In a nutshell (and in case you’ve heard a lot about it already), GDPR is a new data protection regulation put in place by the ICO that will alter how businesses and public-sector organisations handle customer data, in order to prevent spam, increase safeguarding and ensure customer consent to communications. The current Data Protection Act was created in 1998 and is simply outdated given the vast increase in digital media; therefore the European General Data Protection Regulation (GDPR) was agreed upon and will come into force on 25th May 2018. It’s important to note that it will still apply in the lead-up to Brexit, as the UK is still a member in 2018.


Elizabeth Denham, the UK’s information commissioner, who oversees data protection enforcement, explains, “GDPR is a step change for data protection,” so there is no real need to worry. If your business is already compliant with the existing data protection regulations, it is just the next step in protecting customers, but if you do not comply with GDPR by May, fines can range between 2-4% of your global turnover – no matter how big or how small your business. We have compiled a list of some of the key points to be aware of from a marketing perspective, in order to be compliant by May this year and prevent those nasty fines!


Business cards – a thing of the past

In this digital age, you must be able to prove that the consumer has a legitimate interest and has provided consent to have their data collected and stored, or to receive communications from your business. Therefore, business card information from someone you’ve met at a networking event cannot simply be added to a database.


Opt-in, be honest

This is the end of the pre-ticked box! Tell it all, tell it fast and tell the truth. You must state clearly what you intend to send to consumers, how you will communicate with them, what you will collect from them and how long you will hold their information – honesty is the best policy and it will protect your business. Most important of all, the consumer must be given a way to opt in; they can no longer receive communications without legitimate consent.


The Chartered Institute of Marketing advises that a typical opt-in message looks like, and includes, the following:

  • Link to sample of communications – “receive case studies, news, hints and tips from experts and occasional special offers with our quarterly e-newsletter *insert link to sample*”
  • Tick-box – “please send me information about services and new products from *insert company name*” and list all forms of communication that you will provide, including post (and even fax if you still use it), email, telephone, with a tick-box inserted next to each.
  • Confidentiality promise – you must reassure your customers that you will not sell their data or pass it on to third parties, and promise to keep their details safe and secure. Also, let your customers know if you have cyber-protection measures in place.
  • Clear opt-out – “you can change your mind at any time by emailing unsubscribe@…”
  • Full disclosure on the data held with link to privacy statement – “for further details on how your data is managed, used and stored please visit: *link to privacy statement*”


Accountability is key

There are six principles of processing data, and they must be followed to meet compliance. Data must be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and where necessary, kept up to date
  • Retained only for as long as necessary
  • Processed in an appropriate manner to maintain security


Penalties for non-compliance are harsher

Previously the maximum fine for a breach was £500,000. Under GDPR, fines increase under a two-tier structure: less serious incidents could result in a maximum fine of either £7.9 million or 2% of your business’s global turnover, whichever is greater, and for more serious offences the new maximum fine is up to £17.9 million or 4% of turnover, whichever is greater. It’s not worth risking!

Don’t shy away from social media

So far, the safer way to communicate with clear consent is actually on social media! Followers give their consent to your communications when they actively seek out and follow your social media channels.


Remember, the size of your business is irrelevant: GDPR is based on the sensitivity of data and how likely it is to leak, so don’t risk your reputation – comply with GDPR. For more information about the ICO visit or for their guide on helping SMEs achieve compliance visit  Alternatively, if this sounds like something you would like our support with when it comes to marketing, give us a call on 01925 963 651.