. But what data do they mean? GDPR aims to protect any personal data a company holds about you – including your name, address, email address, images, social networking accounts, IP address or medical history.

It will also cover more sensitive data such as your sexual orientation, your genetics, your political views or any trade union memberships.

Read our Fair Processing Notice for more details on how we use and manage your personal data.

How will it affect UK businesses?

Essentially, GDPR will affect everyone in all 28 EU member states, from businesses big and small, to customers and consumers.

When it comes to implementing GDPR, the biggest changes will be seen by businesses rather than consumers – since they’re the ones who will have to adjust the way they handle data to align with the new legislation.

There are hefty penalties for those who don’t comply, including a fine of up to €20 million or 4% of the company’s total profit. Any data breach also needs to be reported to the relevant authorities within 72 hours, and if there’s a risk involved to the data subject (i.e the people the data concerns) they’ll have to inform their customers too.

How will GDPR affect me?

While businesses will have to make changes to their data policies in preparation for the new regulations, consumers don’t have to do anything in particular to prepare.

That said, individual consumers will probably still notice some changes. You’ll probably find that when you buy products online or sign up to newsletters, there will be more obvious checkboxes relating to how the company can use your data – for example to send you emails, or share data with a third party.

However, GDPR also gives you a number of ‘rights’ when it comes to your data, including:

The right to be informed – you have a right to know how your data will be used by a company.

The right to access your personal data – you can ask any company to share with you the data they have about you!

The right to rectification – this just means you can update your data if it’s inaccurate or if something is missing.

The right to erasure – this means that you have the right to request that a company deletes any personal data they have about you. There are some exceptions, for example, some information can be held by employers and ex-employers for legal reasons.

The right to restrict processing – if you think there’s something wrong with the data being held about you, or you aren’t sure a company is complying to rules, you can restrict any further use of your data until the problem is resolved.

The right to data portability – this means that if you ask, companies will have to share your data with you in a way that can be read digitally – such as a pdf. This makes it easier to share information with other companies, such as your bank details when applying for a loan.

The right to object – you can object to the ways your data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.

Rights in relation to automated decision making and profiling – this protects you in cases where decision are being made about you based entirely on automated processes rather than a human input.

Whether or not you exercise your new rights is up to you – the main thing to remember is that they’re there if you need them.

Our Fair Processing Notice

Like all UK and EU companies, we will also be moving to GDPR to make sure your data is as safe as possible.

Our Fair Processing Notice explains how we use your personal data, describes the categories of personal data we process and for what purposes. We are committed to collecting and using such data fairly and in accordance with the requirements of the GDPR.

This is a summary of our Fair Processing Notice. You can read the full version here. This will become effective from 9 May 2018.

Who we are

Clydesdale Bank PLC trades using the brands Clydesdale Bank, Yorkshire Bank and ‘B’. Our Fair Processing Notice explains your privacy rights and how we gather, use and share information about you. You can get in touch with our Data Protection Officer by email at or by post at Group Data Protection Officer, Group Risk, Level 3, 51 West George Street, Glasgow G2 2JJ. See sections 1 and 2 for more details.

Your rights

You have the right to object to how we process your personal information. You also have the right to access, correct, sometimes delete and restrict the personal information we use. In addition, you have a right to complain to us and to the data protection regulator. Find out the best way to be in touch with us at:

Section 3 gives you more information about your privacy rights.

How we gather personal information

In addition to the information you provide to us directly, we collect personal information in a number of ways for example from third party credit reference agencies and from looking at how you have used other products and services we offer. Sometimes for your safety and for legal reasons we collect personal information by recording and monitoring calls and from CCTV. We also record calls for training and quality control. See section 5 for more details about how we gather personal information.

How we use your personal information

We use your personal information to provide you with products and services (including credit checks), to comply with the law and enforce our legal rights (including debt recovery), and to improve and market our products and services. Sometimes we use automated processes to make decisions about you and to profile you. Sometimes we need to use sensitive personal information such as medical details to make available products you have requested and to give you the best service. Find out more about how we use your personal information in sections 6 and 7.

Our products and services

We need some personal information before we can provide our products and services to you, for example to allow us to check your identity. In some cases we won’t be able to provide products and services to you if we don’t have all the personal information we need. Find out more in section 7.

Sharing and transferring personal Information

We share personal information with our suppliers and other third parties where needed to provide you with the best service. We also share personal information with regulators, other banks and law enforcement. Sometimes we transfer personal information to other countries outside the UK for these purposes, where suitable protection is in place. Sections 9 and 10 will give you further details about this.

Keeping personal information

We keep your personal information securely for as long as we need to for the purposes described in section 11 of the Fair Processing Notice.

Your consent

Sometimes we need your consent to use your personal information (for example for marketing). We won’t always need consent to use personal information – for example if we need it to meet regulatory requirements or to perform a contract with you. Where you have given us consent, you have the right to withdraw it at any time. See sections 12 and 13 for more details.

Our partners

We want the best for our customers and sometimes we work with other companies to offer you the best products and services. With your consent, we or our partners will contact you to let you know about products or services from our partners where we think that will save you money or make your life easier. See section 6 ‘How we use your personal information’, clause 6.10 for more information about our partners.

You are here:  Personal Banking  >  Ways of banking  >  Help and support  >  GDPR Hub