GDPR & What this means for your business

GDPR – What You Need to Know

The General Data Protection Regulation, or GDPR, is about to overhaul how businesses process and handle data. From May 25th, 2018, GDPR will be enforced by data protection regulators across Europe. It’s set to change how businesses and public-sector organisations handle the information of their customers.

What is GDPR

GDPR is Europe’s new framework for data protection laws. It will replace the previous 1995 data protection directive, which current UK law is based upon. According to the EU GDPR portal, the law is ‘designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.’

In short, GDPR is set to tighten up the rules and regulations regarding how we collect and store data, including email addresses. There is more to consider for email marketing, including:

Stricter regulations for getting consent

Put simply, you now need to be very specific and very clear when collecting opt-in data. If you are offering some form of download or lead capture, you need to be crystal clear that you are also going to be following up with people and ensure they consent to that too. If you are collecting emails through the purchasing process, for example on an ecommerce checkout page, you must have an unticked checkbox that gives you permission to follow up. Permissions as of the 25th of May must be explicit and can no longer be vague.

No more of this: “You must not untick this tick box to opt into our opt-out process for marketing communications.”

New requirements for record keeping

As part of the new data protection laws, companies must also keep records of how people opted into email lists. This information should be available within your email service provider. However, it is definitely worth taking a look to see where this information is stored, and it is a good idea to keep screenshots of web pages where you’ve had opt-in forms in the past.

Current Data

This is probably one of the scariest changes for business owners. GDPR law states that all previous data collected has to have been collected using the new rules. Many companies have already started re-engagement campaigns to encourage customers to opt in once more and get these reconfirmed to abide by the new GDPR laws.

The risk of not complying – up to €20 Million

The fines for not complying with the new GDPR rules are hefty: 4% of annual turnover is the risk you run for not being compliant. However, authorities will be reliant on customers reporting non-compliance, so it is more likely that there will be a bigger focus on the more serious violations. If you have grown your email lists organically and never been in trouble for spamming, this should not seem too scary. However, if you have ever bought or data-scraped any emails unethically, then that is likely going to come back to bite you, and we would strongly advise you to prepare a re-opt-in campaign very quickly.

Other useful tips to avoid GDPR fines include:

  • Organising your data

Store all of the data you have on your employees, suppliers and customers in an organised fashion. This way, should a person, colleague or customer contact you asking what data you hold on them, you are able to access it as quickly and accurately as possible. Doing this will also be hugely beneficial should your business ever be investigated.

  • Data Security

Ensure that you have measures in place so that the data you have stored is safe and there is no way that it could be leaked, hacked, misplaced or stolen. Consider things like password protection, anti-virus software on all devices, and whether, if any of your devices were stolen, there would be a way to wipe the data saved on them. It’s also worth keeping a document that records exactly what safety measures you have in place; this will prove invaluable should you ever be investigated.

  • Don’t hold onto data unnecessarily

A big part of the new GDPR laws is that you cannot hold onto a person’s data if you are not 100% sure of what you intend to do with this data. Unless you have a reason for holding onto information, we would recommend deleting unnecessary data.

  • Processes

If a person asks what information you hold on them, the new law states that you must provide this within 30 days. Similarly, should a person request that you delete any data you have on them, you will also need to do this. It’s therefore advisable that, prior to the GDPR deadline, you set up processes to ensure this can be done correctly and monitored accordingly.


Useful links

The full General Data Protection Regulation (GDPR) regulation:

ICO’s guide to GDPR:

EU GDPR – The Union’s official website:


Disclaimer: We are not legally trained. This is just our interpretation of the new GDPR regulations using the information provided in the links above and other resources. Please do your own research to ensure you are compliant with the new data protection laws.
