April 21, 2017

GDPR: General Data Protection Regulation

What is GDPR?

GDPR stands for General Data Protection Regulation and is set to replace the existing Data Protection Directive in May 2018. This framework was first put forth by the European Commission in 2012 and was finally agreed upon by the European Parliament and Council. GDPR contains several new protections for data and is due to be enforced in the spring of 2018.

The main aim of the GDPR is:

“to provide individuals with better control over their personal data, in a way that will help businesses to get the most out of the digital single market; through providing them with various business opportunities.”

As the digital economy grows, it is important for laws to be clear, for an individual’s rights to be safeguarded, and for there to be consistent international data protection regulations, particularly with the increase in businesses and services operating across borders. It is believed that the introduction of this framework will ultimately contribute to an increase in consumer trust.

How will it affect your Direct Marketing?

The GDPR regulation will change the way you manage, protect, and administer the data under your control. One of the main effects will be how your organisation communicates with your members or customers via email, SMS, telephone, and direct mail.

You will have to provide clear opt-in and opt-out options for consumers.

Additionally, the recording of consent and improved privacy policies will be a requirement for when personal data is collected.

Data Categories (there are four)

The GDPR widens the personal data net and clearly defines personal data into four categories which are as follows:

1 – Personal data and unique identifiers – includes online identifiers and location data

2 – Pseudonymous data – data that has been through a technological measure such as hashing or encryption

3 – Genetic data – relating to an individual’s gene sequence

4 – Biometric data – such as facial recognition, fingerprints, etc.

What are the Practical Implications?

Crumbling Cookies – online and unique identifiers such as cookies are used to gather data and further target potential consumers. Non-EU advertising, analytics and social media platforms will most likely find themselves in a position where they are legally required to treat these identifiers (cookies) as personal data under the protection of European law, and will need to update their policies, procedures and systems as required.

Increased Costs – carrying out the processes needed to organise your data sets and reduce the potential for a data breach will require system adaptation and human resources. Is your finance director aware of this, and have they allocated your department a budget?

Organisational Compliance – with data subject access, correction, deletion, and transferability being under close scrutiny.

Penalties for GDPR non-compliance

Fines – You could face a fine of up to 4% of your organisation’s annual turnover.

Reputational Damage – portraying a negative image, which will ultimately damage your brand.

Further Fines – If a company receives a high number of complaints, it could be liable to pay additional fines from the Information Commissioner’s Office (ICO).

To ensure that sensitive data is protected, your organisation will need to identify the risks that exist and then put in place procedures and policies to help mitigate these risks and prevent any problems that may occur.

Ensure that your IT meets GDPR regulations – Areas to consider:

  • Get up to speed with the proposed legislation.
  • Research anything that you are unsure about.
  • Check your organisation’s current internal data and IT processes.
  • Look at how to protect all data and whether you can provide evidence that will satisfy any inspection of it.
  • Find a reputable ADISA registered asset disposal expert that will be able to provide useful support and advice on the organisation’s IT lifecycle and provide robust solutions to limit the risk of data non-compliance.
  • Ensure efficient and secure disposal of hardware.
  • Consider the use of personal devices by employees.
  • Be aware of all access to data, and limit access from systems not owned by the business so that the data remains under the sole control of the operating organisation.

6 Helpful Tips

  1. Develop a clear and concise privacy policy
  2. Enable an Opt-in requirement for data sharing
  3. Start implementing privacy through design
  4. Prepare for new data breach reporting requirements
  5. Implement controls to track and manage data
  6. Be prepared for data protection impact assessment


This blog was written by Robin Sumner with research and contribution from Chenyse Taylor.


Romax Marketing & Distribution provides a wide range of services in Direct Marketing for B2B and B2C, including Direct Mail, Data Management, Printing, Discount Postage, Membership Communication Services, and Consultancy.

Contact us by phone on +44 (0) 20 8293 8550 or by email at hello@romax.co.uk.