Blog – Reputation Matters

GDPR Myth Busting – Well, consent is required for marketing!

Not necessarily. The ICO is clear that marketing of your own products and services can be a legitimate interest. If you can show that the way you use people’s data

  1. is proportionate,
  2. has a minimal privacy impact, and
  3. would not surprise people or be likely to prompt them to object, then consent is not required.

However, with respect to direct marketing, the Privacy and Electronic Communications Regulations take precedence.

Consent is not always required for direct marketing in business-to-business communications, but you have to be a little careful, as sole traders and some partnerships are treated as individuals.

For direct marketing to individuals, consent is usually required, although marketing related to products and services similar to those they have already bought is OK.

If you are required to have consent under the Privacy and Electronic Communications Regulations, then consent is also the legal basis of processing to use for GDPR.

GDPR Myth Busting – We need the data subject’s permission to process their data

No, you don’t – you must have one of the six lawful bases for processing data set out in the regulations, but that basis is not necessarily Consent. The others include:

  • where you are carrying out a contract with the data subject or are taking steps to enter into one, for example a law firm carrying out conveyancing, or an insurance company gathering information to prepare a quote.
  • where a law specifically requires the processing to be done, such as money laundering checks or employee right-to-work checks.
  • for your own or a third party’s legitimate interests. This is best suited to cases where you use people’s data in ways they would reasonably expect and that have little impact on privacy. For example, it is a legitimate interest for an internet shopping site to hold contact details and a delivery address for shoppers.

GDPR Myth Busting – Using professionals to deliver marketing services takes away the worry

If you pay a third party to do your marketing, you are both responsible for complying with GDPR and the Privacy & Electronic Communication Regulations.

If the ICO were to take enforcement action, they would usually take it against the ‘instigator’. If a specialist subcontractor deliberately ignored the rules, the ICO might also consider taking action against them.

Whatever the situation, it is a legal requirement to have a written, GDPR-compliant agreement in place with suppliers that have access to your personal data. It needs to set out your contractor’s responsibilities and, if possible, guarantees of compliance.

GDPR Myth Buster – It’s all about marketing

No, it’s not.

Personal data is any information relating to an identifiable person who can be directly or indirectly identified.

What identifies an individual could be as simple as a name or a number or could be an IP address or a cookie.

The rules apply to both electronic personal data and to certain manual filing systems.

Processing means doing just about anything with the personal data including collecting, storing and disposing of it.

Employees and job applicants are covered, so the rules extend to notes made about candidates at a job interview. Don’t write anything you wouldn’t want the candidate to read, as they have the right to make a subject access request.

In relation to marketing, we also have to bear in mind the Privacy and Electronic Communications Regulations, which apply when you send electronic marketing messages by phone, fax, email or text.

GDPR Myth Buster – I’ve been in business for years and never had a problem

That’s great news.

The ICO, like many regulators, has an issue-driven enforcement policy.

If there is a significant data breach or numerous complaints then enforcement action may well follow.

If this happens, the ICO will ask how you demonstrate compliance.

If you can’t, you will have no excuse and will have to face the consequences, which more than likely will include reputational damage.

Do we have to have a Data Protection Policy?

There is no specific legal requirement to have a data protection policy under the Data Protection Act 2018 or the General Data Protection Regulation (GDPR). However, there are some areas where such a document could prove useful.

The GDPR contains explicit provisions about documenting your processing activities:

  • You must maintain records of several matters, such as processing purposes, data sharing and retention.
  • Documentation can help you comply with other aspects of the GDPR and improve your data governance.
  • For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.

In addition, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR. You must provide individuals with information including:

  • your purposes for processing their personal data,
  • your retention periods for that personal data, and
  • who it will be shared with.

This is called ‘privacy information’. (Many businesses provide this information in a “Privacy Policy” on their websites.)

You must provide privacy information to individuals at the time you collect their personal data from them.

If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

Using Data Processors

As well as imposing a legal obligation on data controllers (the owners of the data) to formalise their working relationship with data processors in a written contract, the GDPR makes controllers responsible for assessing that the processor is competent to process personal data in line with its requirements. Part of this assessment is asking to see relevant documentation, such as the processor’s privacy policy, records management policy and information security policy.