In recent years the news outlets have been reporting stories of data harvesting & data breaches in large companies. Facebook and Cambridge Analytica being the latest as of writing (2018)

  • Data Harvesting – collecting data from a rich resource (such as Facebook)
  • Data Breach – information being stolen from company’s computer

As the general population becomes more aware of the value & risk of personal data, more people are beginning to ask questions such as:

  • Where is my personal data being stored?
  • How is my data being used by businesses?

Do you ever read the terms and conditions on a website before you sign up with personal information?

What is GDPR?

The General Data Protection Regulation 2018 (GDPR) is a legislative act based on the previous Data Protection Act (1998). The aim is to provide users with a clear understanding of how an organisation is going to use their personal data.

Data can be handled in three ways

  1. Collecting
  2. Storing
  3. Processing

Under GDPR rules your business must be transparent about how and why user data is handled.

What constitutes private data / non-sensitive data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.

  • Name
  • Photo
  • Email address
  • Bank details
  • Posts on social networking websites
  • Medical information
  • IP address

What is the difference between a data processor and a data controller?

A controller is an entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.


What do you need to do?


  1. Understand what GDPR is
  2. Make staff aware of legislation and how it impacts the business
  3. Organise an information audit – Identify what, where and how you collect and process data
  4. Determine if there is a business need for this data
  5. Create documents:
    • Data protection policies
    • Data protection impact assessments
    • Document how data is collected, stored and processed
    • Data breach action plan
  6. Publish relevant information online
  7. Create “honest & positive” opt-in to data collection and process data
  8. Create data access request process- “Subject Access Request”
    • Who is responsible
    • Data access request output in electronic format
    • Time limit of one month
  9. Create data erasure request process – “Right to be forgotten”


What do we suggest?

Appoint a DPO  (Data Protection Officer)

Even if you legally don’t have to, choosing someone to ‘take charge’ of Data privacy is a good thing, and this person should be included in all forward planning to make sure data privacy becomes part of your business.

Build a Data Preference Centre

Giving a user control over their data makes it much more likely they will stay with you long term. We use an enhanced email preference centre called a “Data Preference Centre” as a place for users to manage their data. It will quickly deal with users ‘Data rights’ as well as help you fine tune your marketing messages.

For more information and to build your own Data Preference Centre, get in touch.