Accessible Marketing

GDPR – What do small businesses need to know?

by Judith Hutchinson


I’ve been asked about GDPR in relation to marketing for small businesses. Here I am answering these questions; if you have others, join the Accessible Marketing Facebook group:

What is GDPR?

It sounds really boring doesn’t it – General Data Protection Regulations, I’m almost yawning just typing it. The 2 key things that GDPR is trying to do are to give people back control of their personal data and to simplify the regulatory environment around data collection and processing. Organisations can face fines of up to 20 million euros or 4% of turnover so it’s certainly a serious business.

And as a consumer, I think it’s a positive thing that organisations are being encouraged to take the collection and storage of my data seriously.

I’m a small business owner and I’ve been working with small business owners for nearly 10 years, so I get that something like the GDPR is seen either as a waste of time and something to be ignored or as a real worry. I would say be aware of GDPR and start thinking now about what you can be doing to be ready for when the regulations come into force in May 2018.

Thankfully if you are already aware of and putting into practice the current data protection regulations then you probably don’t have a fat lot to worry about.  Equally for things like e-newsletters, using a platform such as Mailchimp will help with things like ensuring people opt-in and giving them the opportunity to unsubscribe.

But I’m a small business, it doesn’t apply to me, does it?

You’re right in a way – there is a regulation to state that organisations with fewer than 250 employees will not be bound by GDPR.  However, there are parts of the regulations that small businesses and even sole traders need to follow.  No matter how small you are, you have to comply with the new regulations regarding the secure collection, storage and usage of personal information.

And I would also say that as the general public become more aware of the regulations there will be an expectation from consumers that you should follow the regulations regardless of what size you are.


In the UK we are leaving the EU and therefore it doesn’t apply to us, does it?

In a word – yes it does.  To start we haven’t left yet and the regs kick in in May 2018.  Plus the ICO have said that the regs, once we leave, will basically be the same as GDPR.


How do I get in trouble? Do I get reported by people who receive my newsletter?

This is a really good question. The same organisation that polices the current Data Protection Regulations will be policing the GDPR. This is the ICO (Information Commissioner’s Office).

You may or may not be aware that organisations who collect personal data are supposed to be registered with the ICO already (there’s an annual fee of around £35 for small businesses). The way organisations register and pay will be changing in line with the GDPR coming into force. Those already registered with the ICO will be receiving notification of the changes with their renewal. There’s more info on the ICO fee and registration in line with GDPR here


How bad is the punishment? Do I go to prison?!?!

No, you won’t go to prison. The ‘punishment’ could be 20 million euros or 4% of turnover and in theory individuals can sue for compensation for both material and non-material damage (e.g. distress) so it’s certainly a serious business.


If I send a generic email telling everyone to unsubscribe from my list if they don’t want to receive anything from me, does that automatically mean that they have given me permission to send them stuff if they don’t unsubscribe?

People have to opt in, not opt out. The regs state: “There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity”


Should I email everyone I add to my list in the future so I have written permission? Is this what we need to do now?

The people on your email list have already opted in.  If you are using a system such as MailChimp or other similar email platforms you will likely already have a record of their opt-in.  These systems do offer you the opportunity to ensure people still want to receive what you are sending them and it could be a good idea – I’d rather have a small quality list of people that want to receive information from me than a large list of people who just delete my email the minute it lands in their inbox.

If you are worried that you don’t have consent from your email marketing list then you could send them a reconfirm email (most platforms have a template for this). Otherwise, if you have a record of them signing up, e.g. via a form on your website which is linked to your email platform, then you’re good.

What do I need to do now?

The ICO have produced 12 steps to take now.  These can be found here

For very small businesses I would start by:

It’s also worth thinking about your website in terms of GDPR – take a look at this article on Secure Certificates and why they are vital for your website and business

If you have other marketing related questions head over to the Accessible Marketing Facebook Group

And if you really can’t sleep you can see the full regulations here


