GDPR Compliance: Tracing the roots of your data

Unless you set up your business in the Stone Age, it is highly likely that your organisation has a database. Whether that database is stored in a top-of-the-range customer relationship management (CRM) system, filed the old-school way on a good old-fashioned spreadsheet, or you just rely on exporting your LinkedIn connections as a .CSV file and firing off the occasional marketing email, this information needs to be GDPR compliant by May.

There is one incredibly simple question that you can ask yourself to make sure your data is squeaky clean and that it is fine for you to contact the recipient in line with the new regulations.

Can I prove where this lead came from?

The crux of GDPR is that an individual needs to have given you permission for the reason you are contacting them. Once the purpose for which the original permission was given expires, so does the authorisation itself. For example, if you are an estate agent and you gathered a homeowner's details when they were looking for a second home to purchase, and you complete the sale, the authorisation to be in contact with that individual no longer applies. So if you have added this connection to your marketing lists, you have done so wrongfully. In this case, you'd then need them to re-opt into being on your marketing list. The same would apply if you owned a recruitment agency and put an applicant forward for a position. Should that position be filled elsewhere, you couldn't just take that same CV and resubmit it multiple times, unless that candidate gave you blanket permission in the first place. If not 100% of the contacts on your various databases have given full consent to be contacted for marketing purposes, then you will need to get them to opt into this service. Whether the lead is newly gained or an existing contact will affect the process you need to consider.

New data

It would be a great idea to look at your processes now so that you can begin to seamlessly create new habits in time for May. This would entail reviewing the wording on your website, including any terms and conditions, in particular, where you capture any data. This includes any online forms in which the participant inputs personal data. Verbally, you can confirm change the terms of the initial agreements that you make with new clients and back these up with electronic terms so that you have a paper trail record of the permission.

Existing data

Your existing data is a little more complicated as not only do you need to follow the same protocol as you would for new data, but you also need to cleanse your existing contacts. You can do this by following the traditional w’s.

The ‘who’ (is your contact) and ‘why’ (you have their details) are straightforward, and we have already covered these above. ‘What’ to do with your existing list is to make sure you have permission to contact them in the future. Naturally, the more contacts you have, the more arduous the task ahead of you. One option could be something you embed into your current newsletters and digital campaigns.

The ‘when’ relates to when you need to start cleansing your contacts. Our advice is to start now. The more time you give yourself, the less of a mammoth task it will feel. Plus, it is an excellent excuse to get back in touch with people. Contacts you acquired years ago might not be familiar with your up-to-date service offering. Not only is it a non-invasive way to put your name back at the forefront of their minds, but it is a great way to narrow down your sales funnel. Better to have contact with 100 businesses to whom your service offering is relevant and of interest than a million individuals who don’t even read your correspondence.

‘Where’ is a commonly overlooked factor when it comes to your data. GDPR regulations state that data must be stored within the EU. This is easy to monitor when you are using your own internal systems and storage functions, but when it comes to using lesser-known software, it would be a good idea to have a chat with your provider to find out where your data is stored to make sure you are compliant.

Most of the changes are fairly simple when given enough time to implement, and they put you in a strong position to leverage GDPR to your business's advantage. A lot of businesses are struggling with where to start. That is where we come in.

For further help and advice on making your business compliant and making changes to your existing technology, please get in touch.  Contact us today by calling 01204 860050 or emailing us on
