GDPR: What does it really mean for you?

Here’s exactly what you need to know and the steps you need to take.

It seems that everyone is talking about the General Data Protection Regulation, or GDPR, but what is it really all about? There is a lot of scaremongering going on at the moment, and nobody seems to really know what is going to happen.

What you really want to know is: what does it mean; how does it affect you; and what do you need to do about it, right? We’ve put together this short and simple guide to complying with GDPR – here’s exactly what you need to know and the steps you need to take.

What is GDPR?

GDPR is a new EU regulation governing how you collect, store and use personal data, in order to protect the privacy of individuals. Many of its main points carry over from the current Data Protection Act, so the good news is that if you are already compliant with that, you are halfway there.

GDPR introduces tougher fines for non-compliance, and gives people more say over what we as companies can do with their data. In the wake of the Cambridge Analytica scandal, data protection is a hot topic at the moment and people are becoming more aware of how their data is harvested, so it’s important to get compliant.

What data does GDPR cover?

GDPR covers any personal data, meaning information that relates to an identified or identifiable person. That includes, for example:

  • Identity information such as name and address
  • Health and genetic data
  • Biometric data
  • Web data such as IP address and cookies
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Health, genetic, biometric, racial or ethnic, political and sexual-orientation data are "special category" data: they carry stricter rules and need a further specific condition before you can process them at all.

What does it mean for you as a business?

Essentially, it is no longer enough to include a disclaimer telling your customers that by providing data they are agreeing to you using it for marketing purposes. We have been able to get away with that up to now: if you purchase something from a website or enter an email address to download a resource, that company can then contact you with promotional material.

Of course, there has always been the option to opt out; going forward, where you rely on consent, your customers need to actively opt in to receive communication from you. In a nutshell, that is what GDPR means for marketing. You cannot tell your customers that they are opting in; you have to give them an unticked box or a data capture form that they themselves complete before you are allowed to contact them.

For businesses that rely on purchasing email lists, this is likely the end of that practice. Unless the supplier can provide evidence of GDPR compliance and of the consent each person gave, you will need to develop a new approach. Liability does not stop with the list provider; as the business sending the email, you are liable too.

Unfortunately, there are serious consequences for not being compliant with GDPR: fines of up to €20 million or 4% of your company's worldwide annual turnover, whichever is higher. It sounds scary, but there are a few simple steps you can take to make sure you are fully compliant.

Making sure new data is compliant

The first change you need to make is to your website. If people provide you with their data by purchasing from your website or using your services, you need to embed a tick box on to your site. It cannot be pre-ticked, it must be separate from your terms and conditions rather than bundled into them, and it should say something along the lines of "I give permission for Xpand Marketing to contact me with promotional materials and updates."

Speak to your IT team and make sure they are aware of GDPR. If your website is maintained externally, get in touch with the person who maintains it and make sure they are up to speed and are getting that tick box embedded on your site. Make sure the site also records when the box was ticked and which wording the person saw, because under GDPR you have to be able to prove that consent was given. If a customer ticks that box, you can use their data for that purpose. If they don't, you can't. Simple!

If you want to see some real-world examples of GDPR compliant websites, we recommend this blog by the DMA or this one by

Audit your existing data

You also need to make sure your existing data is compliant. Unfortunately, any data you already hold that you do not have explicit permission to use is no longer okay. This includes any bought data, data from customers who have not actively opted in, and data passed to you by another business or another branch of your own business.

We recommend sending out an email campaign letting your customer base know that you need them to sign up to continue receiving communications in the future. Then redirect them to a page on your website where they can enter their contact details and tick that box saying it is okay for you to get in touch. Have that data fed through into a new mailing list. One caveat: the re-permission email is itself a marketing email under the existing PECR rules, so only send it to contacts you are already allowed to email, and never to anyone who has previously opted out. Once GDPR comes into force on 25 May 2018, you will need to delete your old list, as you can no longer contact those leads.

Offer your contacts an incentive to sign up to receive communications from you; you could offer to send them a downloadable resource, or a voucher for your products or services. Accompany this with some really hot content that your customer base is interested in reading. Make them realise what they will miss out on if they no longer get emails from you!

What is your Lawful Basis?

Under GDPR, you will need a "lawful basis" for processing customer data. There are six available lawful bases, and you will need to fit into one of them. Apart from consent, each requires that the processing is necessary for the stated purpose: if you could achieve the same purpose without the data, that basis does not apply.

  1. Consent. The individual has given consent for you to process their data for a specific purpose.
  2. Contract. The processing is necessary for a contract you have with the individual.
  3. Legal obligation. The processing is necessary for you to be legally compliant.
  4. Vital interests. The processing is necessary to protect someone’s life.
  5. Public task. The processing is necessary for you to perform a task in the public interest.
  6. Legitimate interests. The processing is necessary for your legitimate interests or the legitimate interests of a third party.

By embedding that tick box on your website and getting explicit permission from your contacts, you will fall under number 1, consent. We recommend this as the simplest lawful basis to rely on, although depending on the nature of your business you may fit into another category. Be aware that if you rely on consent, the individual has a lot more power over how their data is used than under the existing data protection law: they can withdraw consent at any time, withdrawing must be as easy as giving it, and you must stop the processing when they do.

Privacy policy

If you don’t already have a privacy policy on your website, then we suggest you get one. It’s a simple way to make everything transparent between your business and your customers.

Your privacy policy should include:

  • What information you will collect
  • What your lawful basis is for collecting this information
  • How it will be used by your business and for what purpose
  • If it will be made available to third parties, who are these third parties
  • What rights individuals have over their data
  • What the process is for requesting, amending or deleting their data, including how long data will be held and how a customer can contact you.

Processes & Documentation

You will need to put in place processes and documentation that allow your business to comply with GDPR. These will include:

  • How your data is stored securely
  • How your business will respond to requests for information, amendment or deletion. Under GDPR you have one month to respond to such a request.
  • What your process is for dealing with a data breach. After all, nobody likes their data to be compromised, and where a breach is likely to put people at risk you must report it to the Information Commissioner within 72 hours of becoming aware of it.
  • A record of what data you hold, where it came from, for what purpose, and whether consent has been gained. If you share data with other organisations you will need to document this, so that when data is amended or deleted you can inform the third party accordingly. GDPR puts a greater emphasis on data controllers to demonstrate accountability.
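The tick box, the audit of the existing list and the record of what you hold all come down to the same small set of checks, so here is one worked example covering them together. It is an added illustration, not code from the original post or from any product; every name in it (ConsentRecord, Holding, ConsentLedger, the form field `marketing_consent`, the wording and the sample contacts) is an assumption made for this example. It shows a consent that only counts when the box was explicitly ticked (never by default), consent tied to a purpose and a versioned wording so it can be evidenced later, withdrawal recorded rather than deleted, a legacy list filtered down to consented contacts, and a deletion request that uses the holdings register to say which third parties must be told.

```python
"""Consent capture, a data-holdings register and the audit/erasure checks.

Added example, not code from the original post. Every name here
(ConsentRecord, Holding, ConsentLedger, the form field names, the wording
and the sample contacts) is an assumption made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Wording shown beside the tick box, kept under a version label so you can
# later show exactly which text a person agreed to (wording is assumed).
CONSENT_TEXT = {"v1": "I give permission for Example Ltd to contact me with "
                      "promotional materials and updates."}


@dataclass
class ConsentRecord:
    email: str
    purpose: str                # consent is per purpose, e.g. "marketing-email"
    text_version: str           # key into CONSENT_TEXT
    given_at: datetime
    source: str                 # where it was captured: "web-form", "event", ...
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


def consent_from_form(form: Dict[str, str], source: str,
                      now: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Turn a submitted form into a consent record, or None if no consent.

    The box must be present and explicitly ticked ("yes"): a missing field
    counts as no consent, so a defaulted or pre-ticked value can never pass
    and silence is never read as agreement.
    """
    if form.get("marketing_consent") != "yes":
        return None
    return ConsentRecord(email=form["email"].strip().lower(),
                         purpose="marketing-email", text_version="v1",
                         given_at=now or datetime.now(timezone.utc), source=source)


@dataclass
class Holding:
    """One line of the 'what we hold, where it came from, why' record."""
    dataset: str
    source: str
    purpose: str
    lawful_basis: str
    shared_with: List[str] = field(default_factory=list)


class ConsentLedger:
    """Evidence of who consented to what, and when they withdrew."""

    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def add(self, rec: ConsentRecord) -> None:
        self.records.append(rec)

    def has_consent(self, email: str, purpose: str) -> bool:
        return any(r.active() and r.email == email.lower() and r.purpose == purpose
                   for r in self.records)

    def withdraw(self, email: str, purpose: str,
                 when: Optional[datetime] = None) -> None:
        # Withdrawal must be as easy as giving consent; record it, do not delete.
        for r in self.records:
            if r.active() and r.email == email.lower() and r.purpose == purpose:
                r.withdrawn_at = when or datetime.now(timezone.utc)

    def mailable(self, contacts: Set[str], purpose: str) -> List[str]:
        """The audit step: keep only contacts with active consent for a purpose."""
        return sorted(c for c in contacts if self.has_consent(c, purpose))


def erase_contact(email: str, ledger: ConsentLedger, lists: Dict[str, Set[str]],
                  holdings: List[Holding]) -> List[str]:
    """Handle a deletion request: remove the person from every list and from
    the ledger, and return the third parties that received those lists (looked
    up in the holdings register) and therefore must be told."""
    email = email.lower()
    touched = [name for name, members in lists.items() if email in members]
    for name in touched:
        lists[name].discard(email)
    ledger.records = [r for r in ledger.records if r.email != email]
    return sorted({org for h in holdings if h.dataset in touched for org in h.shared_with})


def run_demo() -> Dict[str, List[str]]:
    """Walk through capture, audit, withdrawal and erasure on constructed data."""
    t0 = datetime(2018, 5, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    for form in [{"email": "Alice@example.com", "marketing_consent": "yes"},
                 {"email": "bob@example.com"},                           # box left unticked
                 {"email": "carol@example.com", "marketing_consent": "no"}]:
        rec = consent_from_form(form, source="web-form", now=t0)
        if rec:
            ledger.add(rec)
    # Constructed legacy list: two web sign-ups plus one purchased address.
    lists = {"newsletter": {"alice@example.com", "bob@example.com", "dave@example.com"}}
    holdings = [Holding("newsletter", "web-form + purchased list", "marketing-email",
                        "consent", shared_with=["MailProvider Ltd"])]
    out = {"mailable": ledger.mailable(lists["newsletter"], "marketing-email")}
    ledger.withdraw("alice@example.com", "marketing-email", when=t0)
    out["after_withdrawal"] = ledger.mailable(lists["newsletter"], "marketing-email")
    out["notify_on_erasure"] = erase_contact("bob@example.com", ledger, lists, holdings)
    out["remaining"] = sorted(lists["newsletter"])
    return out
```

Running `run_demo()` shows the audit in miniature: of the three addresses on the old list only the one with an explicit, active consent is mailable; after withdrawal none is; and a deletion request for one contact returns the mail provider the list was shared with, which is the third party the holdings register says you must inform. In a real system the ledger would be a database table that is written but never rewritten, and `consent_from_form` would be called on the server, since the browser-side state of a checkbox is not evidence of anything.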

For businesses in the B2B sphere, there has been some discussion about whether they need to comply at all, because GDPR deals with personal data. The simple answer is that GDPR "applies to 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified." Just because a user has provided a work email address does not mean that individual cannot be identified; a named work address such as firstname.surname@company is personal data.

Another point of discussion is whether a business can keep emailing its existing subscriber list because that falls under "legitimate interests". It is dangerous to rely on legitimate interests without fully auditing the data you hold. To use it you need a "relevant and appropriate relationship" with the data subject, such as an existing client or customer, and you must be able to show that your interest is not overridden by the individual's. On top of that, the PECR ePrivacy rules still have to be satisfied for the email itself. In practice, legitimate interests will only work for email marketing where the data was obtained under the PECR "soft opt-in": you collected the details in the course of a sale (or negotiations for one) of your own products or services, you are marketing similar products or services, and the person was given a simple way to refuse at the time you collected the data and in every message since. For example, somebody who recently bought from you and did not opt out when given the chance can reasonably be expected to be open to hearing from you.

Hopefully, this blog post has helped you figure out how to get compliant, but if you are still unsure about GDPR, it is better to be safe than sorry. Get in touch with us and we can help you make the changes you need in time for the deadline.

For further information on GDPR, you can download a 12-step guide from the Information Commissioner. You can find a list of key definitions here.
