Get in Touch

Here is what you need to know to get your company ready for GDPR … PromoVeritas

by on September 25, 2017 in Latest News, Lead Article, News you can use, Nuggets

General Data Protection Regulation comes into effect on the 25th May 2018 and will bring a new far stricter set of data protection regulations that will apply to any company seeking to trade in the UK or the EU.

It also brings new heavy fines for breaches – up to €20 million or 4% of global turnover (whichever is greater!). Here is what you need to know to get your company ready for GDPR.

To find out more about GDPR services contact PromoVeritas on +44 203 325 6000 or email

What is personal data – data is now to be defined as anything that can identify a person. This is not just a name, address or telephone number, it can also be their social media accounts, IP addresses, internet history, location data, shopping habits and much more especially when combined with other equally innocent looking pieces of data.
You are always responsible – whether you are the brand owner, an agency processing data on behalf of your client, a fulfilment company sending out direct mail, an international company based outside the EU or anything in-between, if there is a breach all of you are liable.


  1. This means you must review the policies of both your clients and your suppliers to ensure they are GDPR compliant and that all parties have strict contracts in place about how they use, collect or store consumer data.

Consent – must be positive and freely given. This is the end of “opt out if you do not wish to receive” boxes. Consent should be in plain language, is for the time being only, not for ever and should clearly express what you will use the data for. If your data has not been gathered in this way, as most currently is not, then continuing to use this data or even possibly even just storing this data, will be a breach post May 2018.

Breaches – if you lose any data or suffer any other type of breach you now have just 72 hours to notify the ICO and those affected (clients, consumers, suppliers, staff etc.) by the breach. This could be the hardest part of GDPR as it will require being able to spot or monitor breaches, as well as identify who they have affected, very quickly. With so much data still held on individual machines and no central access or register, it is important to introduce new policies on who and where data can be stored in the future to avoid these risks.

Right to Access and the Right to be forgotten – the need for a single company database is reinforced by the need to comply with these new consumer powers: the right to access my data (what do you hold on me and how are you using my data) and the right to be forgotten (I want you to delete my data from all your systems).

For a company without a central database this will be almost impossible to comply with, there is always the risk of a rogue file on someone’s computer. For the future, you will need to have systems in place that tracks every piece of data, records where it is stored and how it is used.

Privacy starts with internal policy –  the new laws will affect every part of the business and so new policies may need to be in place before GDPR to correctly guide employees on their responsibilities. Although putting polices in place is one step towards protecting your liability, training and checking they are followed is the only sure way to stay compliant. A policy that isn’t followed isn’t a policy.

The time to start was yesterday – the first draft of GDPR were published in May 2016 so “that there has not been enough time” is no excuse .

Print article