Happy New GDPR Year!

Maybe the mere mention of GDPR at the beginning of January, when you’ve just got back into work after a festive couple of weeks, is something you need like a hole in the head. Maybe this wasn’t top of your New Year’s Resolutions list: make sure we are GDPR compliant before 25th May.

However, the thing to remember is that this new law is for our benefit and the benefit of all our clients, customers and associates. It promises enhanced rights for citizens, greater transparency and increased accountability. How can anyone say that’s not a good thing?

Another thing to remember is that if you’ve kept your data protection up to speed in recent years, the changes you’ll have to make aren’t that massive anyway.

Bust those GDPR myths…

There’s a whole lot of information out there, and misinformation too, some of it a result of the several revisions GDPR went through, so that legislation which was originally proposed has not been ratified and will not apply. Here are five of the most common myths doing the rounds: entertaining to read about, but not true, or at least reality heavily embroidered for effect.

Myth # 1 – Massive fines will ensue if your company isn’t compliant

The fact of the matter is that fines could be bigger—£17 million or 4% of turnover is the new maximum—but according to the Information Commissioner’s Office (ICO), this will not become the norm. Minor infringements in the early stages of implementation will not be stamped on and the ICO’s commitment is to guidance and education rather than punishment. ‘Issuing fines has always been, and will continue to be, a last resort,’ says Elizabeth Denham, UK Information Commissioner. While there is no intention of allowing breaches to pass by unnoticed, there are warnings, reprimands and corrective orders in the ICO toolbox before they bring out the mighty sledgehammer of punitive fines.

Myth # 2 – Now that Brexit is going ahead, GDPR rules won’t apply to the UK

Apparently 1 in 4 UK businesses have stopped preparing for GDPR compliance, thinking it won’t apply to them if and when the UK leaves the EU, which is forecast to happen in March 2019. Well, for a start, GDPR enforcement begins 10 months before Brexit is predicted to happen. In addition, the government has issued a statement of intent to instigate a new Data Protection Bill, which will implement GDPR in full.

Myth # 3 – Our company is based in America so GDPR doesn’t count

But… do you offer goods and services to companies or individuals in the UK and the rest of the EU, whether resident or visitor, or to anyone from Britain or the EU living in a non-EU country? Many companies from across the globe have offices overseas. If you process data from UK/EU citizens or from visitors to Europe, including the UK, then yes, GDPR applies to you.

Myth # 4 – My company data is stored with a cloud service provider, so it’s their responsibility to be compliant, not mine

Wrong – for the most part. You have a high duty of care to anyone for whom you store personal data and, to that end, it’s your responsibility to choose a reputable service provider to hold that sensitive information. You will be held responsible for GDPR compliance relating to your database – though service providers must comply with GDPR requirements too.

Myth # 5 – GDPR doesn’t apply in retrospect, so personal data we already have on our database isn’t subject to GDPR rules

GDPR rules will apply regardless of when you collected the data—as long as that data is associated with a living person who was in the UK or the EU at the time. As an example, if you have contact information from prospective customers (B2C or B2B) gathered before 25th May 2018, this data must be compliant with GDPR.


Don’t believe everything you read in the media! And always err on the side of caution when it comes to data compliance. Remember that’s both B2C and B2B. If you are struggling with the finer details, at Mailing Expert we’ll be happy to talk you through them.


Mailing Expert

GDPR – sorting the fact from the fiction


What’s Happening on 25th May 2018?

  • It’s Julian Clary’s 58th birthday
  • It’s 41 years since Star Wars was released
  • GDPR replaces the current DPA

Cause for celebration all round? Maybe – but certainly, cause for preparation – and we don’t mean saving up to buy Julian Clary’s dog a diamante collar.

So – there’s less than a year to go and it makes absolute business sense to Be Prepared, exactly as the scout motto says. Don’t subscribe to lastminute.com; you’ll only regret it.

And what does GDPR stand for? General Data Protection Regulation, which replaces the Data Protection Act (DPA).

See here for the blog we wrote earlier which explains its evolution.

In brief, the GDPR concerns the rights people have over their personal data*. The DPA has become outdated since technology has progressed so rapidly in the past few years and so much business is carried out online. The new regulations aim to streamline data protection across Europe so that, no matter which country you trade with, or in which country your data is held, there’s consistency in the way data is handled. Helpful for businesses. Reassuring for individuals.

By the way, the fact that we are in the process of leaving the EU makes no difference because the GDPR applies to every business which holds or processes the data of EU citizens. If we want to trade in Europe then we will be obliged to show that UK standards are equivalent to the EU’s GDPR framework. Additionally, GDPR will become mandatory in the UK so even if you don’t trade overseas, it will apply to you.

There’s plenty to be getting on with in the meantime, meticulously outlined by the Information Commissioner’s Office (ICO). Here are five things you could put on your To Do List in the next few weeks. We’ll suggest more in subsequent blogs about GDPR.

  1. Appoint a data protection officer – crucial. It’s vital that someone takes the lead in this matter, otherwise there’s a danger it will be lost in the piles of other policies every company has to deal with. That someone should report to a board member, or ideally be a board member.
  2. Raise awareness – you may know about the impending change in regulations, but do all the key decision-makers in your company?
  3. Organise an information audit – unless you know the current personal data situation in your company (Whose data? Where from? How shared? To whom?), how can you possibly plan for the future?
  4. Check procedures – do they cover the new rights individuals will have?
  5. Plan a timetable to amend privacy notices – make sure they will meet the new requirements in plenty of time for GDPR.

At Mailing Expert, we’re ahead of the game. Why not join us? Together we can make this happen.


Mailing Expert


* Personal data is not only an individual’s name and address; it is anything that identifies an individual, alone or in combination with other information, including physical characteristics, pseudonyms, occupation, address, email et cetera, or a combination of such identification elements. That means business contacts too.

New Data Protection Legislation from the EU – GDPR

We all love a bit of legislation, especially when it’s contained in a 204 page directive from the EU. In the spirit of customer service, here’s a summary of the reforms to save you endless nights of tedious bedtime reading. We aim to please.

The 1985 Data Protection Directive and the 1998 Data Protection Act

Just to bring us up to speed. In the latter part of the 20th century it became apparent that most companies and organisations – individuals too – were storing and processing personal information on computers. While this has many advantages as far as speed and efficiency goes, it leaves us vulnerable because this data may be accessed by others without our knowledge or permission. Unscrupulous people could misuse it – use it for commercial advantage, identity theft for criminal purposes or sell it on to a third party for financial gain.

The 1985 Data Protection Directive was created to control the way such information is handled and to give some legal rights to people who have information stored about them. It was implemented into UK law by the 1998 Data Protection Act. The problem with the 1995 Data Protection Directive was that each Member State could implement it into their own national law in a slightly different way, so each Member State had its own set of rules. Since people often have data stored in many countries, as they say, things got complicated…

So now the 2016 EU Legislation

Designed to establish one set of rules across Europe, with a European Data Protection Board to ensure a common interpretation across all the national data protection authorities, it should make it more straightforward for everyone to do business outside their home country. It heralds the arrival of an era of renewed accountability and transparency, which can only be applauded.

It consists of two parts:

The General Data Protection Regulation (GDPR) – allowing individuals to have more control over their personal data, reducing regulation and enhancing trust so everyone can make the most of the opportunities afforded by the Digital Single Market.

The Criminal Justice Directive – concerned with Europe-wide cooperation in criminal investigations and law enforcement, leading to more effective anti-crime and anti-terrorism work.

Political agreement on the text has been reached; it will become law very shortly; enforcement will start in 2018. It’s something for which you must prepare, because penalties for breaches will be HUGE – figures flying about are fines of €20 million or 4% of a business’s global gross revenue. Ouch!

What it means for you – in a nutshell

N.B. This is not comprehensive. It covers the aspects that we consider have most bearing on the direct marketing aspect of your business.

The definition of personal data – any information which allows anyone to identify a person, so aside from the obvious name, address and ID numbers, this now includes such things as cookies and IP addresses if they lead back to a person.

Consent – agreeing to data collection and use doesn’t need to be explicit but it must be unambiguous – a subtle distinction? It must be clear why you require the data. Your privacy notices and policies must be tip-top, accessible and transparent. Consent must be acquired by a “clear affirmative action.” No action, silence and use of pre-ticked boxes will not count as consent. Withdrawing consent should be just as easy as giving it.

Profiling – that’s to say, using the data to determine particular criteria about individuals – like personal preferences or location. This is an important tool in DM. It looks as though consent must have been obtained in the first instance.

Legitimate Interest – use of data for DM is considered to be legitimate (phew!) – that is, unless what you intend to do breaches the fundamental human rights and freedoms of the subject, particularly in the case of children.

Data Protection Officer – it will be mandatory to appoint one if your organisation is engaged in regular and systematic monitoring of data subjects on a large scale or processing sensitive personal data. We will have to find out what this means from the guidance which will be issued in the next two years. At one point in the discussions, this ruling was only applicable to companies with more than 250 employees, now it’s any organisation which meets the above criteria. The appointed person must know about data protection law and practices to a level suitable for the role within a particular company. Even if your organisation does not have to appoint one compulsorily, it may decide to appoint one anyway.

Privacy Risk Impact Assessments – data controllers must take robust precautions before embarking on higher-risk data-processing activities to minimise the risk to their data subjects. This might include encryption, establishing resilient systems and regular evaluation to ensure security is fit for purpose.

Notification of breaches – “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” If the breach is going to impact on the rights and freedoms of individuals then ‘the appropriate supervisory authority’ must be notified within 72 hours, and the data subjects must be told ‘without undue delay.’ Data processors must inform data controllers, and both are obliged to notify.

Liability of data processors – data processors will have direct obligations under the Regulation and will not be able to hide behind data controllers.

Have you lost the will to live now? Our apologies. The trouble is, it IS something we all have to grasp before it’s too late. These are regulations we will be implementing at Mailing Expert – for YOUR protection as well as ours.

Deep breaths, everyone!