The EU General Data Protection Regulation (GDPR) was supposed to close up the loopholes that existed in local data protection regulations of the EU member states. It has even been described as a super law that would forever protect the citizens of the member states.

Britain has had for many years the Data Protection Act (1998) that was supposed to do this anyway but did it.
One of my superiors used to say that for every problem there is a quick simple and usually wrong solution.
The GDPR, by contrast, took a long time to put in place, (well it would with 27 signatories all having to examine it in minute detail). The trouble was the devil was not so much in the detail when it came to finding problems but rather the review allowed the legal people to spot the errors, without fixing them. In other words leaving a get out clause that a coach and horses could drive through.

So you can be refused access to essential information regarding (for example) a relatives financial or medical condition, even if you have their permission.
But DVLA still sell your details to private clamping firms even when they may be breaking the law in clamping people illegally as another example.
It appears regardless of endless examples of where the act is used in ways outside its ambit the one exact reason it was written in the first place is clearly not enforced and there must be a clause they are using to wriggle out of what the law was written for.

This is a law pretty well not be applied as written.
There is a rule of statutory interpretation called ‘The mischief rule’ ie when not sure the judge looks to see why the law was written.
I can answer that, “To prevent third parties accessing our private information without consent or legal authority”.

Selling an insurance claimant’s details on is a typical example of this, if the judges have apparently found a reason not to enforce this there must be some collusion (or corruption perhaps) in the findings in favour of government or private groups.

So for example the DVLA :
Government passed an Act that supercedes certain protection under the DPA and GDPR. When DPA was passed they did not forsee the huge uses that databases could be put to for security and law enforcement. As with terrorism the Government is very keen to remove all privacy protection from the vast number of law abiding citizens in the hope that a few lawbreakers will be apprehended.
It will give the powers that be the benefit of the doubt in saying that possibly it was mainly intended for police and vehicle taxation checking. But they eventually realised there was a source of extra cash from the clampers paid for by motorists.

The reasoning: DVLA manages a vast amount of data to help keep Britain’s motorists moving safely and legally. DVLA provides information to the police, local authorities and controlled release to third parties who offer a host of practical motoring benefits. DVLA acts responsibly and in accordance with legislation in all data release matters. (Allegedly)

A further clause in the act was made to be able to release non-personal information.
Some of the non-personal information is available for commercial re-use or academic research. This re-use is strictly controlled under the Information Fair Trader Scheme (IFTS). IFTS is the best practice model for public sector bodies wishing to demonstrate compliance with the Re-use of Public Sector Information Regulations 2005.
IFTS ensures that re-users of public sector information can be confident that they will be treated reasonably and fairly by public sector information providers and that information released meets with legislative requirements and best practice. The main themes are improving transparency, fairness and consistency of approach.

In other words:- It is okay to sell or give way your data without your explicit permission as long as you have the ability to review it and demand changes (but not deletion) in order to correct inaccuracies, of this information, both held for and distributed to interested parties.

Sounds like a plan!