Are you GDPR Compliant?

The General Data Protection Regulation (GDPR) will be coming into force in just 8 weeks, so it’s time to get your house in order. If you don’t know what GDPR is, here’s a quick overview, with some further reading and listening.

Please note this article does not constitute legal advice. You are advised to do your own research, and seek independent legal advice on specific issues.

What is GDPR?

GDPR is the new EU-wide legislation on data protection. It will be enshrined in UK law too, so we will still have to abide by it after Brexit.

It ties up a lot of loose ends from previous data protection regulation and adds a lot of new obligations too.

If you are not compliant, you can be liable to massive fines (up to £20 million – yes, you read that right, twenty million). But if you can show that you are working towards compliance, this will count in your favour.


How GDPR is likely to affect you:

This is NOT an exhaustive list, and does NOT represent legal advice. But I want to give you a snapshot of the sort of things that are covered.

If you are already following current law, there’s not that much change in data protection. But you must keep records on how and where you collect data (so make sure you know exactly where your lists are kept and how they are kept). People must have given informed consent for you to collect it and use it (no more opt-out boxes, opt-in boxes only), and people must be able not only to opt out of mailing lists but to be permanently deleted from them.

  • This means that if you hold data – names, email addresses, postal addresses, phone numbers of customers or clients or potential customers – then you must have EXPRESS permission not only to use it, but for each specific purpose you use it for. (For example, I cannot use the Design@HEART mailing list to send out information about my own design business, because you didn’t sign up for that.)
  • You must check that you are only collecting data that you really need (if you never send anything by post, do you need a postal address, for example?).
  • You must know where all your data is held – whether it’s on a secure website, or in something like Mailchimp, or on your laptop, or in wads of paper under your bed. If you have a legitimate reason for still needing and using it, it must be secured (locked away, encrypted, etc.); if not, then it needs shredding.
  • You must make sure that people who sign up to your mailing lists are told exactly how you will use their data, and they must have a straightforward opt-out option for leaving the mailing list. At which point you have to remove them from the list, not just stop sending them things.
  • You must make sure that all the people on your mailing list have given permission to be on it. If you are not using software such as Mailchimp, but just have a spreadsheet of your own, you need to contact everyone and ask them whether they want to be on it. And remember to delete people who don’t.
  • Your Privacy Policy and Terms and Conditions notices (if you don’t have any, you must get them now) must expressly say how you intend to use people’s information. This is the law now. Once GDPR comes into force, you will also need to tell people in your Privacy Policy what you are collecting data for, how you will use it, how long you will keep it for, and that they have a right to complain to the Information Commissioner’s Office (ICO) if they think there is a problem with the way you are handling their data.

Social Media

One of the new features of GDPR is that it covers social media profiles and photographs. Please be sure to read up on this. You cannot assume that just because people contact you through social media, you can use their email address to send them information, for instance.

Photographs that can be used as biometric information (facial recognition) will be considered personal data under GDPR. If you have photographs with people in them where their faces are recognisable, then you would need to have their express permission to use them. They would need to have clear information about the context in which the photos would be used, they would need to have access to those photos, and the right to erase them (i.e. have them removed from websites, social media, printed materials, etc.). If photographs feature children under 18 years, full written parental consent must be given. This is not a comprehensive list. Please do your research.

I can highly recommend this podcast from Blogtacular

There’s a good summary of your obligations in this article from Sixth Sense PR

The definitive guide to GDPR from the official page of the Information Commissioner’s Office 

An overview of best practice for photographers in this article from dotkumo

An article from Our Social Times about GDPR and Social Media


Once again, please do your own research, and do not take this as a comprehensive list of things you must do.
