
GDPR – Where to start?

What is GDPR?

GDPR stands for General Data Protection Regulation, and it comes into force on 25 May 2018. The main purpose of this new data protection law is to change how businesses and the public sector use information from their customers; consent and transparency are therefore two of the biggest changes.

Will GDPR affect my business?

Yes: both “controllers” and “processors” of personal data will be affected. Unlike the existing Data Protection Act (DPA), both parties that share information with one another are responsible for that personal data. Personal data is defined as information relating to an identified data subject; the regulation does not apply to data that does not relate to a data subject or an identifiable source. Consequently, old data should not be kept for longer than necessary. If for any reason you wish to keep data on record, you have to justify why, and you must ensure the individual the data relates to is aware that their information is being kept.

Controllers: The controller uses personal data and determines the purposes and means of the processing of personal data.

Processors: The processor is an individual that processes personal data on behalf of, and on the instructions of, the controller.


There are lots of steps you can take to be GDPR compliant, and one of them is to create policies. These policies should define how you obtain data, where you store it, what it is used for and, most importantly, how it is secured. Do you use encryption? Do you store data in a safe or locked cupboard? Who has access to it? Creating this policy is necessary so that customers are aware of what personal data you hold, how it is used, and how long it may be kept after they no longer use your services.

Consider why you might need a customer’s telephone number, mobile number or email address. Is it for customer service, or is it for a primary contact regarding a recent subscription, payment, etc.? Specify your reasons clearly so that they are easy for clients to understand; in return, they know what they are signing up to and what sharing their personal data will mean for the future.

Why a policy?

A policy is a great way to ensure you comply with GDPR: it makes your clients aware of the data you hold and how it is used, and it sets boundaries on what you can do with the information if customers allow you to use their data. In simple terms, it is a safety net for you and your business should a customer call wanting their personal data removed (the “right to be forgotten”) or wishing to complain about how their data is being used.

Create a clear policy defining the terms for clients and their data should they share their information with you, and make sure you know where that data is held so that you can remove it quickly if they request it. This is part of GDPR, which requires that people be able to unsubscribe from services as easily as they can sign up to them.

  • Ensure your emails have an unsubscribe option
  • Never prepopulate ticked boxes
  • Clarify information so that nothing is misleading
  • Create a data policy – if you wish, you can create separate policies for bookings, cancellations, etc.


GDPR clearly states that there must be a privacy policy defining the use of people’s data. Other policies are optional, but this one is a MUST.

If you are having difficulty drafting a policy, look at the ICO website or use online templates to support you in the process.

ICO Website:

I hope this helps,