(GDP) R you doing anything? Part 1

New research by the Federation of Small Businesses shows that the SME sector is less prepared than others for the changes, with more than half of businesses having little or no understanding of the GDPR, and one in three having not yet started their preparations.

I have been talking a lot about GDPR recently, whether that's with my clients or at networking events, aided by my 3 GDPR monkeys and their smiley friend :

More of them in a minute.

I'm not saying I am a stickler for the rules, but I am very keen on making sure my clients can continue to market to their customers.

So I've spent quite a bit of time working with various industry bodies to make sure my of understanding of the legalities and I can provide the best possible support to my clients. After-all, I want them to succeed and continue to grow.  But here's the disclaimer : I am not a lawyer, so please do not take any of this as legal advice. 

So what is GDPR? 

The General Data Protection Regulations (GDPR)  is new EU data protection legislation, which will supersede the Data Protection Act 1998 on 25 May 2018. As well as tougher fines for non-compliance and breaches, it aims to give people more say over what companies can do with their data. By making data protection rules more or less the same in the EU, it should also make it easier for businesses. The last data protection legislation was also made before the explosion of the internet, so the new legislation wants to address this too. However, GDPR doesn't just cover emails and technology. Whatever you're filing, the notes you make on the phone, the form you get someone to fill in when they come in - that's all covered by GDPR. 

And in case you're thinking Brexit here, the Government have made it clear they will still implement this legisation. . 

So will it apply to you? Quite simply, if you process personal data on any EU residents then this applies to you. They could be a customer, supplier or even a member of staff. 

What do we mean by personal data?

It's items such as name, age and address as well as more sensitive items such as medical history, bank details and criminal convictions. Even IP address, which can be linked back to an individual in a company are covered here. 

I'm sensing the first monkey emoji coming.....

hear no evil emoji.png


I don't want to hear any more - this is all too complicated. I'm not implementing this, I won't be able to make any sales.

Chance are this will be swiftly followed by the second one.....


see no evil emoji.jpg


If I don't look it's not real. Everything will just go back to the way it was. 

Sadly, it is real and we all need to be doing something about it. Some have said that it's going to be another Y2K (remember that one?), but just like then, do you really want to take the chance?  Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort, plus, there will be no ‘grace’ period, the Information Commissioners Office will be regulating from this date.

So what can we do. Is it all a case of : 

speak no evil emoji.jpg


I can't talk to my clients any more. 

What can you do? 

Well the good news is, all is not lost. In fact many of the GDPR laws are already in place and businesses are succeeding with them.  If you are already complying with the terms of the Data Protection Act, and have effective data controls in place, then you are already well on the way to being ready for the GDPR.

The first thing you need to do now is review your data. What personal data are you currently obtaining, storing and processing?  If you do anything with data, whether that's write it on a piece of paper following a phone call, you are 'processing' it.  Think about who has access to the data and who can process it? Who do you pass data to and get data from? 

As a general principle, if you don’t need the data, don’t keep it. 

The next part is understanding whether you have permission to process the data. Have you been given consent by the person whose data you hold to process it. This is where your marketing consent comes in.  Think from a marketing viewpoint, it makes more sense to engage with customers who want to talk to us. Why would we want to talk to someone who doesn't want to hear from us? 

Do you have grounds to process this data? There are various legal bases on which data can be stored, collected and used. For marketing purposes it is likely to be consent or legitimate interest. 

What is legitimate interest?

Does your business depend on you processing this data? It is 'necessary' for achieving your business objectives? Take for example recruitment clients, it could be argued that they have a legitimate interest to contact and process candidate records to find the candidates a job and generate turnover. 

This has been a very quick step through the world of GDPR. I will be continuing to explore GDPR in my next blog, including privacy policies, appointing a data protection office and what the ICO is now calling 'unambiguous consent'. However, if you're stuck or this has kick-started you into action and you'd like to get more input please to contact me at Claire Best Marketing.

There is also lots of helpful advice and GDPR from the Information Commissioners Office

Whether you contact me or start talking to someone else, the most important thing is that you do take action. 25th May is less than 3 months away and you need to be looking at this now. 

Part 2 coming soon........



Disclaimer : This blog covers my thoughts and views on GDPR. I have worked with various industry bodies to ensure my advice is correct, but I am not a lawyer. I can not take any responsibilty for the consequences of you implementing anything as a result of what I have said about GDPR.