Are you GDPR ready?

You can’t get away from the General Data Protection Regulations (GDPR) coming into effect on 25th May 2018, and while you must make time to understand how they impact your organisation, if you already operate in a responsible way, you needn’t be unduly alarmed.

The regulations are designed to:

  • give people more rights over how their data is used (because no-one likes the thought of their details being shared);
  • ensure organisations take a robust approach to data privacy and protection (again, most would agree that this is no bad thing).


What is personal data?

Personal data is anything that identifies an individual, so while ‘John Smith’ might not be distinguishable on its own, together with an email address or ID number, for example, it could identify a single person.

Organisations will, of course, still need to use (or ‘process’, as it is termed) personal data to carry out their day-to-day activity, and there are no set time limits on how long people’s information can be kept. The key is to ensure that the data being used for these purposes is safe and stored in an organised way.

The reasons for having clear-cut systems for data storage in order to comply with GDPR are two-fold. Firstly, under the new regulations an individual (be it employee, customer, prospect) has the right to be provided with the information you hold about them and, secondly, they have the ‘right to be forgotten’ and their data destroyed. Clear systems will make both of these obligations much easier to fulfil and more transparent for all involved.


What impact will this have on marketing activity?

There has been a lot of scaremongering about how the new GDPR regulations will affect direct marketing activity. In fact, it is not quite as limiting as some have suggested. Going forward, there will be three ways of direct marketing under the new GDPR regulations…


‘Legitimate Interest’

The Information Commissioner’s Office (ICO), which governs this area, states that there are six bases for processing data. For day-to-day activity most will process data under the ‘contract’ basis. There are then three further bases for processing data: legal obligation, vital interest and public task (where data processing is necessary to comply with the law, protect someone’s life or perform a task in the public interest respectively). The fifth and sixth bases are ‘legitimate interest’ and ‘consent’. ‘Legitimate interest’ is where an organisation can make the decision to communicate with a person on the basis of having a legitimate interest in contacting them. Crucially, the ICO suggests that direct marketing could fall into this category, but only if carried out responsibly.

The best way to determine legitimate interest is to ask ‘would the person I am communicating with expect this data processing to take place?’ Often, the answer is that current, recent or prospective customers probably would expect marketing communications, whereas contacts bought from a mailing list, for example, may not.


Legitimate Interest

The ICO recommends thinking about:

  • Who does the processing benefit?
  • Would individuals expect this processing to take place?
  • What is your relationship with the individual?
  • Are you in a position of power over them?
  • What is the impact of the processing on the individual?
  • Are they vulnerable?
  • Are some of the individuals concerned likely to object?
  • Are you able to stop the processing at any time on request?




If the people you are marketing to don’t fall into the above category, gaining ‘consent’ is the other way to justify contacting someone, and here the consent process must be transparent (see box).

Going forward, when asking for someone’s details for marketing purposes you need to tell them:

  • What information is being collected
  • Who is collecting it
  • How it is collected
  • Why it is being collected
  • How it will be used
  • How it will be looked after
  • How long it will be kept
  • Who it will be shared with
  • What the effect of this will be on the individuals concerned
  • What their rights are


For website forms/email marketing, this information needs to be clearly visible on the sign-up page. For face-to-face or phone interactions it is recommended that you follow a script or record the interaction. Marketing opt-ins cannot lead the user in any way: boxes cannot be pre-ticked, and the buttons to ‘opt in’ or ‘opt out’ must be of equal size and equal visibility.

After 25th May you can’t use data where the subjects weren’t given this information, but up until that date you can contact your database and ask them to ‘re-subscribe’, following the above guidelines.

Remember, if you buy lists for marketing purposes, they are likely to increase in price soon. Also, get confirmation in writing or in a contract that the person you are buying from has gained consent from each person listed to be contacted.


Consider using social media

Social media is a great way to communicate with your audience, as you don’t need to hold data on individuals and people interested in your business can ‘follow’ and ‘unfollow’ you as they wish. However, algorithms are forever changing, so try to use a range of communication channels, not just social ones, to get your message across.


Top tips for businesses

Know your data
Unless you know what personal data you process, why, what you do with it, where it is held and how you process it, it will be difficult to be sure you are compliant. Check the policies with providers who process personal data on your behalf too.

Get your team on board
Ensure everyone in your business understands the principles of GDPR and create a culture where data protection is taken seriously. Be especially aware when you are out of the office with documents, phones, tablets, laptops or memory sticks containing personal information – IT security will be more important than ever!

Check your privacy policy
You should have a company privacy document that covers all company activities including personnel, client/supplier data, payroll etc. It should also detail how and if data is collected on your website, and this information should be duplicated on your website in the form of a ‘privacy statement’. If you have any data capture forms on your website these should also each contain a privacy notice explaining: who you are; what you’ll do with the data; how you will look after it; why you need it; how long you need it for and what the user’s rights are.

Check consents
Review current consents and re-permission now if necessary. Don’t forget to comply with existing direct marketing laws whilst doing so.


Top tips for data storage

  • Make sure data is stored securely – use encryption where necessary
  • Avoid duplication of data
  • Only hold the personal data that you need for an individual and only for so long as you need it. The more personal data you hold, the greater the risks
  • Make sure anyone you contact can easily opt out of future communications if they so wish and your systems are robust enough to ensure they don’t get contacted again by accident
  • Don’t forget about employee data


While the above can seem overwhelming, and initially you may need to allocate some time to checking and tweaking your systems, looking to the future these regulations will probably be of benefit to most. Not only will it help make organisations’ internal systems more robust and create a more responsible culture, in the long-term databases will be leaner, more accurate and contain more engaged customers, allowing marketing to be more targeted and your business more trustworthy.

It is an area that must be taken seriously though, as non-compliance can lead to fines of up to 4% of the global revenue of a company.


Disclaimer: This article is for information only and it is important you seek your own legal advice to ensure your business is fully compliant. Reverberate cannot be held in any way responsible for failure to comply with GDPR.