Your Questions Answered About GDPR | Data Protection Made Easy

The big GDPR deadline may be behind us, but there is still a lot of confusion surrounding recent GDPR changes. Can you still use your email list? Should you be deleting old records? Are the data protection police going to come knocking at your door? However, navigating GDPR and data protection isn’t as complicated as you might think.

Here are the 10 most common questions we get asked about GDPR with their answers, without all the confusing jargon. Because GDPR doesn’t have to be difficult:

1. What is GDPR?

GDPR, or the General Data Protection Regulation, is an EU law on data protection and privacy for personal data inside and outside of the EU.

GDPR rules changed on 25th May 2018, so you and your business need to be aware of the changes in law and make sure you are following the new regulations on personal data protection. All businesses in the EU are affected, including SMEs.

2. What is the Data Protection Act?

The Data Protection Act (DPA) is a 1998 act that defines how personal data may be used and handled, so that it protects information about living individuals.

The Data Protection Act is currently being updated to reflect the changes in GDPR and to Brexit-proof the GDPR laws in the UK.

3. What is personal data?

Personal data is anything that can identify a living person, whereas sensitive personal data is any personal data that could cause discrimination. Examples of personal data include names, email addresses, phone numbers, financial information, medical records, CCTV video footage and more.

Under new GDPR rules, your business must have a policy in place that includes what personal data you store, how you are storing and handling it (e.g. transferring data), what proportionate measures you are taking to protect that data (password protection on computers, locked filing cabinets, encrypted emails etc.), what actions you will take in the event of a data breach, and when and how you dispose of personal data (e.g. deleting old emails annually).

4. Who is responsible for protecting personal data?

Under GDPR, both the data controller (the party that holds the data) and the data processor (the party that processes the data) are responsible for complying with GDPR. This means that if you work with a marketing company, website company or other supplier who offers such services, you are all responsible for having policies in place that comply with GDPR, in order to store and handle data correctly.

5. How do I write a GDPR policy?

For templates, examples of how to write a GDPR policy and for more information, visit the ICO (Information Commissioner’s Office) website. Or contact us at HDK Marketing for help in organising a data audit and putting together a GDPR-compliant policy.

6. What is compliant consent?

Under new GDPR rules, individuals must explicitly opt in to receiving information from you. For example, when filling out forms or signing up to receive a newsletter, they must explicitly consent to opt in, rather than implicitly opt in or explicitly opt out.

However, if you have a genuine reason for holding and processing personal data (including legitimate interest, professional obligation and marketing), then this is OK. For example, your current and – to some extent – previous customers fall into this category.

If you’re unsure, check the ICO website for their definitions of marketing.

Note: one grey area is social media, such as using LinkedIn. Under GDPR, you should not export LinkedIn contacts and email them without their explicit consent. Some experts have gone as far as to say that you should not InMail on LinkedIn without explicit consent, but with social media there is no clear place to draw the line.

7. Do I need to get my customers to re-opt-in to my mailing lists?

No. Your own customer data is fine. However, for new customers and contacts, best practice is to be transparent, and they must be given the choice to opt in, rather than opt out.

Another grey area surrounds personal data you currently have that has been obtained without explicit consent, for example third party lists, researched lists, headhunting etc. For B2B, these contacts could fall under the “legitimate reason” category, but be mindful about whether you choose to continue marketing to these lists.

Note: info@, sales@ or enquiries@ email addresses are not considered personal data.

8. Do I need to hire a Data Protection Officer?

No. Unless you are Amazon, or Google, or Facebook, you will not need to hire a Data Protection Officer. Although GDPR is daunting, the steps for any SME to follow to become compliant are actually quite simple. These new data protection rules are not put in place to punish SMEs, but to make sure large companies fall in line.

9. What should I do if a data breach happens?

You must inform the ICO of any data breach within 72 hours. This could include if a laptop gets stolen, computers are hacked, phones are lost (if you use your mobile phone for business) etc. Check the ICO website first to see if you need to report the data breach to them.

10. Am I going to get fined if I don’t comply with GDPR?

Not likely. Again, the focus of GDPR is to make sure that huge global companies with huge amounts of data are doing their best to protect it and the threat of large fines is there to ensure that. However, if you are an SME who is trying their best to comply with GDPR (including writing and adhering to a policy), then you are not a target. It is more likely that any small mistakes will be forgiven, as long as you can prove you are trying to comply with GDPR to the best of your ability.

11. BONUS QUESTION: So, what steps should I take next?

  • Complete an audit of the data and data processing you currently have.
  • Write a policy on how you will or do handle that data.
  • Put the plan into action and remediate any problems to ensure the protection of data, where it is contained and when it is in transit. This may mean that you contact any suppliers or service providers that have access to the personal data you hold.

Helen Denby-Knight, Director, HDK Marketing, Sutton Coldfield


HDK Marketing has helped many SMEs in writing their data protection policies and auditing how much personal data companies are currently holding. Therefore, if you need any help, support or advice on how your business can comply with the new GDPR rules, then don’t hesitate to contact us to learn more.