
GDPR - what is it, how does it affect us and what are we going to do?

21 May 2018



The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).

It was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period.


Here's our take on it:


Why we collect your data 

So we can do business with your company: so we know who to ask for, how to get hold of you and how to ship goods to you, and so we are able to keep you informed of new products, services, events etc.


How we collect your data

By asking over the telephone, face to face, by email, via our website etc. Your details are then stored on our financial system/CRM (currently SAP).



Our terms of consent must be clear. Consent must be easily given and freely withdrawn at any time. Consent is not required for a lawful basis, nor for all forms of direct marketing. We will be obtaining consent for all new contacts from the 25th May 2018. Pre-existing contacts will be unaffected; we will not apply the new regulations retrospectively. There must be an option for you to opt out.

Our statement must clearly state that we are only recording your details for the purposes of conducting ongoing business and communicating news items on such things as products and services with you. We only store such information as your name, title, job function and the contact details you use for business purposes: office and mobile telephone numbers, email address and premises address/addresses.

We must ensure that all forms of electronic and written communication give you an easy way to opt out of receiving marketing information.

The option to opt out of your information being recorded in the first place will be incorporated in our statement.


Right to access

If our users request their existing data profile, we must, within 30 days, be able to give them a fully detailed and free, electronic copy of the data we have collected about them. The report must also include the ways in which we are using their information (see privacy statement). Further copies will be subject to a reasonable fee.


Right to be forgotten

Also known as the right to data deletion. Once the original purpose or use of the customer data has been realised, our customers have the right to request we totally erase their personal data. In practical terms, because we are dealing with our customers on a regular basis and documents such as quotations and orders are linked to individuals, this will probably only ever happen if the owner or a senior director of the company requests it for the whole company.


Data portability

This gives users rights to their own data. They must be able to obtain their data from us and re-use that same data in different environments outside of our company. This is unlikely to happen in our case; we aren't a medical practice, bank, utilities provider, etc.


Privacy by design

This section requires companies to design their systems with the proper security protocols in place from the start. We should list them in our statement: staff with confidentiality clauses, access removed for staff who leave, 2-stage access to our database for remote access etc. We should also state that we do not share our contact information with anyone except where legally obliged to, and with delivery agents and mailing houses (in our case, Mailchimp). We do not and will not ever share our database with other 3rd parties.


Breach notification

If a security breach occurs, we have 72 hours to report it to our customers and any data controllers (if we needed one, which we don't).


Data protection officers

Only required if the company has more than 250 employees, is a public authority, or is processing and monitoring data on a large scale. The person who has overall responsibility for our data security can't be the same as the IT manager.


What do you need to do now?



If you would like to find out more

Do take a look at our Privacy Policy


