
Are you ready for GDPR?

09 Jan 2018

We are making all our customers aware of the new GDPR regulations, which come into force next May.

GDPR – What is it?

The General Data Protection Regulation (GDPR) is new legislation from the European Union. It is the result of four years of work by all EU member states to bring data protection law into line with current, previously unforeseen ways in which data is now used.

Currently, the UK relies on the Data Protection Act of 1998, but this will be superseded by this new legislation.

It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules the same throughout the EU.

GDPR – Why is it needed?

Firstly, the EU wants to give people more control over how their personal data is used. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.

Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, by making data protection law identical throughout the single market.

GDPR – When will it be enforced?

GDPR will apply in all EU member states from 25 May 2018.

Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation; instead, it will apply automatically.

Although it came into force on 24 May 2016, after all EU member states agreed the final text, businesses and organisations have until 25 May 2018 before the law actually applies to them.

GDPR – Who does it apply to?

Any “Controller” or “Processor” of data needs to abide by GDPR. A “Data Controller” decides how and why personal data is processed, while a “Processor” is the party doing the actual processing of the data.

The Controller – a profit-seeking company, charity or government body.

The Processor – an IT firm doing the actual data processing.

It is the Controller’s responsibility to ensure their Processor abides by data protection law, and Processors must themselves abide by rules requiring them to maintain records of their processing activities.

If Processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.

The new GDPR law is complex and goes well beyond what we can fit into this guide. However, you will find below some practical advice to help you get started with compliance.

GDPR – What do you need to do?

If your business uses email marketing, sends direct mail through the post or makes sales calls, then the way you market your business will not be the same moving forward: you need to explicitly ask permission before sending someone a marketing email. They MUST opt in!

It’s NOT OK just to assume you have permission, it’s also NOT OK to hide your terms in your Privacy Policy page.

It’s also NOT OK to pre-tick a box that people have to untick before they register their interest with you.

That was allowed in the past, but it isn’t anymore!

What can you do to tackle this?

ACT NOW! Start getting permission from your customers. This means you need a section on your registration forms stating that they agree to opt in to receive marketing material from you via email or post.

By law, you have to keep a record of every customer who has agreed to receive email marketing and signed up to your mailing list. You also have to keep a record of exactly what they were shown when they agreed to sign up!

If a customer opts out, you MUST keep a record of that opt-out and keep a copy of the email in which they opted out.

You MUST also ensure you do NOT send any further marketing to the customers that have opted out or you could be in for some nasty fines.
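The record-keeping requirements above (who opted in, exactly what wording they were shown, who later opted out, and never mailing anyone who has opted out) are easy to state and easy to get wrong in practice. The following is an added example, not code from the original page or from Document XL, of a small consent ledger that keeps the consent wording together with a hash of it, rejects consent obtained from a pre-ticked box, records opt-outs with their evidence, and answers the only question the mailing run should ask: is the latest recorded decision for this contact and channel an opt-in? The class, its field names and the sample contacts are all assumptions made for the example.

```python
"""Consent ledger for marketing opt-in / opt-out records (added example).

Not part of the original page. Keeps, per contact and channel, the exact
wording the person was shown when they opted in, a SHA-256 of that wording
(so later tampering is detectable), the timestamp, and any subsequent
opt-out with its evidence. Nothing is sent unless the newest recorded
decision is an opt-in. Ledger layout and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    when: datetime       # UTC timestamp of the decision
    decision: str        # "opt_in" or "opt_out"
    text: str            # wording shown (opt-in) or evidence kept (opt-out)
    text_hash: str       # sha256 of `text`, recorded at the time of the event


class ConsentLedger:
    """Append-only record of consent decisions, keyed by (email, channel)."""

    def __init__(self) -> None:
        self._events: Dict[Tuple[str, str], List[ConsentEvent]] = {}

    @staticmethod
    def _key(email: str, channel: str) -> Tuple[str, str]:
        # Normalise the address so "Alice@Example.com" and "alice@example.com"
        # share one history; the channel ("email", "post") is kept separate.
        return email.strip().lower(), channel

    @staticmethod
    def _digest(text: str) -> str:
        return sha256(text.encode("utf-8")).hexdigest()

    def _append(self, email: str, channel: str, decision: str, text: str,
                when: Optional[datetime]) -> ConsentEvent:
        event = ConsentEvent(
            when=when or datetime.now(timezone.utc),
            decision=decision,
            text=text,
            text_hash=self._digest(text),
        )
        self._events.setdefault(self._key(email, channel), []).append(event)
        return event

    def record_opt_in(self, email: str, channel: str, consent_text: str,
                      when: Optional[datetime] = None,
                      box_pre_ticked: bool = False) -> ConsentEvent:
        """Record a positive opt-in together with the wording that was shown."""
        if box_pre_ticked:
            # A pre-ticked box the person had to untick is not valid consent.
            raise ValueError("consent from a pre-ticked box is not valid")
        if not consent_text.strip():
            raise ValueError("the wording shown at sign-up must be recorded")
        return self._append(email, channel, "opt_in", consent_text, when)

    def record_opt_out(self, email: str, channel: str, evidence: str,
                       when: Optional[datetime] = None) -> ConsentEvent:
        """Record an opt-out, keeping a copy of the message that requested it."""
        if not evidence.strip():
            raise ValueError("keep a copy of the opt-out request")
        return self._append(email, channel, "opt_out", evidence, when)

    def history(self, email: str, channel: str) -> List[ConsentEvent]:
        """All events for this contact and channel, oldest first."""
        events = self._events.get(self._key(email, channel), [])
        return sorted(events, key=lambda e: e.when)  # stable: ties keep insert order

    def may_send(self, email: str, channel: str) -> bool:
        """True only if the most recent recorded decision is an opt-in."""
        events = self.history(email, channel)
        if not events:
            return False  # no recorded consent means no marketing
        return events[-1].decision == "opt_in"

    def evidence_intact(self, email: str, channel: str) -> bool:
        """Re-hash every stored wording and compare with the hash taken at the time."""
        return all(self._digest(e.text) == e.text_hash
                   for e in self.history(email, channel))


def demo() -> List[bool]:
    """Constructed walk-through: no record, opt-in, then opt-out by email."""
    ledger = ConsentLedger()
    contact = "alice@example.com"  # constructed sample address
    results = [ledger.may_send(contact, "email")]
    ledger.record_opt_in("Alice@Example.com", "email",
                         "Tick this box to receive offers from us by email")
    results.append(ledger.may_send(contact, "email"))
    ledger.record_opt_out(contact, "email",
                          "From: alice@example.com  Subject: unsubscribe")
    results.append(ledger.may_send(contact, "email"))
    return results


if __name__ == "__main__":
    print(demo())
```

Consent is recorded per channel on purpose: an email opt-in says nothing about post, and an opt-out from one channel must not be lost because another channel still has consent. Keeping the wording alongside its hash means a later dispute can be answered with exactly what the person saw, and `evidence_intact` makes silent edits to that wording detectable.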

OFCOM used to issue these fines. However, the Information Commissioner’s Office (ICO) will, in future, issue these fines and they will be much stricter.

Website Analytics

If you use a tracking tool such as Google Analytics, this is classed as collecting data. People have the right to know what personal information you are storing about them and what your intentions are with their data.

The law applies to any data that could be traced back to an individual. This even includes things like their computer’s IP address.

If your site doesn’t have a Privacy Policy, you will shortly need one to comply. It needs to tell people what you are going to do with their data.

What about your existing customers?

Now here is the thing: GDPR says that if another law conflicts with it, we should follow that law instead.

When it comes to email and telephone marketing, the Privacy and Electronic Communications Regulations (PECR) legislation takes priority.

The good news is, PECR allows a thing called “soft opt-in”.

PECR says that if you have someone’s email address from the sale of goods, or from a negotiation of a purchase, then it’s OK to send them marketing material about products they have shown an interest in.

The bad news is, PECR is being replaced shortly and its replacement is currently being debated in Parliament. At this stage, no one knows if soft opt-in will be allowed in the future.

What are your customers’ opt-out rights?

People have the right to tell you to stop marketing to them. You must also make it easy for them to opt out of receiving future marketing.

From today, you need to make sure marketing emails tell people how to unsubscribe. That could be saying “reply with unsubscribe in the subject” or with a link to click to automatically unsubscribe.

On printed mailers, you need to state how they can stop receiving them. The options you have are: a telephone number for them to call, an address to email, or a link to an opt-out landing page.

A good suggestion is to set up an email address solely for unsubscribes. Example: [email protected]

What are the telephone marketing rules?

The Telephone Preference Service (TPS) has been around for years. It is where people register to stop receiving unwanted sales calls.

If you call anyone registered on the TPS, you are breaking the law and liable to a fine.

PECR says you don’t need explicit consent to make a sales call. But you do need to check the TPS list before you make a call.

Checking the TPS list is all well and good! However, there is also the Corporate Telephone Preference Service (CTPS) to consider. This is the corporate version, for calls to a business.

You can check whether a company is listed here.

Is your website secure enough?

You may have seen the little padlock symbol in the browser bar. This shows whether a website is secure and technically means the website has a Secure Sockets Layer (SSL) certificate (for example:

If you store any personal data on a website, you absolutely must have an SSL certificate. This encrypts transmission of the data.

In October 2017, Google implemented the second part of its plan to label any site without an SSL certificate as non-secure.

Even if your site only has a contact form, unless it has an SSL certificate, site visitors might get a nasty warning. It can scare visitors away, so it’s best to ensure your website has an SSL certificate as soon as possible.

What are the postal marketing rules?

You don’t need explicit consent to send a mailer, letter, brochure or catalogue, provided you make it clear how the recipient can opt out of future mailings and ensure that the content is relevant to them. Sending direct mail is allowed under the “legitimate interests of your business”.

Sending a covering letter with small print for opt-out instructions could be a good idea.

Direct Mail Facts!

In today’s Digital World, direct mailing has decreased.

However, research shows that it actually gets a better response.

87% of people said they were influenced to make an online purchase as a result of receiving a direct mailer.

A typical Quality mailer is kept around the office or home for 17 days. 29% of people said they often shared these mailers with colleagues, friends and family.

So, what makes these customers more likely to respond? The answer: send them “lumpy mail”.

Imagine receiving an envelope in the post that is lumpy; there’s something inside it.

Could you resist opening it to see what it is? No, of course not! Adding a gift or something lumpy adds intrigue: perhaps a personalised pen, or something similar with your logo.

Then, why not turn “lumpy mail” into a “thud”?

Make your direct mail too big to ignore! Send a corporate brochure or welcome pack, with printed envelopes, or even an item they have to sign for.

If you are selling something of a higher value, investing a few pounds per piece might significantly increase your conversion rate.

A small postcard might grab someone’s attention. But if you really want to be noticed, then size really does matter!

Is it time to look at direct mailing again?

A common misconception is that GDPR only applies to personal data. Even if you sell B2B, GDPR still stands. Even if you only email a corporate address, the law still applies.

If the fines that the ICO have issued so far are anything to go by, they are taking this very seriously!

Useful Links & Information

Information Commissioner’s Office:

Telephone Preference Service:

Document XL has been supplying new and refurbished copiers and printers in Leeds since 2006, but did you know we also provide IT Support services to businesses throughout Yorkshire and Lancashire, as well?

Everyone here at Document XL takes data security and GDPR extremely seriously and our account managers can advise you on various simple, but effective ways to protect you and your company from breaking the new Laws.

Please don’t have nightmares, but if you are having sleepless nights, then give one of our account managers a call, as they can keep you safe.

Call us now on 08456 448 600
