
Last minute guide to GDPR compliance

It's not too late to get your data in order before 25th May 2018


By Ben Robson

Co-founder, GOAT

A bit late to the (rather dull) party, but if you have left it until the last minute here is GOAT’s guide to GDPR. Also rather dull is that we have to say this doesn’t constitute legal advice – it’s simply what we learnt from a session we attended on GDPR back in March 2018. Every business is different, so the following is designed as a quick summary on things to consider.

Essentially, it’s about asking yourself why you have people’s data and making sure you only use it for that purpose, i.e. if someone asks for a quote and supplies their email address, you can email them the quote – but you can’t take that as carte blanche to send them marketing emails or other correspondence unrelated to the quote.

  • If someone enquires or makes a purchase, you’d need a separate check box so they can OPT IN to any marketing (or leave it unticked to OPT OUT of any marketing)
  • You can’t sign people up to your mailing list for marketing without their specific consent i.e. just because they’ve bought from you or sent an enquiry your way
  • You can’t say ‘click here to confirm your purchase AND be signed up to our list’. They have to have a separate option to opt in or out

Equally, for any email correspondence you keep on file, you need to ask WHY you have those emails. If they’re done with, you need to delete them.

For passwords, it’s recommended that you have a secure password keeper tool, so that passwords aren’t just in an Excel file somewhere or on bits of paper etc. that could get stolen or hacked.


Mailing lists:

In terms of mailing lists: for anyone who is on your current mailing list, you need to send a mass email to all of them saying that you are complying with GDPR legislation (maybe a short paragraph on what it is) and that if they want to keep hearing from you, they need to opt in again.

Give a simple button for them to press to sign up to your mailing list again.

As we understand it (and, as mentioned, this doesn’t constitute legal / formal advice), you can send them the reminder email around three times. If they don’t click to consent again, you have to delete their email address from your mailing list.


Further reading:

Hopefully that gives you some quick pointers on what to look out for as you move towards being GDPR compliant. For further reading on the subject, we’d recommend the ICO (Information Commissioner’s Office) as the first port of call, as its guidance helped us greatly when putting together our own plan for GDPR.
