The GDPR came into force in May 2018 in the European Union; since Brexit, the UK has signed equivalent legislation into law (the UK-GDPR is an almost word-perfect copy of the EU GDPR).

This far-reaching piece of Data Protection legislation really shook up the private sector, giving private individuals a lot more rights and giving private companies a lot more responsibilities. Crucially, breaching those responsibilities can come with a hefty fine - up to 2% of your annual turnover, or €10 million.

To be absolutely clear, the GDPR applies to any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to your data. That includes mailing lists, customer lists, orders, enquiries and emails, and covers any information stored electronically or on paper.

In this series of articles, we provide some general guidance on the basic elements of the new Regulations and how they affect you and your website. Do remember that this legislation represents a new legal requirement. That means that if you have any concerns, seek legal advice.

We have created a sample GDPR Privacy Policy, which may help you prepare for the GDPR. Feel free to click here and add it to your website!

Consent is King

Positive, active consent is the cornerstone of the GDPR. To be precise, an individual must agree for their data to be used for a specific purpose.

  • Get positive consent for everything you do
  • Clearly explain why you need their data
  • Never use their data for any other purpose

Getting Positive Permission

Gone are the days when you could expect people to opt out. If you want to use someone's data, they have to opt in. 

Unless they've clearly ticked a box that gives you permission, you can't use their data. Just as important, a failure to opt out doesn't count as consent. If you want consent, you have to get it the hard way.

What's great about that control is that there is no way for a customer to accidentally sign up to your newsletter.

Following that principle, at the checkout, there is a really simple rule. Clear language. Simple controls. Positive permission.

That means you can't expect customers to opt out. They have to opt in - no pre-ticked boxes!

The good news is that you can still assume consent in a few circumstances. For example, when a customer completes a purchase, you can assume that they are giving permission for you to use their address to deliver the products! The simplest rule is that when it comes to marketing, you need to be able to show that your customers made a decision to opt in to your emails. 

If your website doesn't follow these rules, please contact the office by email as soon as possible.


Processing shall be lawful only if the data subject has given consent for one or more specific purposes

Explain What You're Doing

It is only ever lawful to use personal data where you have clearly specified what you will be doing with it, which means two things.

  1. You need to be clear about why you are collecting data
  2. You can only use the data for that purpose

For example, you might need to collect someone's address to give them a precise estimate of postage costs; just explain what you need and why. 

What you can't do is to tell them you're using that address for that one purpose, and then use it to send them a brochure. 

The simple rule is that you have to be up front and honest. If you're in doubt, ask for their consent a second time.

  • Ensure you never assume opt-in on your website - no pre-ticked boxes!
  • Offer a simple explanation of why you need the data at the point of collection
  • Be clear about the purposes for which you collect data - update your T&Cs and Privacy Policies

1st January 2018