Only 9 months until GDPR. Are you ready for the EU’s new data protection laws?


The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018 and brings a far stricter set of data protection rules. They apply to any organisation that processes the personal data of people in the UK or the EU, whether or not the organisation itself is based there. GDPR also brings much heavier fines for breaches: up to €20 million or 4% of global annual turnover, whichever is greater. Here is what you need to know to get your company ready for GDPR:


  1. What is personal data – personal data is any information relating to an identified or identifiable living person. This is not just a name, address or telephone number; it also covers social media accounts, IP addresses, browsing history, location data, shopping habits and much more, especially when combined with other equally innocent-looking pieces of data.
  2. You are always responsible – whether you are the brand owner (the data controller), an agency processing data on behalf of your client, a fulfilment company sending out direct mail, an international company based outside the EU or anything in between, GDPR places obligations directly on you, and if there is a breach each party can be held liable for its own failings. This means you must review the practices of both your clients and your suppliers to ensure they are GDPR compliant, and that all parties have written contracts in place setting out how consumer data may be collected, used and stored.
  3. Consent – must be positive, specific and freely given. This is the end of pre-ticked boxes and “opt out if you do not wish to receive” wording. Consent must be requested in plain language, must clearly state what you will use the data for, and lasts only as long as that purpose does; it is not granted for ever. If your existing data has not been gathered in this way, as most currently has not, then continuing to use it, or possibly even just storing it, will be a breach after May 2018.
  4. Breaches – if you lose any data or suffer any other type of breach, you now have 72 hours from becoming aware of it to notify the ICO (unless the breach is unlikely to result in a risk to the people affected), and where the breach is likely to result in a high risk to those people (clients, consumers, suppliers, staff etc.) you must also tell them without undue delay. This could be the hardest part of GDPR, as it requires being able to spot or monitor breaches, and to identify who has been affected, very quickly. With so much data still held on individual machines and no central register of where it lives, it is important to introduce policies now on who may hold data and where it may be stored.
  5. Right of Access and the Right to be Forgotten – the need for a single company database is reinforced by two new consumer rights: the right of access (what do you hold on me and how are you using it?) and the right to erasure, or the right to be forgotten (delete my data from all your systems). For a company without a central database these will be almost impossible to comply with; there is always the risk of a rogue file on someone’s computer. Going forward, you will need systems that track every piece of personal data, record where it is stored and document how and why it is used.
  6. Privacy starts with internal policy – the new law will affect every part of the business, so new policies may need to be in place before GDPR to guide employees on their responsibilities. Putting policies in place is one step towards limiting your liability, but training staff and checking that the policies are followed is the only sure way to stay compliant. A policy that isn’t followed isn’t a policy.
  7. The time to start was yesterday – the final text of GDPR was adopted in April 2016 and published in May 2016, so “there has not been enough time” is no excuse.

PromoVeritas are experts in compliance. We have been working for 15 years to mitigate risk, provide understanding of the law and write policies that protect you from harm.

With GDPR in mind, we have put together a comprehensive set of services designed to help you to be both knowledgeable and compliant. They apply to anyone who obtains, stores or uses data, whether they are an agency, a brand, UK based or international.

Training – the best way to avoid breaches, and to minimise the penalty if one does occur, is to be able to show that you have taken steps to become GDPR compliant. The first of these is to train yourself and your staff in what GDPR means for your business. We can provide a comprehensive look at how GDPR will affect your company, and your options for becoming compliant. Lasting 3 to 4 hours, the session is suitable for marketing, data and legal staff and covers every aspect of the new law.

Your offices – we can deliver a presentation for up to 20 people, tailored to your business. We strongly advise that representatives from senior management, HR and Finance attend, as all of them will be affected.

Our offices – we run regular training sessions and webinars from our head office in North West London.

GDPR Road Map – a personalised report, compiled by one of our highly qualified consultants following a comprehensive review of your business and how you handle data. Typically lasting 3 days, the review covers your company’s current policies, how well they are followed, how they measure up against GDPR, what gaps there might be and what your options are. We leave you with a clear road map that you can act on to move towards GDPR compliance.

Policy Review – our in-house legal team can write new data privacy contracts, service level agreements and all other policies and contracts needed to protect you and your company in your dealings with suppliers, clients and staff.

BS 10012 Certification – much of the work you do to get ready for GDPR will also take you a long way towards compliance with BS 10012, the British Standard for personal information management. If you wish to be certified to BS 10012, our consultants will conduct a pre-certification assessment to give you the best chance of passing, and which you can use to show that you are ahead of the game.

Pre-GDPR review – prior to 25th May we can review your policies and how they are being followed. Is everything ready for the new law, and is all the data you use compliant?

To find out more about our GDPR services contact us on +44 203 325 6000 or email
