Small Business Entrepreneurs: Are you sure your marketing activities comply with the GDPR?


Have you heard about the new rules introduced by the General Data Protection Regulation (GDPR) throughout the EU from 25 May 2018? If not, you shouldn’t wait much longer before checking whether you comply. The fines can be huge: up to 4% of turnover or €20 million, whichever is higher! And yet, a quarter of London businesses were entirely unaware of the GDPR in January 2018!

In short, all companies (including small businesses and charities) must obtain clear consent from their employees, customers and users to store and process their personal data. The obligation does not depend on the size of the business but on what and how much data you collect, and on how you process and protect it.

If you have employees (particularly more than 250), you must check the rules on holding, processing and protecting “critical” personal data against breaches (such as criminal convictions and offences, ethnicity, and religious or political views), and you may need to appoint a data protection officer.

For more detailed advice, read this valuable guide from the Information Commissioner’s Office (ICO) in the UK.

How, then, will your marketing activities be affected?

When it comes to your customers’ data, you must make sure you have obtained their permission, and document what information you hold, where it came from, what it was collected for and who you share it with. You must also be able to delete all of it, or send them a copy, on request, and report any data breach within 72 hours.

Consent is central to the rules of GDPR for marketing.

If you have an online store and collect personal information during the checkout process (delivery address, size, number of children…), you will need consent to process someone’s data, not only to deliver the order (which you probably already obtain) but also, separately, for any other marketing activities your company intends to use it for (special offers, a newsletter, a loyalty scheme…). This consent can only be given by “opt-in” (no pre-ticked boxes), meaning people must tick a box to give permission separately for each type of use of their data. Businesses must also record when that consent was given.

Did you get consent from your newsletter recipients?

You have already built a mailing list of customers and potential customers, and you send them regular emails with your offers and news. Now you must be able to prove that you have been given permission to write to them. If you are worried that you don’t have consent, Mailchimp, for example, is an easy way to create a sign-in form (with a separate checkbox for each agreement) and send it to everyone on your list, to confirm that people still want to receive what you are sending them (and give you permission to transfer their data to your Mailchimp account). Of course, none of this exempts you from offering an opt-out option in every newsletter you send!

Not sure how to set up and design the sign-in form? Contact me, I can surely work this out for you! See my own “sign-in form” for inspiration.

For all other direct marketing activities (lists bought in from third parties, phone calls, SMS, post), see this very useful marketing guidance and checklist from the ICO.

NB: This article is provided as a resource, but does not constitute legal advice. I encourage you to speak to a legal practitioner to learn how the GDPR may affect your organization.
