Clueless about GDPR and customer data protection? Keep calm and read on!


What is GDPR?

The General Data Protection Regulation (GDPR) is the biggest change in data protection laws for 20 years, and when it comes into effect on May 25th, 2018, it intends to give European citizens back control over their personal data.

Businesses are collecting more personal data than ever before. But with the GDPR policy coming into effect next year, are small businesses ready to make changes to how they collect, store and use their data?

Could your business take a £310,000 financial hit? Sounds painful, right? That figure is the average maximum cost of a data breach, up from £115,000 in 2014.


Data Protection Act & GDPR: The Principles

GDPR has 8 principles that businesses need to consider and abide by. GDPR retains the principles from the original Data Protection Act, but these have now been extended and strengthened. Some further reading around these principles is needed (handy links at the bottom).

The principles are as follows:

  • Principle 1 – Fair and Lawful
  • Principle 2 – Purposes
  • Principle 3 – Adequacy
  • Principle 4 – Accuracy
  • Principle 5 – Retention
  • Principle 6 – Rights
  • Principle 7 – Security
  • Principle 8 – International


According to the Information Commissioner’s Office, the most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.


Article 5 of the GDPR requires that personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to individuals;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”


What does this all mean?

So, for small business owners, how do we make this real? How do we get our heads around the principles and put real processes in place? Here are the top 5 things to think about when storing and processing customer data:

  • OPT IN

This is all about process. You need to make sure that all your customers have opted into your mailing lists and ensure that they are made aware that their records are held on a database. As a data controller or business owner you will need to make sure that you have documented proof of opt in: an email, system or process in place which proves consent to hold and use their data.

  • OPT OUT

Again, this is about visibility and process. You need to make sure that your customers are aware that they can opt out. Under the new regulation customers now have a right to be forgotten. So, you need to make it easy for customers to opt out and stop receiving marketing communications.


Take this opportunity to re-evaluate your tech and your processes around collecting data. Which CRM do you use? If you use spreadsheets, speak to your IT provider to see if they can support you with an integrated process. Does your email system and CRM communicate with each other? Does all your tech work appropriately with the processes you need to put in place?


The new regulations mean that if you have a ‘request to be forgotten’ you need to act and take responsibility. So, appoint a Data Processor or Controller to ensure that your databases are up to date, you’re storing consent forms and you’re following up on requests. Yes, it’s another admin task. But it needs to be done.


It’s time to start treating people and their data with respect. Ensure that the databases you use are secure and private. Ensure that your marketing activities consider your customers and how they’d like to be treated. What sort of messages would they like to receive, and how often? Now is the time to be courteous. It’s more than regulation: use this time to re-evaluate marketing communications and technology in your business.
