Running a creative business

GDPR: The Principles


Before you start reading please note I am not an expert in GDPR. I am a business owner who is busy and struggling to understand what this GDPR thing is and how it will affect me. I therefore jumped at the chance to go to a local talk by Duncan Smith, Director of CIM and iCompli, about the subject. It was only 30 mins but it put my mind at rest. I thought I would share my notes with you to help.

Basically one of the things he said was that you don’t need to read the massive wedge of papers on GDPR… BIG SIGH OF RELIEF… you need to understand the principles and then go by what your gut feeling is, i.e. ask yourself “does this feel right?”. You cannot possibly know the intricate detail of the document as that is for the experts, but following your gut on your understanding should be fine. Follow these guidelines and let your gut do the rest.


Basically the law is changing because we are still operating according to a law from 1998, and so much has changed since then with smartphones and the incredible data mining that comes with apps and other technology.

The law needed to be updated to protect the consumer. Did you know the first iPhone was released in 2007? If we are honest it is not really a phone; it is a marketing tracking device which collects information about people, and the world is being driven by this data.


At the end of the day we are giving A LOT of control to the people who create apps and phones.

For instance, did you know that Uber can tell where you are, what the weather is like where you are AND the battery life on your phone? That information can determine how much they charge you for a lift… how much more would you pay if it was raining?

Did you know that if you apply for a loan, the speed at which you move the slider can determine your APR? I didn’t! Apparently the faster you move it to the higher amount, the more desperate for money you seem and the higher the risk looks. Therefore they quote you a higher APR.

Also did you know that Facebook is always tracking the websites you visit EVEN if the browser is closed? You would need to log out of Facebook for this not to happen.

It is all happening without us knowing, and that is where the issue comes from: who knows what data is being tracked, and whether it could harm us?

You can see how this is not in balance any more. Who holds all the cards here? Is it in the favour of the consumer?



GDPR is here to ask:

“Who is in control of all this data?”

The new law is trying to understand who has the data, what they are doing with it, why they want it, and whether it could harm the consumer.

GDPR looks at fundamental rights and your freedom, and checks that the collection of data is lawful, fair and transparent.

So we need to make sure that the person who is in charge of data complies with the simple principles.

You also need to DEMONSTRATE you comply and PROVE that you have been lawful in processing data. This is the biggy for me. How can we prove it?

In a tiny nutshell there are four pillars, which are:

– Control: You must give your consent and it must not be assumed. No more pre-ticked opt-in boxes.
– Transparency: It must be clear what is happening.
– Notification: You must be told.
– Verify: You must be able to prove it if you need to give evidence.



The biggie is that the data collection must be LAWFUL, FAIR, TRANSPARENT

To be lawful it must pass ONE of these tests:
– Consent for a specific purpose
– Contractual necessity
– Controller’s legitimate interest
– Controller bound by legal obligation
– Protect vital interests
– Public interest, official duty

Remember that marketing is not a contractual necessity.



One important change is that you can’t bundle terms and marketing together in one form tick box. So for instance you can’t say that part of agreeing to your terms and conditions is agreeing to be marketed to. This is a big no-no. These tick boxes must be separated out.


CHAIN OF TRUST: If you work for others, you must tell your client if you outsource the work. The law will chase down to the person who implemented the changes. So..

If you are a web developer and set up data collection forms for people and they are not compliant, then YOU will get in trouble as well as the business who instructed you.

If you outsourced this form creation to a third party, then you need to make sure they are compliant or it will come back on you.

Forms MUST be securely hosted and encrypted.

Basically you really need a strong contract when employing contractors or doing work for companies to protect yourself, as liability can pass through the chain to you. Make sure the contract says no outsourcing without prior authorisation, to protect yourself.


Information ASSET AUDIT: You need to go through all the software you use and check that it is all compliant. For each piece of data ask:

– What is in the info?
– Where is it stored?
– How did it get in there?


If working in the cloud you must make sure that no data moves outside the EU. The servers must be in Europe, OR choose a company with a compliance statement saying they comply with GDPR, OR get written consent from the data subject that they are happy for you to move their data out of the EU.


In summary this is how I personally see it but it is still early days as I don’t even think the experts truly understand and know the facts YET.

Basically you have to be totally transparent with the consumer on why you want the data and what you are going to do with it and then collect proof that you have done this. So you can’t trick people onto your list and then market to them.


So I think the questions we need to ask, in particular about digital marketing, are:

1. Where do we stand with re-marketing to our email list via platforms such as Facebook?
2. If we collect leads with a free lead magnet for a particular training, can we email them about a different sort of training? (I guess as long as you are VERY explicit about the fact that by taking the free training they will receive marketing messages from you, then you should be OK?)
3. How do we collect proof when someone opts in to our email list?
4. Duncan did say that if you are collecting email and name alone, some of this does not apply. So is it only for people collecting very heavy personal data relating to health?

Things we can start doing now to get GDPR ready

1. Do an audit and check that all the programs you use comply, by being in the EU or having a written compliance statement.
   – Such as your CRM, email management system..
2. Check your contracts when using contractors, so that they cannot outsource without prior consent.
3. Check your sign-up forms so that they do not group terms and marketing together under the same tick box (so separate out “I agree to the terms” and “I will join the marketing list” into two separate tick boxes, and make sure they are not pre-ticked).

I will keep you posted on anything else I find out as I research this for my own business and my members so feel free to follow on Facebook or join my email list and I can let you know (I may also send you marketing messages very occasionally!)

Good luck