What does this mean to you?
What do you know about this?
Will you be compliant by 25th May 2018?

Firstly, did you know that GDPR stands for General Data Protection Regulation?  This was formally and finally approved by the EU Government on 14 April 2016.  As noted on the GDPR main website, this new regulation was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

But what does this mean for you and your business?

So after 2 years, each business owner in the UK (as we are still part of the EU community) should be prepared (or at least preparing) to complete the steps to get their business compliant before 25th May 2018. Here are some steps and information to get you started in your business. Remember, this affects all businesses, from home-based and small businesses through to large corporates. The size of your business does not matter: if you and your business work within the EU with EU / UK customers, clients, suppliers, employees and sub-contractors, then you need to comply with these new regulations.


What sort of Data do you hold?

Start working out now what personal data you currently hold for your customers, clients, suppliers, employees and sub-contractors. This data includes:

  • Name
  • Address
  • Email details
  • Phone numbers
  • Bank details
  • Photos
  • Health details
  • Emergency contact details
  • Religious beliefs

All personal data should be accurate and kept up to date.

Why do you hold this data?

There are numerous reasons you may hold this data. For employees, obviously you require data for payment of salaries, tax purposes, emergency contact and more. For customers and clients, you may hold their details for contact purposes. It is also important to ensure that you know why you hold each specific item of personal data. Data should only be held for as long as it is required by your business and remains relevant to the client, customer, supplier or employee.

How do you use the data?

Is it used for marketing purposes? If so, have your customers and clients provided you with express confirmation that they are happy to receive your marketing communications? If not, this is something you need to obtain. See below. If you store bank details or other sensitive data, are they secured?

Who has responsibility for the data you hold?

Normally there will be someone who has overall charge of the personal data you hold for your customers, clients, suppliers and employees. Identify who this is for everyone you hold personal data for. If you are a small business and do not process personal data on a large scale, as travel agents, schools or hospitals do, you may not need to appoint a Data Protection Officer (DPO), although having someone handle your GDPR compliance can be a handy resource for a small business.

Who has access to the personal data stored by your business?

Although someone will hold ultimate responsibility for the security of the personal data held by your business, there will be staff who have access to this data. A list of all staff should be made outlining what access they have, and this should be made available to your clients, customers, suppliers, employees and sub-contractors if asked. Staff should be trained in what constitutes a personal data breach and in your business's processes for uploading, accessing and securing data. Any mistake by any staff member must be reported to the Data Protection Officer or the person who is responsible for the personal data held by your business.

What security is in place to keep personal data secure?

Obviously this is one of the most important aspects of the personal data held by you. How do you keep personal data secure? Is it password protected? Bear in mind that a password on an account or device does not by itself encrypt the data stored behind it. Encryption is the most effective way to ensure that data is kept secure. Data must be processed in a manner that ensures complete security, including protection against unauthorised or unlawful processing and against accidental loss, destruction and/or damage of the data.

GDPR and your customers

Accessing data

All data must be processed by your business lawfully and in a transparent manner. Data must only be collected for specified purposes that your business requires it for. Data should be easily accessible to the individuals you hold data for. Access to their data must be provided within 1 month of their request.

Making changes

Should a client, supplier, employee or sub-contractor request a change to their data, this should be provided to that person within 1 month of their request.

Removal of data

If an individual wants you to stop using or processing their data, they can contact the relevant person in your business and request this. Unless you still require these details for the running of a contract or another purpose in your business, you need to comply with the request. The request must be dealt with within 1 month of receiving it.

Privacy Policy

Make sure that your Privacy Policy covers all of the types of personal data you hold, including HR records, customer lists and contact detail records. A Privacy Policy must clearly outline what data is held, how you hold the data, who is responsible for the data, who has access to the data, and how a person can gain access to their data to make changes or request deletion.

GDPR and Marketing

Permission for Data

Even if you already send out email newsletters or other communications to clients, customers or suppliers, you need to ensure that every single subscriber has provided express consent to be included on your subscriber list. They must show that they are clearly happy to receive communications from you. In other words, they need to confirm physically (for example by ticking a box), not verbally, that they are happy to be included.

How do you do this? Well, you need to ensure that each person on your list has double opted in to your newsletter subscription. This is easy to set up in whatever newsletter platform you use.

On each form you have on your website, you should have the options available for people to tick that they have understood your Privacy Policy and that they are happy to be included on your newsletter subscription list.

If someone opts out of an email from you, you need to ensure that no further emails go to that person, as continuing to email them would be a breach of the regulation.

Focus on Data

What data do you actually need? This is really important. You should only collect data which is relevant to your business and to what you are offering your clients, suppliers and so on. For example, if your list is used to supply someone with beauty treatments and you need to know their skin colour to best assist them, then this would be data which is relevant to your business.

You need to be specific and have all data protected and available to your clients and suppliers if requested.  See below.

Access to Data

You need to allow your contacts easy access to their data. So when you set up the opt-in for your newsletter lists, ensure that whatever information you are capturing is easily available to those who may request it. This is already the law: an Unsubscribe link must be present on all email newsletters sent from your business, and the link users click to unsubscribe must let them manage their preferences and cancel emails.

GDPR gives the public greater control of their personal data and how it is held by individual businesses. It is a way of creating uniformity across the EU for all citizens. It is important to note that even after Brexit, the UK will continue with compliance and rules in line with the GDPR, so any work being done now by all businesses will remain in place even after Brexit.

You should also do your due diligence on any sub-contractors or suppliers you use. Are they GDPR compliant? Look at updating any contracts you may have to ensure that you are covered by their compliance.

There is still time to be compliant, and the above is just the starting point to help you get started. The most important thing for you RIGHT NOW is to look at all of the current data you hold, how you hold it, and, if you are marketing to clients/suppliers, whether they have opted in physically or only verbally. They need to provide you with express confirmation and agreement to be on your marketing lists.

If you need help with your compliance or preparing your newsletter lists for GDPR, please let me know.  I have also been approached by businesses I work with asking me to become their Data Protection Officer.

Remember there is still TIME.

You can also join a GDPR Facebook Group hosted by Suzanne Dibble, The Small Business Law Expert. Suzanne hosts FB lives and answers questions from small businesses who need more information on what is required for their businesses.

© Hazel Theocharous, Learn Grow Transform