
What I’m doing about GDPR

Jan 30, 2018 | Vee's blog | 11 comments

As the GDPR deadline looms closer (May 25th) there’s been ever-increasing advice and alarming stories about what needs to be done. I too have been keeping a keen eye on what’s required, as being in the digital marketing industry I feel it’s my job to make sure my clients and I stay out of jail.

GDPR stands for General Data Protection Regulation and it enhances the current data protection laws.

Unnecessary Advice?

I’ve seen a lot of advice that’s just unnecessary, and if you’re already following best practice there’s not much different you need to do anyway.

I attended a GDPR workshop for small business owners at the end of last year hosted by Small Business Saturday, and we had at our disposal a panel consisting of a privacy law expert, someone high up in Dropbox and a chap from the FSB, who were all part of the consultative process shaping the GDPR. Some proper experts who had hands-on knowledge about the implications for us small business owners.

Key Thing I learnt about GDPR

One of the key things I came away with was that the GDPR law is there to protect individuals’ rights over how their data is handled. In other words, treat the data of others how you would like your own personal data treated – with respect and responsibility. Whilst originally it was the big companies abusing people’s privacy that GDPR was aimed at, it affects all of us, regardless of the size of your organisation. Even if your small business is just you and only handles people’s names and emails, if you process them somehow (e.g. store them, put them in your CRM or mail list) you are affected.

They are there to help

The other thing I came away with was that you won’t get fined for non-compliance out of the blue. There’s a whole consultation process where they try to find out what you might be doing (wrong) and set you straight, and as long as you respond and show that you’re doing your best to comply, it’s unlikely you’d face the hefty fines they have the power to levy. They are there to help! So really, all we need to do is reduce the risk of being investigated in the first place.

Dropbox have produced an 8 step guide to help you get ready –

What I’m doing about GDPR

Based on Dropbox’s helpful checklist here’s what I’m doing (and not doing).

1. Understanding my data

The data I have and collect is contact information that I’ve gathered either through networking meetings (formal and informal), online social media networking and through people signing up to receive guides or newsletters through my various websites and online presence. I collect names and emails and they get stored in my CRM system. If someone turns into a prospect, then I’ll also store phone numbers and some details relating to what I might help them with. When they turn into a client then I’ll collect even more data, some of it confidential and personal that I need in order to perform whatever services I’ve agreed with them. I do also have some paper records for clients and prospects because it’s easier to handle a bit of paper than faff around trying to find it on my computer.

2. Determining Ownership and Accountability

Easy. That’ll be me, as there’s just me in my business. This means it’s up to me to adopt a data protection compliance program (I love a good procedure!) and if I engage anyone to work in my team (virtually or in person), then I’ll need to provide them with training on how to handle the data correctly. If I had staff (which I don’t) then I’d also need to consider creating an internal data protection policy to protect the data of my employees. Phew – one less thing to worry about for now.

3. Ensuring a legal basis for processing

It’s now a good time to actually document how I obtain and process the different types of data. Nowadays, the only data (other than client data) I collect and process is from people who’ve signed up to something on my website or people who I’ve met and followed up with.

I’ve seen well-meaning advice being bandied about that you need to get your existing list to double opt in (every year!). I asked the legal lady at the workshop her view on that

Let’s face it, most open rates are anything from 10-30% and the click-through rate even less. Anyone doing this would lose 70-90% of their list in one fell swoop!

On the one hand it might be a good idea to audit the list and remove anyone who is inactive, but since I communicate regularly with my list and there’s always been an unsubscribe link in every communication, I don’t need or intend to do this.

If you were communicating irregularly with your list, then it might be something to consider doing.

The GDPR requires us to be able to clearly demonstrate how and when consent was given.

My Constant Contact account logs when and how people signed up. There’s a notes section, so if I was adding someone manually I could copy and paste in the text from their email, or simply note in there how I got their permission. Being given a business card does not prove consent to be added to a mailing list.

What I don’t do is automatically add people I’ve met to my email newsletter list without asking first. That’s been my best practice for quite a few years now. If I did that, then I’d be in trouble with my email marketing tool (Constant Contact), as the condition of adding people to it (and to most, if not all, email marketing tools like Mailchimp, Drip etc.) is that you have their permission. It’s not good practice to just add people to your mailing list (I wrote a blog article about adding network contacts to your list).

4. Understanding the rights of data subjects

Data subjects (the people you hold records of) will have the right to access their personal data and to have it corrected or erased (forgotten). Now this could be a tricky one. At the moment anyone on my list can see their email preferences and amend them. If they unsubscribe, the system won’t allow me to send any further emails to them.

However, their details are still held by the email marketing system and I still have access to them. That’s so they don’t inadvertently get added again if I was to, for example, import a list on which they still appeared. So I think I’m covered on that, because although at the moment the software doesn’t let me completely ‘forget’ them, I still need to know that they should be forgotten.

5. Ensuring Privacy by Design

‘Privacy by design’ is to become an explicit legal requirement, and so I need to begin considering how to build it into my business processes. Since the only place I store any personal information is in off-the-shelf online systems, I’m relying on them doing the necessary secure and encrypted techno stuff – but I can’t remain head in the sand on this – see point 8.

If I was a masseur or beautician and I kept paper records of clients’ treatments and personal conditions, then I’d want to make sure that data was kept secure – for instance, I would make sure the cards on which I write their treatments were kept in a locked/secure cupboard.

But I’ve not forgotten the paper records I do have of clients. I’m going to go through them and shred any documents I don’t need, and what’s left will go back in the lockable cabinet (which must be locked!).

6. Preparing for breach management

This is quite an onerous one. If my data was breached, I need to contact the correct authorities in a timely manner. How would my data be breached? The most obvious way is if I was robbed or had my laptop, tablet or phone stolen or lost. Being hacked, or leaving my devices unlocked in public places, might be another way my data could be breached. Or if someone broke into my home office. Which is why that cabinet needs to be locked.

7. Communicating Essential Information

I need to review my online privacy policies and other notices so that they detail the legal basis for my processing of data. I also need to make users aware of the authority they can complain to if there’s a problem. I haven’t done that one yet. I use a plugin that generates the privacy policy wording for me, so I’m expecting the plugin developers to create a version that is GDPR compliant, or else no-one will download their plugin. Just in case, I’m subscribed to Suzanne Dibble’s Legal Academy and her GDPR pack, which contains a GDPR compliant privacy policy that I could use, and I highly recommend you do too.

8. Working with Providers

This one is also important, as if one of your suppliers (who handles your data) has a security breach that affects you, then you’re both liable. The recommendation is that you check with all your suppliers that they meet the necessary standards for data protection.

I’m not going to worry too much about this one. I use well-known companies like Constant Contact, Dropbox and Xero, and they would have to make themselves compliant to stay in business or customers will drop them.

There was some well-intentioned misinformation that said we could no longer use companies that had their servers outside the EU, so we’d have to move. Thankfully this is no longer the case. Companies outside the EU (for example in the US and Canada) sign up to what’s called the Privacy Shield, which basically declares that they are compliant with equivalent privacy and security standards. So, I won’t be moving my current non-EU services from where they are at the moment.

So there you go, a quick run down of how I’m preparing for GDPR compliance. Have you thought about it too? Let me know in the comments.

Legal disclaimer

I’m not a legal expert and I’m not proclaiming any advice or information in this article to be suitable for you and your business. It’s up to you to do your own research and take legal advice. I’m merely giving you an insight into how I will tackle GDPR compliance in my business.

Useful Links, Resources and Further Reading

ICO Website:

Check out: For organisations: -> General Data Protection Regulation (GDPR)

  • Useful guides: 12 steps to take now
  • Getting ready for the GDPR checklist

Small Business Hotline: 0303 123 123

Free Resources

Facebook Group

Suzanne Dibble video training

Click here for a free 2 hour training by Suzanne Dibble (Data Protection Expert/Lawyer)


GDPR Checklist:

Other resources

GDPR Pack comprising:

  • Email for refreshing consent
  • GDPR compliant privacy policy
  • GDPR checklist inc processing checklist
  • Data processing inventory
  • Legitimate Interests Assessment form
  • Data transfer checklist
  • Marketing checklist
  • Records retention policy
  • DPO checklist
  • Employer checklist
  • Employee privacy statement
  • Employee subject access request form
  • Response to employee subject access request
  • Processor agreement
  • Subject access record
  • Data breach record
  • Data breach checklist
  • DPIA form





  1. Sherry Bevan

    Very thorough and well thought out article Vee. Thanks so much for sharing your approach. Really helpful.

  2. Vee Smith

    Thank you Sherry

  3. Jacqui Hogan

    An excellent article Vee.

  4. Vee Smith

    Thank you Jacqui

  5. Geraldine

    Great advice and super practical. Thanks Vee.

  6. Vee Smith

    Thanks Geraldine

  7. Deb Toulson

    So pleased to read some down to earth GDPR advice rather than all the scare-mongering stuff.
    I am part of a franchise who STILL haven’t told us what improvements they are making, but I know a lot of this is down to me so your 8 point list is really helpful.

  8. Deborah

    Very helpful, thank you.

  9. Stuart Burgess

    A brilliant article. Lovely relaxed tone yet extremely informative. Please keep ‘em coming.

  10. Sarah Arrow

    Hi Vee,
    You mention about the privacy shield, if your company holds data and isn’t in the EU or signed up to the privacy shield, then what? I’m not one for generic privacy policies and they’re often not based on UK law but US law. What do you recommend for those of us that like to trade using UK based policies? I’d think we need new policies, but I’d love to know what you advise here.

  11. Vee Smith

    Hi Sarah, it’s a very good point you raise. I think the issue is, if the company you use who stores your data isn’t in the EU or signed up to the Privacy Shield, then I would ask them what their intentions are around GDPR compliance, because you (their customer) are based in the EU and therefore they are required to comply if they are to keep your custom. If their response wasn’t satisfactory, then I would seriously consider moving to another provider who is (and tell them, so that they do take it seriously). Disclaimer: Know that I’m not a lawyer or offering any advice, it’s just what I would do. The place for the definitive answer would be the ICO themselves 0303 123 1113 or their website:
