We know that Data Protection isn’t exciting or going to be high on the list of your things to do, but with a new law being implemented on 25th May 2018, it’s something we all need to get to grips with.

What is this law?

This is the new General Data Protection Regulation or GDPR, as it is often better known.  It is a regulation that has been implemented by the EU and basically gives your customers more protection over their personal data.

Although it is an EU regulation, it automatically becomes UK law and therefore MUST be complied with. Even after Brexit, the Government has said that it will be transferred properly to UK law.

Therefore, you cannot ignore it.

Why does it affect me?

If you collect any data or information about your customers, use it for marketing or share it with anyone then it applies to you. This includes any personal data including name, address, telephone number, email address or date of birth.

It doesn’t matter if you have 1 client or 10,000; if you collect any personal data, it affects you.

OK, so do I need to delete everything?

The simple answer is no.

You are allowed to keep data on your customers if there is a legitimate business reason, for example keeping records for tax purposes or for customer safety. It could be argued that you should keep records because of the kind of treatments that are being carried out on your customers.

Can I still market to my customers?


BUT, and it is a very big but, you must have consent from each of your clients to be able to send them any marketing. You must NOT assume that your customers are happy to hear from you. We have all been annoyed when we have received emails from companies that we didn’t want.

Your messaging to your clients has to be clear and transparent, and you must explain why you are collecting that data and what you are going to use it for. You must also record that the customer has given their consent. Perhaps this would be a good opportunity for you to update your customer records and ask them to re-sign a consent form that has a box on it specifically relating to marketing consent.

I use an email marketer, does that matter?

No. Marketing is marketing.

Using Mailchimp, Constant Contact, Infusionsoft or any other similar company that sends out your marketing emails for you can actually make your life easier. You should be able to set up an email sequence that will mail everyone on your mailing list and ask them to confirm that they still want to receive emails from you.

I store everything in the cloud, is that included?

Storing data in the cloud is fine; however, it would be wise to make sure that your passwords are as secure as they can be.

You would need to make sure that whichever company you use, whether it be GDrive, Dropbox, Mailchimp or any other provider that holds your data, can demonstrate that they are GDPR compliant. This is especially important as all of the companies mentioned in this blog are based outside the EU and some companies may not be aware of the regulation changes.

Does this mean my customers have extra rights?

Yes, the main purpose of this legislation is to protect consumers more.

Customers have the right to know what information you hold on them and what you are doing with the data.

If they request to see the data you must supply it within one month and must not charge for providing it.

Customers can withdraw their consent to be marketed to or for you to hold any information on them. Part of this can be easily solved by having an unsubscribe button on your emails.

If they ask for their data to be removed, it can be, but importantly this excludes billing data if they owe you money.

Is there anything else?

Unsurprisingly yes!

It is recommended that you document what information you are collecting, why you are collecting it, and how and where you are going to use the information.

GDPR also affects the information that you keep on your staff and also may affect some wording in staff contracts. We would recommend that you consult an HR expert to ensure that they are up to date.

It would also be worth checking the privacy policy on your website to see if it needs updating with regard to GDPR. Your privacy statement should outline exactly how you deal with customer data and how it will be used. If it is not clear, or you do not manage the data in accordance with your policy, you are increasing the risk of breaking the regulations.

Make sure that your staff are all aware of the new regulations and that they know what to do, including if a breach happens.

What happens if there is a data breach?

Under GDPR a data breach ranges from an unauthorised person viewing data that they shouldn’t, to your computer being hacked, to having your laptop stolen.

Regardless of how minor the breach is, it is best to record it and inform the Information Commissioner’s Office (ICO). It is always better to own up, as you could face a bigger fine or an investigation if you don’t.

You also have only 72 hours from being made aware of a breach to informing the ICO.

What happens if I don’t comply?

Failing to comply with this law could result in fines of up to €20 million or 4% of your global turnover.

Whilst it is unlikely that you will get the full fine, making sure that you have done everything you can is in your and your company’s best interest.

This all sounds rather scary!

All changes can be scary, but if you break it down into bite-sized chunks, everything will get done in the end. The important thing is not to ignore the change, as ignorance is no defence in law!

In a nutshell, you must ensure that customer information:

  • Is processed securely
  • Is updated accurately and regularly
  • Is limited to what you actually need
  • Is only used for the purpose for which it was collected
  • Is only used for marketing if the customer has given you consent to do so

Where can I get more information?

Information Commissioner’s Office