GDPR and your Privacy Policy

A few weeks ago I wrote an article about the General Data Protection Regulation (GDPR), signposting some useful resources and providing my take on what businesses should consider.

Since writing that post, like most people, I’m now being bombarded with emails from companies pointing me to their new Privacy Notice or asking me to re-sign up to their email communications. I’ve also been to a Business Gateway seminar where a lawyer from MacRoberts LLP provided an overview of what businesses need to do to get ready.

What became clear is that there’s quite a lot to consider and it can become quite murky. What also became obvious is that no business is exempt from this, whether it be a sole trader, a charity, a Limited Company etc. Everyone needs to be aware of GDPR and put controls and safeguards in place.

The one place to start, and a potential quick win, is to review and update your Privacy Policy if you have one. If you don’t, you might want to consider writing one. The Privacy Policy is in place to tell people what data you hold on them, if any, what you do with that data, where that data is stored, how long the data is stored for, how they can request information on the data stored and how they can ask for it to be removed. I think the key thing here is to use common sense and be open and honest about the data you use.


Data Controllers and Data Processors

These are two definitions that you should be aware of under GDPR. According to the Regulations a Data Controller is:

a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
— [S1(1) DPA]

The Data Processor is the person who processes the data on behalf of the data controller.


You run a business and, as part of your marketing, you issue regular email newsletters to customers. To do this you use a third-party mailing system such as Mailchimp. In this case you, as the business owner, are the Data Controller, i.e. you have decided how you are going to use this data, and Mailchimp is the Data Processor, i.e. they are issuing the newsletter and storing the data on your behalf.

To take this a bit further, I occasionally help businesses to create and issue newsletters using Mailchimp. The businesses I work with would be classed as the Data Controller, I would be classed as the Data Processor and Mailchimp would be the sub-Data Processor.

Coming back to the Privacy Policy: if you own a business and are the Data Controller, you need to be open about which third parties you use and, in turn, link through to their own Privacy Policies.


Email Marketing and Consent

Admittedly this is a very grey area and I don’t want to dwell on it too long. It is worth reading this section in the ICO guidelines.

You will have seen some emails coming through from businesses simply saying they have updated their privacy notice, and some emails asking you to re-opt-in to mailings.

For customers who have bought a product in the past or are an existing client, you are entitled to send emails as long as there is a clear opportunity for the individual to opt out or unsubscribe. The same applies to sole traders and some partnerships. For corporate entities where there is a general email, it is permissible to email them without consent, e.g. However, employees of that corporate entity are classed the same as individuals, e.g.

However, if you’re mailing people who haven’t previously been a client or customer and people’s details have simply been added to a mailing list, you need to gain consent from them before emailing them. This is where an email is sent asking people to re-sign up to mailing lists.

In Summary

GDPR is a very large and complex area. The views above are my own and distilled from what I’ve learned over the past few weeks. However, this legislation has been in the making for 4 years, so there is far more to it than simply one page of my thoughts.

If you need help, you may want to get some legal help to understand your responsibilities. There are also lots of resources online; simply search for "GDPR". In the meantime, I hope this was of some use.

Scott Noble