GDPR: All your basic questions answered

The General Data Protection Regulation is coming into effect in the European Union from May 25, 2018.

This new regulation will change the way personal data is collected, stored and used, and affects businesses servicing the EU as well as those taking data about any EU citizens.

We have covered the basics here to get you started and see if you need to find out more to stay compliant.

What is GDPR?

The GDPR is a regulation that has been designed specifically to improve protections for people around the processing of their personal data.

Why is this new regulation important?

Previous guidelines around personal data protection have been patchy, because they only applied to specific countries and legal jurisdictions, so there were loopholes and discrepancies.

Also, previous directives were just that, directives. These new laws are regulations, which means there is a minimum base level that businesses MUST comply with.

While businesses have been collecting personal information for 100 years, the widespread storage, use and sharing of personal data exploded with the rise of the internet. We have needed good laws in this area for some time now, but action hadn’t yet been taken.

Recently we have seen many businesses who have leaked personal data or been hacked, which has solidified the need for the stronger regulations.

Who does this affect?

Although your business may not be based in the EU, or specifically conduct business there, the effects of the GDPR are pretty wide reaching.

Anyone who collects, stores, manages or uses the personal data of any EU citizen needs to comply with the new regulations.

This includes email addresses, so for many small and medium businesses, if you deal with customers online, this very well may apply to you.

Because of the nature of email addresses, it might affect you without you even knowing. For example, do you know geographically where all of your customers, including people just on your emailing list, are based? How do you know they aren’t EU citizens?

As an example, this will likely affect you if you use any of the following for your business:

  • Google Analytics
  • Meta Tracking Pixel
  • Google AdWords Tracking
  • Email Marketing Software  (such as Mailchimp, ActiveCampaign, Infusionsoft etc)
  • Online Booking Software (such as Acuity, Calendly)
  • Promote your business via online learning platforms (such as Thinkific, Teachable etc)
  • Storing customer information on Cloud Storage (such Google Drive, Dropbox)
  • Using cloud software for emails, data storage, client information
  • and the list goes on…

To be on the safer side, it’s just easier to make sure you are compliant.

What are the GDPR changes?

There are changes in these main areas:


Businesses need to explain to their customers what they are doing with their information and how they are storing it and disposing of it.

Informed consent to these uses has to be obtained from the customer, in a manner that the business can show evidence of if need be.

This level of consent is much higher than anything previously required.

Individual Rights

The new laws give greater personal rights to the customer.

These include the right to know what their data is being used for, to request a copy of it, to use it elsewhere, to request that it be rectified if something is incorrect, to restrict its use and request that it be deleted if consent is removed.

Data Processing

The responsibilities of businesses who manage, process and store the data are laid out in the new laws. There must be documented contracts between these parties detailing how the data is going to be used.

Most businesses will need to appoint a data protection officer, who will be responsible for making sure that you comply with the GDPR. If you are a small business, this will most likely be you, so the buck stops here.

There are also extra restrictions around transferring personal data between countries and organisations outside the EU.

What does your business need to do to comply?

If you think these changes might affect your business, there are a few simple things you can do to make sure that you comply.

You need informed consent to collect and use personal data from all existing clients (as well as new ones). You need to get in contact with all existing customers and get them to give you that consent.

For new customers, you will need to give them information about how you are using their personal data, and then get their consent to do so. A double opt-in, which means your pop-up form just asks them to repeat and confirm their email address before subscribing, is one of the easiest ways to do this.

Your opt-in form also has to explain what data you are collecting and what you are doing with it.

You will need to delete the details of any customer that doesn’t give you this consent, and make sure that you get rid of any old details or lists that you are no longer using.

You will need to have a system of exporting the data to any customer who requests it.

What if you don’t comply?

There are administrative fines and penalties if your business is found to be non-compliant with the new regulations. The specific fine will depend on factors like the nature of your breach, your intent and the size of your company, plus your prior history in their area. At the lower end it is €10 million, so perhaps making sure your business is compliant might be the cheaper way to go.

Where to start

  1. Update your Privacy Policy.
  2. Ensure your privacy policy is visible and accessible from your website, online store, booking forms, business Facebook page, email marketing platform, learning platform (such as Thinkific)… basically anywhere you are conducting business activities online.
  3. Amend any opt-in or subscribe features to comply with GDPR changes.
  4. Ensure EU contacts and customers are aware of and agree to your Privacy Policy.
  5. Request EU contacts to re-confirm subscription to your business or marketing.
  6. Delete details of contacts and customers that do not provide consent.

Further reading and getting legal advice

Now obviously, this is our ‘nutshell’ overview of the changes, and by no means should be the legal advice on which you base what your own business does to comply.

If you think you might be affected, definitely seek independent legal council to make sure that all of your bases are securely covered for when the new laws come into play.

For more information, this website is a great resource:

You can also download the Free GDPR Compliance Checklist from Legally Shalini to get you started.