<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=2091254041141547&amp;ev=PageView&amp;noscript=1">

GDPR for Businesses: A Guide to Understanding the General Data Protection Regulations (GDPR)

Share this page to Facebook Share this page to LinkedIn Share this page to Twitter

Learn all about GDPR and how it applies to your business.


Discover how GDPR affects marketers.


Stay protected and download our GDPR Protection Pack.


GDPR for Businesses: A Guide to Understanding the General Data Protection Regulations (GDPR)

Share this page to Facebook Share this page to LinkedIn Share this page to Twitter


Arriving on 25 May 2018, the General Data Protection Regulation (GDPR) has reshaped the way that all businesses manage and control data and strengthened data protection in favour of the data subject.

It replaced the 1995 Data Protection Directive which became the Data Protection Act 1998 in the UK. A criticism of the Data Protection Act is that it lacked teeth, penalties were limited and the compliance obligations less than under GDPR. This resulted in countless examples where data was misused.

Now, fines are much more severe and can be unlimited and already the ICO is beginning to clamp down and use their new powers on those that fail to comply with the current regulation.

As responsible marketers, we understand GDPR and how to make this work for our business, and as business growth experts we also understand how GDPR can be a significant step-change in the way businesses handle data and communicate with other businesses and consumers. We are here to ensure that change is a positive one and guide you on the rules you need to know, how to ensure compliance, and how to make GDPR a positive change in your business.

Since GDPR came into effect, we have continued our mission to help as many businesses as possible. That’s why we have created this extensive GDPR Toolkit for Businesses.

So, if you’re looking to expand your GDPR knowledge or looking to finally get to grips with the rules, sink your teeth into this extensive guide. We’ve packed it full of ultra-valuable information, and our downloadable version comes with some extras we guarantee you’ll find useful.


Part 1: Information on GDPR

1. What Is GDPR?

The GDPR (General Data Protection Regulation) came into force throughout the EU on 25th May 2018, replacing the Data Protection Act 1998 in the UK.

The new law focuses on the data protection rights of all EU citizens and creates new rules for those businesses that control and process their data.

GDPR now means that Europe is covered by the strictest and most comprehensive data protection rules in the world. Before GDPR, different EU national governments had an inconsistent approach to data regulation and many failed to keep up with the rapid changes in technology which revolutionised how companies could gather, store and share data online.

Specifically, GDPR has amended how businesses and the public sector can process data and strengthened the rights of individuals with a focus on consent and control.

Our GDPR Toolkit is the essential GDPR guide for your business, providing everything you need to know to ensure your business is compliant. Included in every one of our GDPR Toolkits is a handy GDPR Checklist to make sure you’ve got everything in place to get compliant.

2. GDPR and Brexit

Brexit introduces a host of uncertainties for businesses in the UK, in the remaining EU states, and in other countries that do business with the UK and the wider EU.

While there are some myths flying around about how leaving the European Union will impact the UK’s obligation to follow EU law, from a UK perspective, the impact of Brexit on GDPR is nil. In fact, companies will still have to comply, Brexit or not as the UK intends to adopt all existing European regulations as we exit the EU.

In order to continue trading with the EU, with as little disruption as possible, businesses and organisations need to show they have the equivalent measures in place for their customer’s data.

3. Does GDPR Apply to My Business?

The legislation has wide-ranging application within the EU. Any business or organisation that obtains or processes data from European citizens, specifically their personal data, is subject to this legislation. The regulations still apply even if your business does not have a physical presence in the EU.

The regulators have recognised the added burden of GDPR for small businesses so some of the documentary obligations are different. If your business has more than 250 employees, you must extensively document all of your processing activities.

However, there is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document your data processing activities that:

  • Are not occasional.
  • Could result in a risk to the rights and freedoms of individuals.
  • Involve the processing of special categories of data or criminal conviction and offence data.

4. Know Who Governs Your GDPR Compliance

GDPR is designed to create a consistent data protection law across all EU member states and provide clear guidelines for any company using the data of EU citizens. As a result of it being so far-reaching, supervisory bodies will exist in each EU member state to regulate GDPR compliance.

For UK businesses who process EU subject data in other international offices as well, you’ll need to identify the official supervisory authority in each of those countries, so that you can report any data breaches and receive official domestic guidance on GDPR compliance.

Below you’ll find more information about who your supervisory authority may be depending on your location:

  • HANDLING DATA FROM THE UK ONLY: If you only control and process data from a UK-based office then the regulator for GDPR compliance is the Information Commissioner’s Office (ICO).
  • HANDLING DATA FROM EU MEMBER STATES OUTSIDE THE UK: You can find a list of the data protection authorities for every EU state on the European Commission website.
  • HANDLING DATA FROM NON-EU STATES: Even if your business is based outside the EU, if you hold any data from EU citizens you will have to abide by GDPR and identify a governing body to report to, should you need to. Here, you can find more information about supervisory authorities outside the EU.

5. Designate a Data Protection Officer (DPO)

Appointing a Data Protection Officer (DPO) is only compulsory for public authorities and companies involved in the large scale monitoring of individuals, but it is still recommended by the ICO to designate a DPO in all businesses to ensure compliance with the tougher GDPR rules.

Appointing a DPO is not as difficult as it may sound. Any trusted employee is capable of becoming a certified Data Protection Officer who can help ensure your organisation becomes GDPR compliant.

6. Tasks a DPO Must Perform

First and foremost, your DPO is the person to turn to with any queries about GDPR. With many significant changes being made to key areas such as consent to process data, having a dedicated person to monitor all areas of your business is vital.

Alongside supporting your business, DPOs are a valuable point-of-contact for both governing bodies and individuals who require information. Having a single individual responsible for this ensures a consistent approach that benefits all.

Furthermore, a DPO can coordinate your transition, performing company-wide audits to make sure data is stored and used properly.

7. GDPR Requires Board-Level Support

Making GDPR a successful part of your business requires buy-in from every part of your organisation. As such, we recommend that you treat GDPR compliance like a project requiring board-level support and sponsorship.

Confirming this support will help send a message to everyone in your business that GDPR compliance is not only vital, but also a positive opportunity to be seized. GDPR may create a number of challenges that need to be overcome. However, once you put in the effort, you’ll be rewarded with a system that allows you to learn more about your customers and target your marketing to better meet their needs.

This will help improve your customer satisfaction by providing a better customer experience – something that should be stressed to every department head.

8. Address How GDPR Affects Stakeholders

Once you have buy-in from each Head of Department, the responsibility of itemising the risks of GDPR can be delegated amongst the teams. To do so, here’s a short checklist of what each department head can do within their respective teams:

  • Department heads can help explain how GDPR impacts their teams and how it provides an opportunity to improve existing processes.
  • Once the changes to how data is gathered and used are understood, departments can begin to map out how to process information and can identify any areas that need to be made compliant.
  • For any non-compliant processes that represent a major risk to the company, departments can liaise with the DPO.

Once a department has gone through this process, the DPO can check these risks accordingly and ensure they are, in fact, GDPR compliant.

9. GDPR and Brexit

Understanding the differences in the roles of Controllers and Processors comes down to a subtle difference in who controls the data. In short:

  • A Data Controller controls what data is processed and the way this is handled. Ultimately they are responsible for compliance with GDPR. These responsibilities include lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity and confidentiality of personal data.
  • A Data Processor is anyone or any business who processes personal data on behalf of the controller and can only do so by providing adequate guarantees that they will implement appropriate technical and organisational measures that meet GDPR requirements.

Therefore, while the Data Controller has a greater share of the responsibilities, both roles must ensure they ultimately guarantee compliance with the rules. Regardless of whether your business fulfils the role of controller, processor or both, ensuring compliance is vital for avoiding hefty fines. As a result, understanding both your role and the responsibilities associated with it are a crucial part of preparing for GDPR.

10. Protecting Your Data

GDPR has redefined how businesses store their data. The driving force behind this is the fact that businesses are legally required to report any data breaches, that are likely to risk a person’s rights or freedoms, to their supervisory authority.

With 46% of all UK businesses falling victim to at least one data breach or attack in the year leading up to the deadline, you have to be prepared for that eventuality by implementing storage systems that allow you to secure data and protect against breaches, and also easily find data.

This ability to find data quickly is also important because, with data subjects agreeing to varying consents, it’s vital to know whom you can contact about what (which falls under PECR). Under GDPR, protecting your data goes hand-in-hand with protecting your business.

11. How to Handle Data Access Requests

Under GDPR, individuals have the power to make requests to data holders (i.e. companies like yours) about subject data that is being controlled and/or processed. It is the responsibility of the organisation to determine how they handle such requests.

Data Subject Access Requests are nothing new, but the GDPR has made a number of important changes that you need to be aware of:

  • For the most part, you cannot charge data subjects for releasing this information.
  • The time you have to respond and comply is reduced from the current 40 days under the Data Protection Act to one month under GDPR.
  • You have the right to refuse or charge for requests you deem manifestly unfounded or excessive but must be able to provide evidence of how you concluded the request to be unfounded or excessive.
  • If you find grounds to refuse a request, you must inform the individual of what those grounds are and provide them with information of the supervisory authority to which they can appeal their rights to a judicial remedy. This must be done within one month of the request being made.

12. How to Handle Data Breaches

However minimal or significant the breach may be, a process must be established within your company to detect, report and investigate any breach of personal data.

A data breach is recognised as any breach of security that can cause destruction, loss, alteration, unauthorised disclosure of, or undue access to personal data you store, transmit or process in some way. Such situations can occur accidentally or unlawfully.

Under Article 33 of GDPR, you must notify the appropriate supervisor no later than 72 hours after you’ve become aware of it. If you do not submit a notification in that time, the data controller must explain the delay.

Additionally, when you write a notification of the breach to the appropriate supervisor, you must address the following:

  • The nature of the breach.
  • The approximate number of data subjects affected.
  • Name and contact details of either the DPO or contact point at the organisation.
  • A description of the likely consequences of this personal data breach.
  • Any/all measures the controller has taken or proposes to take to mitigate the effects of the breach.

13. Understanding the Penalties for Non-Compliance

It’s likely that the first thing you heard about GDPR is the fines that organisations are susceptible to if they fail to comply. These have been increased significantly. In fact, had the fines issued by the ICO in 2016 been done so under GDPR, they would have been 79 times higher.

Below are the two tiers of fines, relevant to the degree to which you have violated GDPR compliance.

Tier 1 contains the lower-level of fines, which are:

  • 2% of annual turnover, or;
  • 10 million Euros (whichever figure is greater)

Tier 2 contains the maximum fines, which are:

  • 4% of annual turnover, or;
  • 20 million Euros (again, whichever figure is greater)

For a comparison: under the Data Protection Act, fines topped out at £500,000. For more information on the fines, you can read our article here about the dangers of not documenting your GDPR compliance.

Part 2: How Will GDPR Impact My Marketing?

All businesses deploy some form of marketing to share their products and services with leads and customers. Therefore, the impact of GDPR on marketing is something every business must sit up to and take notice of.

How much of an impact GDPR has will depend on the type of marketing your business currently uses. For those using outbound marketing, GDPR will make techniques such as cold-calling more difficult as consumers demand consent for you to process their data.

In its place, GDPR opens the door for inbound marketing, which puts your visitors and leads at the heart of your marketing by nurturing them to customers with valuable content that they can consent to.

1. Changes to Consent

Great marketing means creating a personal, customised experience for leads and customers alike. This is done through a number of strategies, the most popular of which is email marketing, something 75% of marketers say they use more now than they did three years ago.

Key to being successful in email marketing under GDPR means you must ensure you have defined your legal basis for processing the data subjects data. If this data subject is a consumer rather than a business, you also need consent under the Privacy and Electronic Communication Regulations (PECR) to contact them.

Under GDPR, consent is defined as:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Simply put, this means that all data obtained must be freely given and that the person giving consent has to knowingly agree that you will have their information. This is markedly different to the consent rules under the Data Protection Act, where data subjects could have consented for their data to be held by failing to opt-out.

Central to the GDPR definition of consent is the new rule requiring subjects to positively opt-in, which means no more pre-ticked consent boxes on online forms. Alongside making it transparent what they are consenting to, businesses must be clear about a subject’s right to withdraw their consent at any time.

2. What Consent Needs to Include

First and foremost, it is important to make clear that when we talk about what consent needs to include, we are not just referring to a single, blanket consent you can apply to every part of your business and type of marketing.

Part of creating a transparent consent system for your leads or customers is making it clear and specific exactly what they are consenting to. That means you will need to create multiple consents for each way you wish to use a subject’s data.

The ICO outlines the elements needed for a compliant consent, but we’ll take you through the checklist below:

  1. You have checked that consent is the most lawful basis for processing the data.
  2. Your consent is prominent and separate from your terms and conditions.
  3. You ask people to positively opt-in.
  4. You don’t gather consent by default by using, for example, pre-ticked boxes.
  5. Your consent is clear and easy to understand.
  6. You specify why you want the data and how you are going to use it.
  7. You provide individual options to consent separately to different purposes and types of processing.
  8. You name your organisation and any third party controllers relying on the consent.
  9. You inform individuals of their right to withdraw consent.
  10. You ensure individuals can refuse to consent without detriment.
  11. You avoid making consent a precondition of a service.

How you approach disclosing the information is up to you, but, to be legally compliant, all conditions must be met.

3. Benefits of Stricter Consent

Having to redesign your new system of consent may seem tough on the face of it, but the positives far outway the negatives.

Why? Well, every piece of consent you obtain will tell you a new piece of information about what your leads and customers want. This means that you can create far more targeted marketing to meet their needs. This will improve how your company can nurture leads on their journey to becoming a customer, and eventually flag-waver, for your company. And the best part?

"Your leads will want to hear from you."

Because the changes to consent now demand greater transparency, leads will know exactly what they are signing up for. So, when you have a database of contacts who have agreed to be contacted by you, you know each and everyone is waiting to engage with your marketing and your business.

4. How to Handle Child Consent

GDPR tackles some of the difficulties around the child and parental consent. Under GDPR, a person is no longer a child at 16, however, the regulation allows for member states to adjust this to as low as 13. It is the responsibility of the data controller to know the age of consent for the member states they are conducting business in.

Where you are looking to gain consent from persons under that age, consent should be gained from a person with parental responsibility and businesses must make reasonable efforts to verify that the person providing the consent is actually a parental figure.

Where parental consent does not necessarily apply to the processing of data that is required to comply with other legal obligations, or when the data processing is related to preventative or counselling services offered directly to a child.

Should you be offering services directly to a child, data controllers must ensure they have a clearly written privacy notice that children of that age will understand. When offering these services, it is vital to ensure you are aware of the age of the audience you are targeting.

5. Updating Your Privacy Policy

As a vital aspect of modern, digital marketing, companies with official privacy policy notices on their website need to ensure they are up-to-date and GDPR compliant.

The key to creating a privacy notice that will not breach the new regulation is to make sure you are transparent in explaining how the collected data is being used and confirming that it is being processed fairly and lawfully.

When gathering data directly from a person, your privacy policy must disclose:

  1. The identity and contact details of the controller and, where applicable, the controller’s DPO representative.
  2. The purpose of the processing and legal basis for the processing of the data.
  3. The legitimate interests of the controller or third party, where applicable.
  4. Any recipient or categories of recipients of the personal data.
  5. Details of international transfers of data to another country and applicable safeguards.
  6. The retention period of the data and the criteria that determines how long the data is stored.
  7. The existence of each of the data subject’s rights.
  8. The right to withdraw consent at any time, where relevant.
  9. The right to lodge a complaint with a supervisory authority.
  10. Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide personal data.
  11. The existence of automated decision-making, including profiling and information about how decisions are made – and the significance of the consequences.

When data is collected directly, all of the above need to be provided at the time the data is obtained.

If data is obtained through a source other than directly from the subject (third-party data providers), you need to include all of the above (excluding j and k), as well as:

  1. The source the personal data originates from and whether it came from publicly accessible sources (for any data obtained by a third party).
  2. Categories of personal data.

Since you cannot immediately share your privacy policy when sourcing data from a third party, you must provide the information held in your policy at the following times:

  • Within a reasonable period of having obtained the data (within one month);
  • If the data is used to communicate with the individual, at the first point of communication;
  • If data disclosure to another party is envisaged, before the point of disclosure.

You can find out more information on creating a GDPR compliant privacy policy for data not obtained directly in Article 14 of the regulations.

6. Performing a Database Audit and Cleanse

It is clear that to be completely GDPR compliant, you need to ensure you have a structured data storage strategy. The first step to this is performing an audit of how you currently store data. You may find that data is held across multiple locations and systems in your organisation, some data may be out of date or simply incorrect.

Once you know where your data is, centralise it and ensure it is secure and internally accessible. There is no right or wrong way of deciding how your data is stored as it is unique to the business; the key is to make sure everyone in your organisation who needs to access it can.

Auditing your data is a great opportunity to identify any subject data that does not meet the GDPR requirements. That’s right, GDPR even applies to data gathered before May 2018 when it was introduced. So, if you don’t have that transparent, active consent, you’ll need to contact the data subject to request it.

The upside of this is that it will streamline your data and ensure everyone on your contact list wants to be contacted.

Part 3: The Next Steps


1. Get your GDPR Documents

The General Data Protection Regulation applies to all organisations, big and small, and with a dramatic increase in fines, your business cannot afford to be left unprotected. In fact, the average fine issued by the ICO is now £146,000 (double the previous year leading up to the 2018 deadline).

While GDPR brings a lot of change to your business or organisation, it also presents a great opportunity. The benefits of complying are threefold:

  1. It provides you and your business the opportunity to get your data in order. Better data means a better return on investment.
  2. Staying on the right side of the law is a given. We have already discussed fines and charges you can incur from the ICO.
  3. And thirdly, by staying GDPR compliant, you won’t risk damaging your brand.

If you are one of the businesses that have struggled to apply the complex rules surrounding GDPR and are yet to implement even the correct privacy and cookie policies, surprisingly, you’re not alone – but you are behind.

2. Book Your Marketing Assessment

Our team of digital growth experts are ready to help you find out how GDPR can be the kickstart you need to supercharge your business growth.

Finding out how we can help you can solve many of the challenges of GDPR is simple. Just book a Marketing Assessment today with a member of our team:

Download the Checklist


All businesses and companies will need to remain aware that the collection of customer data does cross over into many digital marketing activities.

By demonstrating your acknowledgement of such policies, your business will show your consumers that you care about their privacy and, in the long term, you will facilitate trust and loyalty among your customers.

Remember, this guide is for information only and we always recommend seeking legal advice to ensure your business and your customers are protected. You can also find useful information and advice on the ICO’s website.

Share this page to Facebook Share this page to LinkedIn Share this page to Twitter

Keep up to date with Digital Media Stream – Subscribe to our blogs

Close Popup Form