Peter Gough
Managing Partner & Founder
The General Data Protection Regulation (GDPR) will come into force on May 25, 2018. The new legislation will set out how EU companies, and those processing data sourced from EU customers, can utilise data. GDPR will consolidate and unify data protection regulations across EU member states.


Since 1995, when the previous data directive came into force, huge technological advancements have transformed the way we live and work. The vast array of digital innovation has impacted on how data is used and the new legislation from May will address the challenges of data privacy and data sharing in a digital world.


Below we’ve given an overview of the key factors of GDPR and outlined why becoming GDPR compliant will ultimately be good for your business.


The core principles of GDPR



The new legislation states that you will need permission from existing and prospective customers in order to use their data to contact them or to share it with third parties. Individuals will be entitled to know what data you have on them, who you share their data with, how you store it, how long you’ve held it for, and the safeguards you have in place to protect their data. Individuals will have the right to withdraw their consent to you using their data at any time. In order to manage this process, you will need to build into your customer portals a more detailed preferences area or centre where the user can choose how they wish to be communicated with. The preferences area should include marketing requirements (interests, channel, the frequency of communication, privacy statement, consent) and ability to exercise data subject rights (request deletion of personal information, restriction of processing, self-exclusion, opt out of profiling).


Data collection

Personal data definitions have changed and now include direct personal data and attributed personal data. Online identifiers such as cookies and IP addresses are now classified as personal data. Consent must be a positive action taken by the data subject to opt-in. No pre-ticked boxes, silence as opt-in, or boxes to opt-out are allowed to be used. Consent must not be a prerequisite of providing a service. In addition, if you handle child data or sensitive data such as sexual orientation, religious beliefs, trade union membership, etc. then you will need to adhere to some specific regulations and consent. See the ICO for more details.


Data Subject Rights

Under the new law, EU citizens will have new rights. They can object to businesses using their data, they can ask for their data to be rectified if the information held about them is inaccurate and they can ask for their data to be erased. They can specify that they don’t mind their data being held, but that they don’t want it processed (i.e. used for marketing purposes or sold to third parties). Importantly, for digital marketers using automated systems, an individual can request to opt out of automated decision making and profiling. From May, citizens who ask to see what personal data is held on the register will be entitled to a response within one month of request. In addition, people will also have the right to have their personal data moved from one data controller to another.



GDPR requires businesses and organisation use encryption, pseudonymisation and segregation within architecture design relating to personal data. This means it will be harder for high-profile cyber-attacks, such as TalkTalk and Carphone Warehouse as well as the Wannacry NHS hacking scandal, to happen. In a post-GDPR world, most cyber breaches and attacks will be preventable.



You will be required to keep documents supporting the auditing of systems, your own teams and supervisory authorities in case there should be a challenge/breach. This documentation should support corporate responsibility. Potential fines for non-compliance are likely to be less if you can demonstrate the correct intentions.



You will have three days to notify the regulator of any significant data breaches in your business. Failure to comply with GDPR may result in a €20 million or 4% of global turnover (whichever is higher) fine.


5 ways GDPR will enhance your business

Rather than see GDPR as a large box-ticking exercise, it should actually be seen as a force for good. Here we’ve outlined five benefits for becoming GDPR compliant.


  1. It will boost your reputation: GDPR compliance will boost your reputation in the eyes of your potential customers as the will see you as secure, which will boost loyalty for your company or brand.
  2. It will force you to become customer-centric: now’s a good time to join up your relational technology and siloed systems. This is a unique opportunity to unify customer data into a Single Customer View rather than having it sit in a number of systems – to easily manage it, anonymise it and report on it for better marketing decisions.
  3. It will enhance your engagement with your customer: as you will have accurate and up to date preferences, you will be able to better respond to your customer requests and engage with them in the ways they prefer.
  4. It will enable you to use predictive modelling: keeping clean data means you’ll be able to glean business insights from historical events.  You will be able to use data to establish patterns, trends and predict the future, which in turn will empower your organisation and help you to innovate and launch new products.
  5. It will help to reduce security breaches caused by internal staff: with the introduction of role-based and compartment-level security settings, you will be able to ensure that the customer data you hold (and their preferences) are kept up to date and secure throughout your organisation.


ORM’s view 

We welcome the changes that GDPR will bring in delivering transparency to the end customer. We’ve been working with our clients, helping them to audit their log of interactions and acceptance of communications across preferred channels, as well as helping them detail the data they store and record.


In collaboration with our clients’ Data Protection Officers, we have built preference centres that have streamlined the previously clunky and cumbersome siloed data systems and brought them into one simple, easy to use hub. These preference centres allow our clients’ customers to easily request to remove their data and select their preferences accordingly.


Come and talk to us about how we can help you become GDPR compliant.


This blog is not an exhaustive list of how to achieve GDPR compliance. For more information and advice on the GDPR visit the UK's Information Commissioner's Office website or consult a specialist GDPR legal team.