What you need to know about the new General Data Protection Rules (GDPR) | Yewtrade


The new GDPR rules come into effect on May 25th 2018. This short guide briefly covers how you can ensure you are adequately prepared, as failure to comply could be very costly for your business.

The GDPR rules have been created in order to update the current data protection rules, to protect identifiable personal data and also to prevent businesses from spamming their customers. Every business that handles data of EU-based customers needs to comply, whether or not the business itself is based in the EU.

Within the rules, you do not need to obtain customer consent to send them an email with your invoice, if that is how you wish to send invoices out, but it is very important that you obtain explicit consent from the customer before you send them any marketing literature. While the rules may seem onerous, they are not too bad when you break them down, and one of the good side effects is that any future marketing campaigns you do run will cost you less, as you will only be sending the material out to customers who have expressed an explicit wish to receive it. Your return on investment for the campaign should, therefore, be much higher.

In order to comply, you need to carry out, and show that you have carried out, the following steps.

1. Make a list of all customer data and a clear list of where each set of data is stored and who has access to it. For GDPR compliance you must have total knowledge of all customer info, whether it is stored physically or digitally, and know who can access it and where it is kept.

2. GDPR is all about privacy. Make sure your staff and third-party suppliers are aware of your privacy policy. The policy must include stipulations of who can access what level of personal customer data.

3. Review Consent. Your customers must know and give explicit consent to be contacted by any method (Phone, SMS Text, Email). For example, they may specify that they only want to receive emails about your marketing. If this is the case, you are not allowed to call them about any offers. You must have consent procedures in place for GDPR compliance. It is very important that any tick box ticked is for the customer to explicitly opt in. It is not compliant to have an opt-out tick box that must be ticked. The customer must actively opt in and not be opted in by default.

4. Data Breach Policies. What do you do if somebody manages to hack into your systems and obtain your customer information? You need to have a full plan of action ready to be implemented if you think that any customer data has been compromised. This includes the need for clearly communicating to the customer that their data has been breached, how they should reset online passwords to their accounts, and any other information relevant to the breach and your remedy for it.

5. Data Protection. For GDPR compliance you must protect the data that you possess on your customers. Data that is in the public domain, such as a website and the contact information on that website, is not included. Any data that is aggregated for marketing analysis must have information that could lead to the identification of an individual removed. The best way to protect data is to delete the data you don’t need.

What data is included in the GDPR

Personal data is anything that could be used to identify an individual. Identifiable information relating to an individual is sensitive data and it must be treated with due diligence to security. This includes IP addresses, location data, and online and behavioural identifiers that could be traced back to an individual or mobile device. So you must treat all this data with the same care you would their bank details.

Pseudonymous Data is data that has been stripped of its specific identifiers. The use of this is not so strict because it can’t be traced back to a single customer. You can use this kind of information to analyse trends in your customers' habits and buying behaviour.

If someone could obtain your data, what level of harm could be caused? Any data that leads to an individual being recognised and at risk is personal data. Any data that would not create a risk of harm, such as an anonymous profile with nothing linking to an individual, is pseudonymous data. If you hold any genetic or biometric data on your customers then this comes with further restrictions and it cannot be handled without specific explicit consent.

If someone requests to be removed you must remove all data about them if there are no financial transactions.  However, financial transactions cannot be removed.  The best method is to archive these transactions into another database that has heavily restricted access.

You do not need consent to email invoices.  You need consent to email newsletters.

GDPR and Promotions

You must give customers a method whereby they can access the data you hold on them and change how you contact them for marketing purposes.

A notable area of GDPR is direct marketing. You can process personal data for the purposes of direct marketing because there is a legitimate interest.

When you run a promotion it is important that you do not give a special offer only to people who sign up for your marketing. This is called coercion. You are allowed, however, to give different offers to people who sign up.

For example, you can’t say “Sign-up to our newsletter and receive 25% off”, as this is coercion and offering an incentive to receive the marketing. You can, however, word your offer something like “50% off. Want more offers? Sign up today.” Doing this means you are giving an offer to all and not just to those who sign up. That is the crucial point.

So how can you be sure to be ready for the GDPR rules?  Simply follow the checklist below.

Your GDPR Readiness Checklist

1. Conduct an audit of your customer data.

2. List the processes you have for handling personal data.

3. Identify your lawful basis for processing, storing and documenting personal data. The lawful basis is the reason you hold the data for contacting them. If you have no reason to hold their data, delete it.

4. Create and document how you request and record a customer's consent to be included in marketing literature and so on.

5. Write a data protection policy that includes the new personal data identifiers such as IP addresses, cookies and information about mobile devices.

6. Name a specific Data Protection Officer responsible for upholding your policy.

7. Communicate your new personal data protection policy to all members of the business and make it available for customers to view upon request.

8. Implement technical processes such as encryption and security access for the data.

9. Create procedures for handling sensitive personal data such as genetic and biometric data, where or if it is relevant.

10. Ensure all staff are trained to responsibly handle personal data.

11. Develop a breach notification process to identify, report, communicate, manage and resolve any breaches.

12. Write a policy for correcting data, personal access and erasure where it's allowable.

13. Include clear explicit opt-in consent on all your marketing communications.


