What the hell is GDPR anyway, and why should I care?


OK, so anything named the General Data Protection Regulation (GDPR) doesn’t sound a great deal of fun to read. But for any business that handles data (i.e. all of us these days), it can’t be ignored. Unlike a directive, which each EU member state has to implement in its own national law, this new regulation will apply directly as law. And the fines for non-compliance are staggering – up to €20m or 4% of annual turnover (whichever is higher).

That’s twenty million Euros. Paying attention yet?

Added to that, there is no limit on company size which means the fines can affect the smallest startups as much as the largest corporates.

GDPR will come into force on May 25, 2018 – all of us need to start thinking about the data we hold, and how we use it.

Don’t we have data laws already? Why the change?

We do. But currently, each of the 28 member states of the EU has its own separate data protection laws, based around the EU E-Privacy Directive. It’s fair to say this makes things a little confusing – which is why the GDPR came about. This new EU privacy law will create a single data protection framework across the EU, and will be enforced as law from May 25, 2018. With the ruling coming into force pre-Brexit, the UK will still need to enforce the changes even with the hardest of Brexits.

What this all means is a unified way in which businesses collate, handle and process personal information. This touches on everything from data storage and security access all the way through to marketing activity.


OK, gotcha! So what do I do now?

Good question. The answer is to start prepping, NOW.

The Information Commissioner’s Office has confirmed that it will publish regular practical GDPR guidance (and signposting guidance created by others), which can be found on their website. In a document entitled “Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now”, first published in March 2016, they stress the importance of acting now to ensure that you gain buy-in from key stakeholders, and put in place any new processes needed for compliance. Their 12 steps include:

  • Raising awareness of GDPR amongst decision-makers
  • Organising an information audit: the data you hold, where it came from and who it’s shared with
  • Checking that your current procedures cover all the data protection rights that individuals have
  • Having the right procedures in place should a data breach happen

This isn’t just a compliance challenge, it’s a technical one too. You need to understand what data you hold, where it is, who has access to it, and what it’s used for. Personal data isn’t just names and ID numbers or payroll numbers; it includes things like your computer’s IP address and demographic information.

Data needs to be encrypted or anonymised, so it can’t be immediately tied back to an individual. Privacy notices need to be clear and easy to understand, outlining why data is collected, what it will be used for and how long it will be kept. It must be as easy for users to opt out as it is to opt in, and opting in must be a positive action. That means not pre-ticking email sign-up boxes, for example.
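The two preceding paragraphs describe the technical side of this: know which fields in your data are personal data (an IP address counts), make sure stored copies can’t be immediately tied back to a person, and keep data no longer than the notice says. Below is an added example in Python of how that looks in practice. It is not code from the original article or from Winbox; the records, the field list, the key and the retention period are all constructed for illustration. It pseudonymises personal fields with a keyed HMAC rather than a plain hash, because the set of possible IPv4 addresses (and of email addresses on a bought list) is small enough that an unkeyed hash can be reversed simply by hashing every candidate.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records, as an information audit might surface them.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "ip_address": "203.0.113.7", "plan": "pro", "collected_on": "2016-01-10"},
    {"name": "Bob Example", "email": "bob@example.com",
     "ip_address": "198.51.100.23", "plan": "free", "collected_on": "2017-11-02"},
]

# Fields this hypothetical business treats as personal data. Note that the
# IP address is on the list, not just the name and the payroll number.
PERSONAL_FIELDS = {"name", "email", "ip_address", "payroll_number"}


def audit_personal_fields(records):
    """Return the set of personal-data fields actually present in the records.

    This is the 'what do we hold?' step of the information audit.
    """
    present = set()
    for rec in records:
        present |= PERSONAL_FIELDS.intersection(rec)
    return present


def pseudonymise(value, key):
    """Replace a value with a keyed HMAC-SHA256 token (first 16 hex chars).

    The same value and key always give the same token, so records can still
    be joined and de-duplicated. Without the key the token cannot be reversed
    by brute force, which a plain SHA-256 of an IPv4 address could be.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return mac[:16]


def pseudonymise_record(record, key):
    """Copy a record with every personal-data field replaced by a token."""
    out = dict(record)
    for field in PERSONAL_FIELDS.intersection(record):
        out[field] = pseudonymise(record[field], key)
    return out


def is_past_retention(record, today_iso, retention_days):
    """True if the record is older than the retention period in the notice."""
    collected = date.fromisoformat(record["collected_on"])
    today = date.fromisoformat(today_iso)
    return today - collected > timedelta(days=retention_days)


if __name__ == "__main__":
    # Constructed demo key; in a real system it lives apart from the data
    # (e.g. a secrets store), so a leaked database alone reveals no identities.
    key = b"constructed-demo-key-keep-it-separately"
    print("personal fields held:", sorted(audit_personal_fields(RECORDS)))
    for rec in RECORDS:
        print(pseudonymise_record(rec, key))
        if is_past_retention(rec, "2018-05-25", 365):
            print("  -> past the 365-day retention period, should be deleted")
```

Two caveats worth keeping in mind when using something like this. Under GDPR pseudonymised data is still personal data as long as the key exists and could re-link it, so the key needs its own access control, and only genuinely anonymised data falls outside the regulation. And the retention check is only useful if it is actually wired to a deletion job; a notice that promises "kept for one year" is a commitment, not a statistic.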


Wait, so this affects my marketing efforts too?

Yup, the days of buying a list and spamming the crap out of them are long gone (and rightly so, we say).

Put simply, B2B and B2C marketers alike will need to have written consent (like an opt-in form) from their audience in order to market to them at all. There will be no use of cookies to track users’ behaviour without their consent, and you must have clear written documentation confirming that your audience is happy for you to use their details for marketing purposes – which could cause problems for your email marketing efforts. What’s more, exactly which data you are able to use must also be made clear.

Essentially, your audience must have confirmed in writing to opt-in: soft opt-ins or relying on opt-outs to filter lists will no longer be the norm.

Add to this the fact that the regulation gives consumers the right to be forgotten, easier access to information on how their data is used and the right to know when their data has been hacked: for some firms, a great deal of work needs to be done before the new ruling comes into force.


But I like spamming people…

Well… you should probably stop that.

Winbox is all about email marketing the right way. Building relationships with your customers is paramount, and adding value is the best way to engage your audience.

You can still buy lists now, so make hay while the sun is shining, but make sure that the messages and information you send them are of high enough value to keep them coming back for more. Your list may well take a hit, but the engagement rates should be much, much higher.


You’ve been very helpful, thanks!

You’re welcome.

Marc Woodland is the founder of Bristol-based email marketing specialists, Winbox. If you’d like to find out more about GDPR, pop along to their free event on the 28th June and get your roadmap from marketing and legal specialists.