Last night I attended a most interesting talk, hosted by the Lossiemouth Business Association, about the change to the data protection laws, the GDPR, that comes into force next May, and specifically what that means for small business marketing. If you’re a small business owner, read on….

(This blog post is my report of the presentation by Claire Beckley of Ordered Company and Andrew Kings of to members of the Lossiemouth Business Association in November 2017. This is not official or legal advice, just me interpreting my notes to share some of what was discussed at the meeting.)

What is GDPR?

Currently in the UK, our right to privacy is covered by the Data Protection Act 1998. The General Data Protection Regulation will come into effect in May 2018 and will apply to everyone in Europe, regardless of Brexit. It will also apply to anyone who wants to use the personal data of people in Europe. It’s designed to protect consumers and prevent their personal data being used without consent.

What does the GDPR mean for your marketing?

Firstly, you can only keep personal data, on a lawful basis, that you legitimately need in order to carry out your business with a person, whether that’s your client, customer, employee or third party. For most of us sending out newsletters and sales emails, this is likely to be their name and email address. Not date of birth, not mailing address, not phone number, etc., unless you have their consent to phone them, or you need it in order to do business (e.g. a hair salon could keep clients’ phone numbers on its database, but an online shop probably wouldn’t need to, so it must gain specific consent to do so).

Only carry out unsolicited marketing if the person you are targeting has given you permission to do so – Claire Beckley, Ordered

At the simplest level, you need to have a record that the people on your mailing list have consented to be contacted by you for the purposes of marketing. If they’ve opted in via an online form, then that would have been enough under current data laws.

But with GDPR, you also need to prove that when the data was collected, the purpose for it was clear, that they understood that they had the right to withdraw that consent at any time and that it was also clear how long you will retain that data for.

This means that you don’t necessarily have the right to continue emailing them until they ‘fly, die, or buy’.

If the clauses about the right to withdraw consent and how long you’d retain their personal data for were not included in the data or privacy policy on your website at the time they opted in, then between now and next May you should consider updating your privacy policy and contacting everyone on your mailing list and asking them to opt back in, under the new terms, removing those that don’t reply.
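The re-consent exercise described above (check what each person was told when they opted in, ask those whose consent record is incomplete to opt back in, and remove those who don’t reply) is a simple enough decision to write down as code. The following is an added example, not something from the talk or from Ordered Company: the field names, the constructed sample subscribers and the 30-day reply window are all assumptions made for the illustration, and a real mailing-list tool would store the same facts in its own way.

```python
"""Consent audit for a small-business mailing list (added example).

Models the re-consent step described in the post: keep people whose
original opt-in covered purpose, withdrawal right and retention period;
ask the rest to opt back in; remove anyone who withdraws or does not
reply within the window. Field names and the reply window are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    """What one subscriber was told at sign-up, plus any later re-consent."""
    email: str
    opted_in_on: date
    purpose_stated: bool            # was the marketing purpose made clear?
    withdrawal_right_stated: bool   # told they can withdraw at any time?
    retention_stated: bool          # told how long the data is kept?
    withdrawn: bool = False         # has the person since opted out?
    reconsent_sent_on: Optional[date] = None
    reconsent_confirmed: bool = False


REPLY_WINDOW = timedelta(days=30)   # assumed grace period for replies


def consent_is_complete(rec: ConsentRecord) -> bool:
    """All three GDPR points were covered when the person opted in."""
    return rec.purpose_stated and rec.withdrawal_right_stated and rec.retention_stated


def classify(rec: ConsentRecord, today: date) -> str:
    """Return one of 'keep', 'ask', 'pending' or 'remove' for a subscriber."""
    if rec.withdrawn:
        return "remove"                     # withdrawal always wins
    if consent_is_complete(rec) or rec.reconsent_confirmed:
        return "keep"                       # a valid consent record exists
    if rec.reconsent_sent_on is None:
        return "ask"                        # incomplete record, not yet asked
    if today - rec.reconsent_sent_on > REPLY_WINDOW:
        return "remove"                     # asked, no reply in time
    return "pending"                        # asked, still inside the window


def audit(records: List[ConsentRecord], today: date) -> Dict[str, List[str]]:
    """Group subscriber emails by the action the audit calls for."""
    result: Dict[str, List[str]] = {"keep": [], "ask": [], "pending": [], "remove": []}
    for rec in records:
        result[classify(rec, today)].append(rec.email)
    return result


# Constructed sample data for the example; these are not real subscribers.
SAMPLE = [
    ConsentRecord("alice@example.com", date(2016, 3, 1), True, True, True),
    ConsentRecord("bob@example.com", date(2015, 7, 9), True, False, False),
    ConsentRecord("carol@example.com", date(2014, 1, 20), False, False, False,
                  reconsent_sent_on=date(2017, 11, 1), reconsent_confirmed=True),
    ConsentRecord("dave@example.com", date(2016, 9, 5), True, False, True,
                  reconsent_sent_on=date(2017, 9, 1)),
    ConsentRecord("erin@example.com", date(2017, 2, 14), False, False, False,
                  reconsent_sent_on=date(2017, 11, 10)),
    ConsentRecord("frank@example.com", date(2016, 5, 30), True, True, True, withdrawn=True),
]

if __name__ == "__main__":
    for action, emails in audit(SAMPLE, date(2017, 11, 15)).items():
        print(f"{action:8s} {', '.join(emails) or '-'}")
```

Run against a dated snapshot of the list, the output is the three mailings you actually need to send: nothing to the “keep” group, a re-consent request to the “ask” group, and a deletion of the “remove” group once the window has passed. Keeping the record of what each person was told at sign-up is the part that matters; without it the audit has nothing to work from.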

(Yes. Exactly. That’s what I thought!)

Don’t panic!

In preparing for GDPR, the keywords are ‘practical, proportionate and proactive’ – Andrew Kings,

Claire and Andy were very pragmatic about the situation, urging us to be ‘practical, proportionate and proactive’ in preparing for the changes. For a small business, this is only likely to become an issue if there is a serious data breach (e.g. a CC to a mailing list, rather than a BCC, thus sharing every recipient’s email address with everyone else on the list) which is reported to the Information Commissioner’s Office. They encouraged us to be aware of the new requirements and start to make changes in our operations to incorporate enhanced data protection into our practice and policies.

The good news is that social media is generally considered ‘permission marketing’, i.e. you give consent to be marketed to when you sign up for Facebook, Twitter, etc (that’s a whole other blog post in the making, being targeted by Facebook Ads), so for social media, pay per click ads and display ads, carry on as you were!

Data protection affects your whole business

Marketing is only one aspect of data protection. It also relates to your employees, your supply chain and other third parties, for example how you share client or employee data with your accountant. The entire organisation, from the directors and management down, needs to understand its responsibilities towards personal data. If your receptionist doesn’t know he’s not allowed to pass on a client’s phone number, then you have a problem.

One further interesting point to note: corporate data is not protected, but personal data is. Therefore, it’s perfectly fine to contact ‘The Marketing Manager, Big Company Ltd’, but if you contact ‘Mary Smith, Big Company Ltd’, perhaps because you found her name on the company website, you need to explain on that first contact that she has the right to request not to hear from you again and that you’ll remove her details if requested.

For further information on wider issues of GDPR, visit the website of the Information Commissioner’s Office.

Preventing data breaches

The other issue is cybersecurity. Andy explained that data breaches can happen to anyone, either through malicious attacks (e.g. viruses, disgruntled employees or theft) or in unsecured environments, where simple things such as strong unique passwords and locking mobile devices (and locking filing cabinets, for those of you watching in black and white!) can help secure your data.

Since October 2014 the ‘Cyber Essentials’ accreditation has been mandatory for suppliers of Government contracts which involve handling personal information and providing some ICT products and services. For more information on securing your data and your IT environment, there’s a government website.


It’s really about good manners. For us as consumers, it’s good news. It means that when you get unsolicited phone calls you have the right to ask when and where they obtained your permission and what their privacy policy is, and if they can’t answer, you have the right to report them to the ICO!

But for a small business, marketing is about reaching out to clients and potential clients that might be interested in hearing from us, so let’s be aware of our responsibilities and treat their personal data with respect.

What are the chances of a data breach happening to you? I would imagine fairly slim. What would be the impact on your business if you lost your client database as a result of a data breach? Potentially huge.

So what do you do next? Panic? Ignore it?

In the first instance, get informed. Find out more about GDPR and data protection in general –

You can also contact Ordered Company and to discuss your situation and they’ll be able to tailor a solution specifically for you.


While writing this article, I’ve received an email from a local shoe shop, asking me to sign a petition against increased parking charges in the area. I now know that is likely to be considered a breach under the GDPR.
So no! Sorry Mr Shoeshop, I agree with what you’re trying to do, but when I gave you my email address it was because I wanted to hear about your lovely shoes. I did NOT give you permission to contact me for any other reason, please remove me from your database!
What do the changes to data protection laws mean for small business marketing?