New GDPR Rules for UK Businesses - Cain and Co

Data protection rules across the United Kingdom and Europe are set to change. If you run a small business and collect personal data from customers, then you need to know what’s happening.

The new set of rules is called the General Data Protection Regulation (GDPR) and it comes into play on the 25th May, 2018. Described as, “the biggest change to data protection law for a generation,” every small business must be up to date with this.

Many people are asking a very relevant question: what will these new rules mean for the way small businesses approach their online marketing, and for sending marketing emails to promote their business?

An Overview of Data Protection

The aim of data protection laws is to stop non-regulated businesses misusing personal information and to make sure that businesses keep private information secure. Personal information can be anything from someone’s name, to their credit card number or other financial data.

Some examples of misuse include selling email addresses to spammers or sending unsolicited marketing material. Simply speaking, if your business collects personal information (which most businesses do) and misuses that information, or fails to keep it secure, then you could face a fine.

How will the new rules change the way my business does online marketing?

The aim of the General Data Protection Regulation (GDPR) is to introduce a standard set of data protection rules across the European Union. In the United Kingdom, we already have a reasonably strict set of data protection rules in place. This means that small businesses that comply with existing legislation will not have to change a huge amount to make sure they comply with the new rules.

However, there are a couple of important changes which you will need to take into consideration, especially if you use the personal data you collect to send marketing messages to people. If you want to market your business to someone using their personal information, then you need to get complete permission from each person. For online marketing, that means asking users to tick a box, indicating they are happy to be sent marketing messages from you.

In the past, some businesses may have used a pre-ticked box and asked people to untick it if they didn’t want to receive marketing messages, but under the new rules this will not be allowed. If any disputes arise about whether someone has opted in to receive marketing messages, it will be down to your business to prove that they did. Ensure you keep a record of all the people who opted in to receive marketing messages. People who you contact will also have the right to ask you to delete any data you hold on them (regardless of whether that data is used for marketing), so consider this when updating your records.

What about my existing marketing lists?

If you are already marketing to people who actively opted in to receive messages from you, then you don’t have to ask them to opt in again when the new rules come into force. However, if they didn’t actively opt in, you will need to get complete consent from them, to continue sending messages. It is a good idea to be safe rather than sorry here and make sure you have this consent on record, before GDPR takes effect.

Can I send marketing messages without permission?

Yes, but only where sending them counts as a legitimate use. Marketing messages are allowed without explicit permission only if they are considered a legitimate use of the data your business holds.

For it to be considered a legitimate use, there must be a clear relationship between your business and the person you send marketing messages to. For example, existing customers would expect to hear from you. They may have recently purchased a product from you or they may have an account with you.

To ensure you are adhering to the new rules, it is best to obtain complete consent wherever possible.

What about physical marketing messages?

If you are sending out things like letters or special offers to people, then the General Data Protection Regulation (GDPR) will apply to this kind of marketing too.

What about Brexit?

The General Data Protection Regulation (GDPR) will come into play in May, 2018. This is at least one year before the Brexit process is complete. That means whatever happens, there is a period where UK firms must comply with the new rules. It is also possible that the United Kingdom will decide to keep the new GDPR rules, even after Brexit happens.


“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.” Information Commissioner, Elizabeth Denham.


The General Data Protection Regulation (GDPR) is a huge topic, so you can find out all the information you need here on the Information Commissioner’s Office website.

You can read the ‘12 Steps to Prepare for GDPR’ here. This has updated and more focused guidance on the need to prepare for the new data protection rules which will take effect from May 2018.