The European Union has taken a significant step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) which will be effective from May 25, 2018.  Under the regulations, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed.  This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data.

The new regulations replace the Data Protection Directive 95/46/EC


The regulations set out the responsibilities of

Data Controllers – those who determine what personal data is collected and how it is processed; and Data Processors – those that process personal data on behalf of a ‘Controller’

And gives more rights (power and control) to

Data Subjects – any individual who can be identified, directly or indirectly, by the data (Personally Identifiable Information, PII) held against them

What are the strengthened Rights for Data Subjects?

Individuals now have the

Right to be informed – clarity about who uses their data

Right of access – to see what data is held on them

Right to rectification – to have it amended if inaccurate

Right to erasure – to be deleted on request

Right to restrict processing – to specify in what ways their data can be used



We understand that for our customers, in their role as data controller, meeting the GDPR requirements will take time and effort.  It is likely a myriad of systems and third-party applications are in use to run their business.

If you are still at the stage of reviewing what you need to do to demonstrate compliance here is a suggested checklist:

  • Create a data privacy team to oversee GDPR activities and raise awareness
  • Review current security and privacy processes in place and where applicable, revise your contracts with third parties and customers to meet the requirements of the GDPR
  • Identify the Personally Identifiable Information (PII)/Personal data that is being collected
  • Analyse how this information is being processed, stored, retained and deleted
  • Assess the third parties with whom you disclose data
  • Establish procedures to respond to data subjects when they exercise their rights
  • Establish and conduct Privacy Impact Assessment (PIA)
  • Create processes for data breach notification activities
  • Continuous employee awareness is vital to ensure continual compliance to the GDPR





If your business is found to be in breach of GDPR you face a hefty fine.  The maximum can be up to 4% of your annual global turnover or €20 Million, whichever is greater. The fines are imposed for infringements like:

  • Insufficient customer consent to process data
  • Not having your records in order
  • Failing to notify the relevant authority and data subjects about a breach


 Free Business Consultation



As an organisation that collects personal data in order to fulfil a sales function, you are classed as a Data Controller.  Your obligations under the regulations include, but are not limited to:

  1. provide clear information to your customers about the personal data you collect, for what purpose, and the Data Processors you use (typically addressed in a Privacy Policy)
  2. protect personal data against accidental loss, unauthorized access, or unlawful processing (this is typically addressed in a Security Policy)
  3. written agreements with processors that are given access to your customer’s data, that require them to act only according to your instructions and make sure they comply with all data protection requirements (this is typically addressed in commercial contracts)
  4. informing the data subject (end customer) within 72 hours of first becoming aware of a data breach

In addition, you should follow the basic data protection principles of:

  1. Lawfulness, fairness and transparency – the basic tenets of how you handle and manage your customer data
  2. Purpose limitation – how long you have been keeping the data
  3. Data minimisation – identifying what data is held and for what purpose; and not keeping more than is necessary
  4. Accuracy – making sure the data you hold is accurate
  5. Data retention – is the data you hold still necessary for the original purpose of processing
  6. Security – how secure is the data you hold


As a data controller, you must have a valid lawful basis in order to process personal data.  Organisations are free to determine which of the six defined bases are applicable to each of their activities, as defined in Article 6 of the GDPR – and this should be recorded in your Privacy Policy.

For most of the organisations, we work with this is likely to be on the basis of ‘legitimate interests’.  The rationale for this can include:

  1. no sensitive personal data is collected (eg. racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences)
  2. the amount and type of data collected is minimal and deemed reasonable to expect for the fulfilment of the activity (eg. to process a sale for tickets to be delivered to a customer it is necessary to collect a name, address and payment details)
  3. there is a minimal privacy impact on the individual based on the range of data held and how it is used

For organisations that choose to use the lawful basis for processing data based on ‘consent’ the regulations introduce enhanced rights for individuals.





The data controller should document how an individual can withdraw their consent (typically addressed in a Privacy Policy).

All email communications should carry an ‘Unsubscribe’ link and this should be recorded in the email marketing client being used. A documented process should exist defining any ‘Master/Slave’ relationships within your email client.


Individuals have the right to request that their personal data is erased.


Individuals can request to see what data is held on them by the data controller – and organisations must respond within a maximum of 1 month to any such request (unless it is deemed to be complex, in which case extensions are allowed).





To support your obligation to restrict unauthorised access to personal data. 



The data controller is also advised to review the Terms of Service (T&C’s) they make available to customers.  Similarly, with the Privacy Policy.  It is here where you can inform your customers why you are keeping their data; for how long; their right to opt out; and who to contact should they wish to change their preferences or be removed.

Best practice would suggest these should include any specific references to third-party data sharing and the legal basis for this – as defined in your Privacy Policy – such as the sharing of data with The Audience Agency for purely benchmarking purposes.



This guide is meant solely to educate you on GDPR and the information provided, and any views expressed, are those of Black Lion Media only and should not be construed as Legal advice or be replaced for Legal advice.

Black Lion Media does not take the responsibility of misinterpretation or misunderstanding of the content by the reader and Black Lion Media makes no warranties, express, implied, or statutory, as to the information in this guide.

You are advised to seek the guidance of a Legal Consultant/Advisor in your compliance project.


Free Strategy Meeting