01164 422546


Top Tips To Help You Understand GDPR

It's not going anywhere ...


This week, I hand over to my colleague Hazel Napier, who has a host of knowledge about protecting businesses with terms and conditions. She writes about GDPR and offers some very useful top tips ...

If you're at all unsure on the GDPR regulations, Hazel's top tips will help!


copyright: jirsak / 123rf

The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and caused quite a shift in the way businesses handle data. Many business owners panicked, desperate for well-structured and comprehensive advice, and the new law did not arrive without criticism.

The reasons for the reform of the law made sense; there is no doubt it was necessary to update the law, since the last act was 20 years old and technology had moved on significantly since then.

Ultimately, data protection laws have aimed to protect individuals' personal data by offering people genuine choice and control over how organisations use their data and by making sure that organisations only store and use data where they have a lawful basis for doing so.

  • Top Tip Number 1 - Personal data includes business data too

    GDPR could not be clearer: if your email address is personally identifiable to you as an individual, it counts as Personal Data under the law. It is a common misconception that this rule applies only to private email addresses, so be careful when using business email addresses too. However, generic addresses such as info@ or hello@ are not protected, so these can be contacted, stored and processed in whichever way you wish.

  • Top Tip Number 2 - You do not always need consent

    There are SIX lawful bases on which processing can be carried out, and yet consent was the one the whole country went up in arms over. Businesses thought they had to ask for consent to contact someone they had met at a networking meeting, even to ask for consent from their own clients, and were often under the belief that consent was always essential to send any form of marketing.

    We have heard of people still being asked for consent from nurseries and schools to store their children's details. What if they said no? Consent here simply isn't needed. Yes, consent is a huge part of GDPR, but as an educational establishment they have legal obligations that require them to collect, process and store personal data and therefore they do not need consent to collect certain data from parents or children. It's common sense really.

    As mentioned above, you also do not need consent from your clients to store their personal data. As 'contract' is a lawful basis for processing data, it is paramount that you have your clients' data to be able to complete the tasks you are in contract with them to do. Again, common sense.

    As time went on, more and more businesses were learning about the 'legitimate interest' lawful basis for processing and it does seem you can rely on this for many reasons for processing data. For example, if someone had enquired about your services, there is no issue in adding them to your mailing list, but you must give them the clear option to be able to unsubscribe and of course you must not add them to any mailing list that is not of legitimate interest to the business they enquired with.

  • Top Tip Number 3 - Pre-ticked boxes are not allowed

    Whilst you do not always need consent, it is important to remember that when consent is relied upon, it should mean you are offering individuals real choice and control. Genuine consent should put individuals in charge and by having pre-ticked boxes this is not explicit, it is instead a method of default consent.

    Consent should also not be a precondition of a service, for example, "Sign up to our mailing list and you'll receive this free widget". You should always show that consent is freely given, keep evidence of that consent and keep consent requests separate from any terms and conditions.

Remember, GDPR isn't going anywhere! Whilst there is little talk about it anymore, and it is no longer a buzzword, it is still important. The Data Protection Act 2018 is the UK's implementation of GDPR and so will still apply once the UK leaves the European Union. The same strict rules, known as the data protection principles, continue to apply.

"There is stronger legal protection for more sensitive personal data and every citizen has rights under DPA 2018!"

All this should be covered in your privacy policy, and if you want to obtain ISO 27001, then understanding your obligations, putting them into practice, and ensuring you handle and process personal data in line with the law is a key part of ensuring your business's GDPR compliance.

Until next time ...



Would you like to know more?

A huge thank you to my colleague Hazel Napier for this week's blog post!

If you have any concerns about your own GDPR policy, why not talk to us? Call us on 01858 414226, leave a comment below or click here to ping over an email and let's see how we can help.


#SME #Quality #ISO9001 #UK

About Ellen Willoughby ...


I'm Ellen, Director of All About Quality and All About Productivity. I have over 20 years' experience as a professional in the quality world and 17 years as a practising Buddhist. As a result of this, I have a passion for improvement in both business and personal life.
