General data protection regulation (GDPR): Your rights and responsibilities when it comes to collecting data.

Typing on laptop

The GDPR came into effect in May 2018. It’s a wide-reaching regulation designed to protect the privacy of individuals in the European Union (EU) and give them control over how their personal data is processed. This includes how it’s collected, stored and used. It affects every organisation in the world that processes personal data about people in the EU.


Although GDPR might seem scary at first, many see it as a positive step forward for data protection. Some of the key areas GDPR covers are:

Personal data about EU-based people (absolutely all of it)

This includes your customers, employees, suppliers and any other individual you collect personal data from. The information which the GDPR is concerned with includes:

  • Names, addresses, ID numbers
  • Health and genetic information
  • Political opinions
  • Sexual orientation
  • Web information, such as IP addresses, cookie data and RFID tags
  • Biometric data
  • Ethnic or racial data

How you collect personal data

You can only collect personal data if you have a legitimate reason to do so. You might need it for a sales contract, for example. Or your customer may have asked you to send them some information on your product or service. In all cases, you must make it clear what their personal data will be used for – and only use it for that purpose.

User contracts and terms and conditions (on websites, for example)

These need to be simple, clear and easy to understand – with no complicated legal text.

The right to know

Individuals can ask a business what information is being held about them. This isn’t a new right, but organisations must now respond within one month and can’t charge a fee (which they used to be able to do).

The right to erasure

Customers can ask a company to delete all stored personal data about them, unless the company needs to keep that information for legal reasons, such as tax.

Data portability

Individuals can request a digital copy of their personal data to use however they like, including transitioning to a new service provider.

Data breach

You’re obliged to report certain types of data breach to the relevant supervisory authority.


There are many aspects to GDPR, but it really boils down to being clear and ethical with the personal data you process – that means treating it as you’d treat something valuable of your own. Some initial practical steps you can take to improve your privacy practices to align with the GDPR compliant are:

Check data collection and processing

  • Do an audit to check how you are collecting and processing personal data.
  • Ensure you have a legitimate basis for the processing of personal data.
  • Put processes in place to ensure you meet the obligations to your customers as set out in the GDPR (such as the right of access and the right of erasure).

Review notices and contracts

  • Update your internal and external notices to reflect the changes you’ve made to align with GDPR requirements.
  • Ensure your customer contracts are GDPR compliant.

Assign responsibility

  • Make someone in your organisation responsible for data protection and privacy.

Take care over security

  • Ensure systems that collect, process and store personal data are secure.


  • Consider what data you are requesting in your lead generation forms, is it ‘necessary and proportionate’ to the purpose you’re trying to achieve? e.g. do you really need their location to allow them to download an e book?
  • You should add a short plain English privacy statement to all forms on your website, stating how you will use any data collected, with a link to your full privacy statement. The statement should be about two sentences long, and explicitly state in plain English why you are collecting this information. An example statement could be, “[Company] will use this information to send you interesting and informative emails from time to time. We won’t share or sell your data to third parties, and for more information check out our privacy policy.”
  • Make your opt-in clear and require direct action by the consumer. It’s always better to be in a position with strong opt-in consent and we recommend you have a double opt-in feature for subscriptions. This is where the consumer must click a link in a welcome email to confirm they subscribed before you can send them your newsletters. You can easily automate a short email with a special CONFIRMLINK tag included asking them to confirm that they wanted to subscribe to your newsletters.
  • Make sure your unsubscribe and preference centre is up-to-date and working efficiently. Ideally, opt-out should be automatic and immediate.

If you’re feeling overwhelmed, don’t worry! Following those four steps will go a long way. On the surface, the new GDPR may appear scary and ominous, but it’s actually pretty straight forward. It really comes down to doing the right thing with the personal data you collect, and only send emails and information to people who’ve given you permission to do so for the purpose you told them. To learn more about the GDPR, visit

Disclaimer: This is for informational purposes only, not legal advice for your company to use in complying with the GDPR. If required, we recommend that you seek legal and other professional counsel to determine exactly how the GDPR might apply to you.