Practical steps towards GDPR compliance

If you’ve not heard of GDPR yet, it’s about time you did. It’s a big deal that affects all businesses.

The General Data Protection Regulation (GDPR) is European Union legislation that will begin to be enforced on May 25th this year. Its aim is to strengthen the rights of individuals around how their personal data is used. As you can imagine, because it’s legislation it’s pretty involved and complicated.

There’s already loads of information out there on GDPR. We’re not going to repeat it all. And we’re not going to go into the legal stuff. If you really want the detail, you can go to:

We’re here to offer some practical advice to help get your website and marketing compliant.


Where to start

As a handy starting point, take a look at our GDPR guide. It’s a fairly easy read but contains some very useful information on what you need to know and what you need to think about.

We’ve recently become a Nettl Partner – a move which gives us the backing of a larger organisation and the support we need to make sure we can implement GDPR properly for our clients.


The first things you should do

1. Get your website secure.

Make sure your website has an SSL certificate (so visitors see a padlock and https:// rather than http:// in the browser address bar). This encrypts any personal data sent via your website. Search engines also now treat it as a requirement, so it is something you should do to keep your site ranking and usable for visitors.

2. Update your privacy policy.

If you don’t already have a privacy policy on your website, get one. If you do have one, it will probably need updating in light of GDPR. You will also need to make sure that you keep a very good record every time you update your policy in the future. There’s quite a list of specific information GDPR legislation wants you to include in your privacy policy. We can help steer you in the right direction.

3. Check your data collection forms.

Whether it’s a simple contact form on your website, or a newsletter sign up form specifically to collect data for marketing, you’ll probably need to make some updates. You need to display a notice with a link to your privacy policy everywhere you collect data.

Whilst it may be possible to market to individuals under the “legitimate interest” legal basis (or one of the other legal bases outlined under GDPR), in most cases you will need specific consent. Whenever you collect data for marketing, you need to make sure there is a positive opt-in action – a box that needs to be ticked, for example. You also need to be much more specific, giving people the choice of how they are happy to be contacted. Marketing opt-in must be separate from acceptance of terms and conditions.

This whole area can require some thought to get it right – give us a call if you need help.

Keeping records

One of the big things to come out of GDPR is the need for much more accountability. Unless you’re already being very thorough, you will have to keep more paperwork about the personal data you’re collecting and processing in order to fully comply.

You need to record, for example, which of GDPR’s six legal bases you are using to process the data. For marketing this will usually be consent or legitimate interest.

You need to record when and where you collected the data, exactly what you can use the data for, and the privacy statement that was active at the time of collecting data.

You may need to assess how you’re currently storing your personal data to make sure you’re able to keep all the records you need. Otherwise it might be time to consider a CRM system.
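To show what the form rules in step 3 and the record-keeping above look like in practice, here is an added example (not code from this page, and not a Nettl or client system) of server-side handling for a newsletter sign-up. It checks that a form definition has no pre-ticked consent boxes, treats terms acceptance and marketing consent as separate fields, accepts only the contact channels actually ticked, and produces the record you would keep: legal basis, purpose, when and where the data was collected, and the privacy policy version live at the time. The field names, the policy version string and the sample submission are all assumptions made for the illustration.

```python
"""Constructed example: validating a marketing opt-in and producing the consent
record that needs to be kept. Field names, the policy version string and the
sample submission are assumptions for this illustration, not a real form."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Contact channels the form offers as separate tick boxes (assumed names).
CHANNELS = ("email", "phone", "post")


class ConsentError(ValueError):
    """Raised when a submission cannot be recorded as valid consent."""


@dataclass(frozen=True)
class ConsentRecord:
    contact: str                 # who gave consent (e-mail address here)
    channels: tuple              # channels they agreed to, and only those
    legal_basis: str             # one of GDPR's six bases; "consent" for opt-in
    purpose: str                 # exactly what the data may be used for
    collected_at: str            # ISO-8601 UTC timestamp of the submission
    collected_from: str          # the page or form the data came from
    privacy_policy_version: str  # the policy that was live at the time


def check_no_preticked_boxes(field_defs):
    """Reject a form definition whose consent boxes default to ticked:
    a pre-ticked box is not a positive opt-in action."""
    bad = [name for name, spec in field_defs.items()
           if spec.get("type") == "checkbox"
           and name.startswith(("marketing", "channel_"))
           and spec.get("checked", False)]
    if bad:
        raise ConsentError(f"pre-ticked consent boxes: {bad}")
    return True


def build_consent_record(form, source_url, policy_version, now=None):
    """Turn a submitted form (dict of field -> value, as a web framework would
    hand it over) into a ConsentRecord, or None when marketing consent was
    not given. Terms acceptance and marketing consent are separate fields;
    ticking one never implies the other. Unticked checkboxes are simply
    absent from the submission, and absence means 'no'."""
    if form.get("accept_terms") != "on":
        raise ConsentError("terms and conditions not accepted")

    # Opt-in only: anything other than an explicit tick is no consent at all.
    if form.get("marketing_consent") != "on":
        return None

    channels = tuple(c for c in CHANNELS if form.get(f"channel_{c}") == "on")
    if not channels:
        raise ConsentError("marketing consent given but no contact channel chosen")

    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return ConsentRecord(
        contact=form["email"].strip().lower(),
        channels=channels,
        legal_basis="consent",
        purpose="marketing updates about our products and services",
        collected_at=stamp,
        collected_from=source_url,
        privacy_policy_version=policy_version,
    )


if __name__ == "__main__":
    # Constructed form definition: marketing box defaults to unticked.
    check_no_preticked_boxes({
        "accept_terms": {"type": "checkbox", "checked": False},
        "marketing_consent": {"type": "checkbox", "checked": False},
        "channel_email": {"type": "checkbox", "checked": False},
    })
    # Constructed submission: terms accepted, marketing opted in by e-mail only.
    submission = {"email": "Jane@Example.org", "accept_terms": "on",
                  "marketing_consent": "on", "channel_email": "on"}
    record = build_consent_record(submission, "https://example.org/newsletter",
                                  "2018-05-v2")
    print(asdict(record))
```

The record is what you store alongside the contact (in a CRM or a simple table), so that later you can show which policy the person saw, which channels they agreed to, and that consent was a separate, positive action rather than a pre-ticked box or a side effect of accepting the terms.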

GDPR and your marketing

A good place to start with all this is to look at any data you currently hold. Do you really need it? Are you actually using it? If the answer is no, it’s probably best to delete it. Under GDPR you can’t hang on to data “just in case”.

Once you know what you’ve got, you may need to consider a re-permissioning campaign to make sure your contacts are happy for you to keep in touch. Just make sure you don’t email people who have asked you not to or you could face large fines.

Ultimately, GDPR should make for better marketing. You’ll only be contacting people who actually want to hear from you. In the short term, there are definitely headaches. And it may be harder to build those marketing lists – it could be time to get creative!

The key is to make sure that any data you do collect in the future is done so in accordance with GDPR.

If you need help with any of this – get in touch. We’d be glad to help.