The implementation date has been and gone, and whilst there was a lot of unnecessary panic and worry, it is clear that since the hype died down many businesses are failing to implement the simple practices needed to ensure they continue being (or ever were) GDPR compliant.

We are often asked by our clients ‘will this document make me compliant?’ The short answer is ‘no’.

A privacy policy on your website does not automatically make you GDPR compliant, and using a GDPR-compliant website or an email marketing platform that is GDPR compliant will still not ‘make you compliant’. Yes, it may be secure, encrypted and all that jazz, but as a data controller you still need to process that data correctly.

Unfortunately, the internet is still overloaded with GDPR compliance material that isn’t always correct, and understandably this can be very confusing for any business owner. My advice would be to look at the source: are they credible? If you would rather have one-to-one advice, speak to someone you trust in a professional capacity who can simplify it so you completely understand it.

So how does it apply to you?


The definition of personal data has become wider: any information that can directly or indirectly identify a person is now considered personal data. That covers names, photographs, telephone numbers and email addresses. It includes business email addresses such as mine, but not our generic info@ address.

It would be a good idea to ask yourself these simple questions, with the personal data you currently hold in mind:

  • How did you collect this data?
  • What is your lawful basis for processing this data?
  • Where is the data stored?
  • How old is this data?
  • Is it sent to or used by any third parties?

The answers to these questions will help you identify weak spots in your current policy and will highlight where the issues are. If you’re not sure how you collected the data or whether you asked for consent or not, then that’s clearly a problem and it needs to be addressed. By getting an overview of the current data you hold and how you use it, you’ll be able to see what is needed to ensure GDPR compliance.

Bear in mind, it is only lawful to process data in certain circumstances and you need to be clear on what your basis is for each set of data you’re holding. If you have a contract with someone, for example, it is lawful to use the data to fulfil your obligations under that contract; this would include your employees, customers and suppliers. It is also lawful if you’ve obtained consent from the individual. Just make sure you are clear on what basis you are using. Take a look at the ICO website if you’re not sure; they have some useful guidance.

Is the data up to date?

It is a good idea to delete unnecessary data.

Depending on how long your business has been operating, it is likely you have a lot of data that is no longer needed and has no benefit to your business whatsoever. By cleansing your database, not only will you be more focused on who your real prospects and clients are, you will also be reducing the risk of any breaches.

Not only that, how do you know the data is even still accurate if it is years old? Accuracy is one of the principles of the GDPR.

Do you have a privacy policy?

An easy job to do is to make sure you have a privacy policy on your website. You need to be telling data subjects how you manage their data, your lawful reasons for processing their data, any marketing you’ll be sending and how long you will hold on to their data for. You also need to inform them of their rights. A privacy policy can cover all this.


Marketing is probably the biggest worry surrounding GDPR, although this is predominantly covered by the Privacy and Electronic Communications Regulations (PECR). The GDPR does not replace PECR; it has widened the definition of consent. You need to comply with both GDPR and PECR, even for your B2B marketing.

Again, consent is not the only lawful basis for marketing, but you do need to be clear on which lawful basis you are relying on. Consent must be freely given (so no pre-ticked boxes or schemes designed to build a marketing list); this means giving people genuine ongoing choice and control over how you use their data.

Consent should be obvious and require a positive action to opt in. Saying ‘Enter my competition with your email address, but by doing this you agree to all future marketing’ is not a positive opt-in.

I would also be very clear in any email you send about why you are sending it: ‘You are receiving this email because … ’. Not only is this clear and transparent (another principle), it removes the possibility of recipients complaining about your method of contact. The email may be perfectly legitimate, but saying why you are sending it avoids any misunderstanding and stops you appearing to have ignored GDPR altogether.