As of May 2018 GDPR (General Data Protection Regulation) is enforced. We are sure you have heard enough about this and understand what it is.

If you don’t already, the Information Commissioner’s Office (ICO) website has all the information you need. This is the best information source to find out about GDPR, because:

  • it is regularly updated
  • it has the most current guidance on any changes to the direction

The ICO’s website also offers GDPR myth-busting blog updates, an FAQ section, and a dedicated advice line for small businesses and organisations.

If you are just starting up, becoming a sole trader and growing your customer numbers, please read up about GDPR.

To start, here are four things you need to consider:


Start a document that records how, where and why you are collecting data. You might not realise it, but data and information are collected through your website, through having an e-newsletter, and through Twitter, Facebook and other social media.

Here is an example of this, and the next tab provides you with a template you are welcome to use. Please note this is an example; it is not a binding document. You are responsible for understanding, adjusting and documenting your processes to comply with the regulation in the best way for your business.

If you are using any data processor, ensure you are aware of their policy on GDPR and make a note of this in your document.

2. Having a Privacy Policy

This doesn’t need to be long and arduous but it needs to be clear.

  • Who you are
  • What data you are collecting
  • How and where you collect your customer data
  • Why you are collecting their data and what the data is for
  • When you will review, clear or delete the data

You can then use this policy on your website or when you approach customers or other people to sign up for an e-newsletter. As a reference, take a look at the best example of a privacy policy, which is of course the ICO’s.


We are no longer allowed to have an already-ticked sign-up button, or to make the option opt-out. Anything that you set up, whether it is an online sign-up for your newsletter or a sheet of paper, has to be opt-in. For example:

  • OK – Please sign here if you agree to receive our monthly product and offers e-newsletter
  • NOT OK – If you do not wish to receive our monthly newsletter please sign here

Some email newsletter providers, such as Mailchimp, also let users apply double opt-in to their mailing list; this is to ensure that people make a conscious decision to sign up.

You also need to be clear about what they are signing up to; you can’t change that intent later on.

If for example you say:

By ticking this box you are signing up to receive our bimonthly information about our product and offers.

You can’t then later send them an email asking for a donation for your charity run. It is best practice to clarify in the first instance what you will likely be contacting them for.

4. Have a plan

Be ready with how you would respond when people ask about their data. Under GDPR, individuals have the right to:

  1. be informed
  2. access
  3. rectification
  4. erasure
  5. restrict processing
  6. data portability
  7. object
  8. Rights in relation to automated decision making and profiling

To plan for when people request to exercise their rights, you need to be able to be sure that whoever made the request is the person the data belongs to. More information about what this means can be found here.

We hope this helps. If you have any urgent questions or need advice, please contact the ICO’s dedicated support line.