How much does GDPR compliance cost?


As a business owner, you might be cynical about GDPR and data protection, and given that every new bit of company legislation seems to come with associated compliance costs, it’s no surprise.

Every time the government tells us that we need to adhere to more rules and regulations, it seems that the compliance businesses benefit, with talk that if you don’t comply with GDPR you’ll end up facing massive fines that could sink your business, so you need to spend tens of thousands of pounds to make sure that doesn’t happen.

How much big business pays

Before GDPR became law, PricewaterhouseCoopers discovered that 68% of the companies it surveyed planned to spend between one and ten million to make sure they met the regulation’s requirements.

That’s quite a bit of money. And even though these were large businesses (over 500 employees with a large annual turnover), the costs still seem astronomical.

Maybe you’re a small transport business with 200 employees; it still seems you’d have to fork out an awful lot of money to become compliant.

Even smaller businesses might baulk at the potential cost of making sure they have everything in order. From the garage carrying out MOTs to the air conditioning company supplying local care homes, the costs to meet the GDPR’s requirement can be daunting.

What about security?

Let’s put it another way, however. How much do you pay for physical security, to protect your assets?

If you have a factory, you need to secure it, and you probably spend a lot on that.

Security for a physical building can be extremely costly because it usually doesn’t stop at putting a good lock on the gate.

You’ll probably hire a consultant to assess the risk. They’ll be doing a security audit, checking your offices, workshops, and other areas and providing a report that will highlight vulnerabilities that need to be taken care of.

They’ll provide advice on which type of lock to use where, how to make sure customers are safe when they visit your premises, where to install CCTV, what activities on-site need to be protected, and so on.

There will also be specific compliance requirements from a legal perspective for physical access to some sites, which are also covered by legislation.

And, of course, there will be legal costs and insurance to consider.

Although nobody wants to be spending money on these things, everyone understands that we live in a world where they are necessary. We can’t simply leave the factory gates open at night and rely on people’s goodwill to not enter and run off with an expensive piece of machinery.

GDPR is security – for your data

The world has changed, and data security, along with preventing harm to individuals, is as important as physical security, if not more so.

So much information is stored on a computer these days, and it’s information that can be used in many criminal ways; therefore, if you happen to store that data, you need to take care of it.

What’s more, GDPR doesn’t just protect a user’s data by setting out what you can keep, how long you can keep it and what you can do with it; the legislation also makes it clear what steps you need to carry out should that data go missing or be misused in some way.

If a customer’s car was stolen from your garage, would you try to keep it a secret? Of course not; there’s no way you could.

What if someone took their data?

A factory can have locks on all doors, with security guards and dogs on patrol, so that anyone who walks by knows they will face a challenge if they want to get in.

What about your data?

An insecure network doesn’t appeal to passers-by but it’s open to people worldwide, and it’s shocking how many of them would love to get access.

Data breaches cost money, and the risks of not taking the possibility of one seriously far outweigh the costs of making sure you’re prepared in the event it happens to you.

GDPR costs don’t need to be prohibitive

It’s important to realise that GDPR wasn’t meant to sink companies who couldn’t comply.

The measures a company needs to take to ensure they’re compliant are more like common sense, much like securing your premises.

Simple things like making sure employees don’t leave USB sticks with customer data on them lying about, having secure passwords, and ensuring your data protection policies are in place are a start.

Knowing what data you have on your customers, and understanding the laws about processing that data, what you can do with it, and what to do if it goes missing are also steps in the right direction.

You can do a lot of this yourself. The ICO provides a lot of information for businesses that helps them make sure they comply with the legislation.

However, this takes time to read and understand, and you won’t be completely sure you are doing the right thing. An external qualified, experienced and professional consultant can take the pressure and worry away and ensure you’re doing the right thing.

Get in touch

If you’re at all unsure whether your company is compliant with the GDPR and other data protection laws, give us a call today or contact us via the site. That first call costs you nothing.

Can I send marketing emails to customers?


GDPR caused a lot of confusion when it first appeared, and it’s still causing confusion now, but one of the most complex and tricky subjects is about when businesses can and can’t email their customers.

For years companies have been sending out emails to anyone that appears on their mailing list without thinking if it is legal to do so; it’s a classic tactic to upsell.

There were rules about this in the privacy regulations (known as ‘PECR’) long before the GDPR came along.

GDPR and PECR make the rules extremely clear and give the ICO teeth to act (and they do act) if people break the rules.

What emails can I send?

One of the problems with sending emails is differentiating between the two distinct types.

There are transactional emails and there are marketing emails.

Transactional emails

If someone buys something off your site, then there’s likely to be a process they have to go through in order to receive their goods.

It’s usually fairly simple:

  • Add a product to a cart
  • Checkout from that cart
  • Fill out some details
  • Receive confirmation, order status, delivery emails

Those emails at the end of the process and then any updates about that order are transactional emails because they relate to that transaction.

Anything else that is generated, such as a follow-up to ask if your product was received, and maybe for a review, could also be seen as transactional.

However, if you then send an email trying to upsell, such as “We hope you loved your socks, would you like a pair of matching gloves?”, that is marketing.

If you send emails to do with the customer’s account, such as updating passwords, changes to terms and conditions, things like that, then those are transactional also.

Marketing emails

This is fairly self-explanatory.

If you try to sell something to your customer, or your email explains new website features or other things that are meant to entice your customers to click and go check out the site – that’s marketing.

Fairly clear, no?

Confusion reigns

Here’s the problem. Some people still break the law; others are going over the top.

I’ve seen websites that have a form where people can download an e-book. They need to put their details on it. The form also has a tick box that says “Please tick this box if you consent to us sending you this e-book.”

GDPR says the customer should give clear consent. In this case, the consent would be in the form of actually filling out the details to request the e-book and submitting it.

Imagine if someone requested the form but then didn’t allow you to send it to them?

Gaining clear consent

When someone is checking out of your store, you can offer them the option of opting in to receive updates from you.

This is usually in the form of a tickbox somewhere on the checkout page – importantly, it needs to be un-ticked initially.

There is also something called the soft opt-in. This is where someone buys from you and gives their email to you as part of the buying process. PECR allows you to take the view that your customers, having bought from you, would not mind knowing about similar products. So as long as you give them a chance to opt out at the time they buy the product from you, and give them a right to opt out every time you email them, then that’s OK.

And that’s really it.

Summing up

The law is extremely clear on what can and cannot be sent to customers, and it leaves little to interpretation.

The simple fact is, if you want to market to customers then you need to have their permission or act under the soft opt-in. There are no clever ways around it, and if you break the rules of GDPR and PECR, you’re in danger of being picked up by the ICO and fined.



I’m a small business, do I need to appoint an Art. 27 GDPR representative?


Unless you’ve spent the last 12 months on the International Space Station, there’s a very good chance that the Covid-19 pandemic has affected you in some way. For many, it has seen a fundamental shift in the way they run their business.

Those in the retail and hospitality sector have been hit particularly hard, and during these difficult times some find that they have to adapt and try new ways to bolster an income that has been severely reduced. Going online has been the obvious choice, and so 2020 became the year that shop owners, small and large, took the plunge and got themselves a website.

Of course, it used to be challenging to start an online shop, but there are so many ways to do it these days that you can be up and running within a day. It’s no surprise that Shopify now has 1.5 million websites hosted on its platform, and it’s one of the fastest-growing systems for starting up an online presence.

But there’s a particular responsibility that comes with owning an online store, and it’s something that needs to be taken seriously: GDPR.

It’s not just about that pop-up

Many install some pop-up software that tells people they’re using cookies, and that’s it. But it might not be “it” if you want to ship to countries in which GDPR applies. If you’re in the USA, for example, and want to ship to the UK or Europe, you may well have to adhere to GDPR rules and appoint a GDPR representative. Also, if you’re based in the UK, you can no longer simply post things across to Europe friction-free because of Brexit. You may also need to appoint a GDPR representative in a European country.

How and why does Article 27 apply?

Let’s deal with the UK for now. If you have recently set up a store in the UK and want to ship to anywhere in Europe, then it’s likely Article 27 will apply, unless the processing of that data is “occasional”. The ICO (the governing body for GDPR in the UK) states that “occasional” use is a “one-off occurrence, something you do rarely”.

So, for example, you mainly sell to the UK, but someone in Germany finds your site, buys something and needs the product delivering there. In this case, you are unlikely to need to appoint a GDPR representative.

However, suppose you actively market to Germany or France or anywhere else in the EU: you have prices on your site available in euros, and postage rates set up specifically to handle international shipping. In that case, you’re not ticking the “occasional” box, and you will need to appoint someone.

One exemption is if you already have an office in a European country, but if you’ve just signed up for a Shopify site, that’s unlikely to be the case.

What does the GDPR representative do?

Data protection has been top of governments’ agenda for some time now as the prevalence of websites collecting personal data has clashed with the number of breaches and access to that data. It’s in everyone’s interest to ensure information is looked after.

Companies should have a straightforward method of ensuring people know that their private data has been compromised if a breach does occur. Also, people who know a company is holding their data should have access to someone they can talk to. Governments should also be able to query the capabilities of companies holding that data.

Therefore, a representative needs to be available in the customer’s country and have the necessary authority to act on the company’s behalf should there be any such queries. As a side note, this person or agency needs to be named in your privacy policy.

But I’m a tiny business. Does Article 27 include me?

Sorry, yes. Some tiny businesses process lots of data. If you sell to someone in Europe, then you have details that could personally identify them. Their address and other information will likely stay in your order system for some time, so they need to have confidence that you’re looking after that data.

I’m in the USA. Does it apply to me?

It certainly does! Although the laws are European in origin (and UK due to Brexit), they are international in scope. If you sell to the UK or any European country, you need to appoint an Article 27 GDPR representative.

Is it expensive? Surely I don’t need to employ someone?

Luckily there are ways to comply with the law without setting up an office in the country you want to trade with. A GDPR representative can be an agent who will act on your behalf, and DPA-OK is here for you! Contact us today!

Can I Send Marketing Emails to Companies?


In light of the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR) legislation, you may have some doubts about what you can and can’t do regarding marketing emails. One piece of legislation does not replace the other, but complying with one can get you closer to fulfilling the other’s rules. It’s necessary to comply with both.

They place specific rules on many things such as marketing calls, emails, texts, faxes, web browser cookies, and customer privacy information. These apply to both business-to-consumer and business-to-business sales and marketing. Regardless, the purpose of this article is to clarify the rules that apply to business-to-business marketing emails.

In short, yes, you can send marketing emails to companies, but you must keep a list of businesses that object or opt out. This applies to the company as a whole and the individuals working in them. However, there are more detailed business-to-business email marketing rules that you must follow, so keep reading the article to know what they are.

Whenever you process personal data, the UK GDPR provisions and requirements apply. This means that if you are able to identify an individual directly or indirectly, the regulations have effect. To give an example, when you have a business contact’s name and number on file or an email address that can identify them, such as “”, you must comply with the regulations.

Does the PECR or the GDPR State That We Require Consent for Marketing?

No, it isn’t always necessary. While consent is a lawful way of processing information, some alternatives to it exist. For example, you can justify your business-to-business email marketing by relying on legitimate interests.

Regardless, there are situations where consent is required to comply with PECR. Still, the rules of marketing to companies are different from those of marketing to individuals. Rules on consent don’t apply to any email sent to companies or other corporate bodies (limited liability partnerships, government bodies, and Scottish partnerships). There is one requirement: the sender of the marketing email has to identify itself and provide contact details.

However, even if that’s the case, if the company goes through the trouble of stating that they don’t wish to receive further marketing emails, the best practice is to stop sending them.

What Are the Marketing Email Rules?

You can email any company, limited liability partnership, Scottish partnership, or government body. You can’t email sole traders and some particular partnerships, as the Privacy and Electronic Communications Regulations recognise them as individuals.

That means that you can only send marketing emails to these small businesses when they expressly consent, or when they buy a product or service from you and fail to opt out of the marketing emails when given the opportunity to do so. This case only applies if the message includes an unsubscribe, refuse, or opt-out option.

For corporate bodies, proper business sense and regulations recommend the practice of keeping a “don’t email” list for businesses that opt out. Any new marketing list you obtain should be screened against that list to ensure that you don’t send emails to companies that object to them.

Some GDPR provisions apply whenever you email company workers at an email address on the corporation’s domain. Individual employees have a right to ask you to stop sending them marketing emails on these types of addresses.

What Counts as Consent?

The General Data Protection Regulation’s standard for consent is relatively high. It must leave nothing to doubt, involving a clear and concise affirmative action in the form of an opt-in option. You can’t use a pre-ticked opt-in box. It’s also necessary to include different consent options whenever the data is processed in different ways.

It would be best if you didn’t make consent to processing a precondition of a service, as it isn’t an adequate lawful basis. A consent request requires the inclusion of the following information:

  • Your business’ name
  • Third parties that make use of the processed information gained on consent
  • The reason you want their data
  • What you want to do with their data
  • That they can withdraw their consent whenever they want

Keeping evidence of consent is essential: who consented, when they did so, how they did so, and what you told them. Try to make it easy for them to withdraw their consent whenever they wish to do it.

However, as previously stated, it isn’t always necessary. Whenever acquiring approval proves difficult, you can look for an alternative lawful basis.

When Can I Use Legitimate Interests in Practice?

Legitimate interests are a considerably flexible lawful basis. As it doesn’t focus on a single purpose, it allows you to rely on it in different situations. However, that doesn’t mean that it’s always adequate to use. It is an appropriate basis in these scenarios:

  • The impact on the individual’s privacy is minimal
  • Your processing has a convincing justification
  • It’s reasonable for the individual to expect their data to be used in that way

There are more situations where you can use legitimate interests, but these three are the most useful.

What Are the Rules for International Marketing Emails?

Whenever you send emails to companies outside the UK, you need to comply with their countries’ laws. For the moment, countries in Europe possess similar data protection regulations to the United Kingdom. However, some of their rules are more stringent than the UK ones, even more so for business-to-business marketing.

You need to seek legal advice if you want to send marketing emails to companies in other countries.

Can I Hire Another Company or Individual to Send Marketing Emails?

The hired party and yourself must still comply with the GDPR and PECR. You are responsible because you are technically prompting the other party to send the emails. Should your contractor fail to comply with some provisions and requirements, any legal action could be taken directly against you.

The authorities can also consider interceding with the contractor if they continue to ignore the rules, whether deliberately or not. For that reason, having a written contract stipulating the responsibilities your contractor has is ideal. It may be wise to ask your contractor to indemnify you in case they commit a PECR violation.

Should they break the law, causing your organisation some reputational damage and making you subject to legal action, you can seek legal advice and take measures for the contract violation.

What More Should I Consider?

As stated throughout the article, you must remember that whenever you process the personal data of an individual with the purpose of sending business-to-business emails, they have the right to object.

This right applies whenever you process their data for direct marketing. Whenever an individual objects to marketing emails, complying with their wishes is mandatory. You must adhere to their demands even if the processing basis is that of legitimate interests.

You must provide information on what you’re using the personal data for, your processing basis, the length of time you plan to store their information, and the parties with access to it.

If you rely on consent, there isn’t a right to object. However, any individual can withdraw it at any point, and you must cease the processing of their data when they do so.

The Children’s Code – are you ready?


A long time ago in a galaxy far away… (22 January 2020) the Information Commissioner’s Office [‘ICO’] introduced the Children’s Code.

If you are a provider of ‘Information Society Services’ likely to be accessed by children (defined as under 18) and you are not aware of it, then you need to get up to speed.

The Code applies to apps, social media platforms, online messaging, online marketplaces, content streaming services and any websites offering goods or services to children over the internet.

The Code recognises that the digital economy can provide benefits to children but is often not a “safe space” for them. The Code looks to change that – not by seeking to protect children from the digital world, but by protecting them within it.

The Code is already in force but, like the GDPR, it has a 12-month transition period for providers to make the necessary changes.

Affected providers need to be ‘Code Ready’ by 2 September 2021.

Before there was a Code there was a law…

Providers are already obliged to comply with the GDPR and Data Protection Act 2018 and PECR 2003 when processing [collecting, storing, using, sharing, erasing etc.] the personal data of children, that is, any information that relates to them.

It is not enough to comply with the GDPR – an organisation has to be able to demonstrate that it is compliant. It’s called ‘accountability’. The ICO has made it clear that if a provider does not follow the Code then they may find it difficult to prove that they comply (are ‘accountable’) with the GDPR.

Failure to comply may lead to complaints from children or their parents, potential ICO investigations, claims for compensation, bad publicity, time dealing with issues and, worst-case scenario, fines.

Providers can avoid all of that by being proactive and taking steps to be Code Ready now.

The starting point for any Provider processing personal data is that they must comply with the data protection principles. Simplified, these are:

(a) they must process children’s personal data lawfully, fairly and in a transparent manner.
(b) a child’s data should only be collected for specified, explicit and legitimate purposes…
(c) any processing of personal data should be adequate, relevant, and limited to what is necessary
(d) personal data should be accurate and, where necessary, kept up to date
(e) it should be kept in a form that identifies the child for no longer than is necessary and,
(f) it should be processed in a manner that ensures appropriate security of the child’s data…

As stated above, a Provider must be able to demonstrate that they comply with the 6 principles above.

Not sure about the principles or how to prove you comply? Contact us, but following the Code will help.


Don’t forget children may have the following rights:

1) to be informed about how their data is used
2) to access a copy of it
3) to rectify inaccurate information
4) to erase it
5) to restrict what is done with it
6) to have others who have received their data notified about any rectification, erasure, or restriction of it
7) to have it ported to another provider
8) to object to how it is used and to direct marketing
9) to object to automated decision making and,
10) to be notified of certain types of personal data breaches.

What does a Provider need to do?

The code puts forward 15 standards.

Not all will apply to every provider.  They are summarised below:

  1. What is best for the child should be a primary consideration when providers design and develop online services.
  2. Providers should do a Data Protection Impact Assessment (‘DPIA’) to inform them as to what they should do to do away with or reduce risks of harm to children who are likely to access the services.

If you do not know how to do one of these, contact us.

  3. Providers should take a risk-based approach to recognising the age of child users and ensure they effectively apply the standards in the code to those users.
  4. Privacy information and other published terms, policies, and community standards must be concise, prominent, and in clear language suited to the age of the child. Providers should provide additional specific ‘bite-sized’ explanations about how they use personal data at the point data is collected.

For help with this, contact us.

  5. Providers must not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.
  6. Providers must uphold their own published terms, policies, and community standards.

Need terms, policies, notices? Contact us.

  7. Settings must be ‘high privacy’ by default.
  8. Providers must collect and retain only the minimum amount of personal data needed to provide the parts of the service in which a child is actively and knowingly engaged. Children should be given separate choices over which parts they wish to activate.
  9. Providers must not disclose children’s data unless they can demonstrate a compelling reason to do so.
  10. Providers must switch geolocation options off by default (unless they can demonstrate a compelling reason for it to be on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others should default back to ‘off’ at the end of each session.
  11. If a provider provides parental controls then they should give the child age-appropriate information about this. If a parent or carer can monitor their child’s online activity or track their location, then there should be an obvious sign to the child that they are being monitored.
  12. Providers should switch options which use profiling ‘off’ by default (unless they can demonstrate a compelling reason for it to be on by default, taking account of the best interests of the child). Providers should only allow profiling if they have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
  13. Providers should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections.
  14. Where providers supply a connected toy or device, they should ensure they include effective tools to enable conformance to the code.
  15. Providers should provide prominent and accessible tools to help children exercise their data protection rights [see above] and report concerns.


Providers need to review their offerings now to ensure they do the right thing and are ‘Code Ready’ by 2 September 2021. Failure to do so will make it more difficult to prove that a provider is compliant with the GDPR. DPA/OK can advise Providers on what their legal obligations are.

What is a Data Breach Response Plan: How Do I Create One?


A data breach response plan is a strategy that helps businesses detect and respond to information security violations in a quick and coordinated way. Having a response plan will minimise the financial and reputational damage that comes with a breach incident and ensure compliance with GDPR rules.

If your business is unprepared following a data breach, it will put you under huge pressure. Under GDPR rules, a breach incident must be reported to the Information Commissioner’s Office (ICO) without delay and within a maximum of 72 hours.

Trying to cope with meeting compliance rules and simultaneously managing the fallout of a data breach will stretch your resources and disrupt day-to-day business operations. That’s why we cannot overstate the importance of your business having a data breach response plan.

Worryingly, according to a PwC Global Economic Crime and Fraud Survey, just 30% of businesses worldwide have a data breach response plan in place. Unfortunately, in the event of a breach, no plan often means slow action, by which time the long-term damage may have been done.

How to Create a Data Breach Response Plan

To avoid the pitfalls that follow a data breach, here’s how to create a robust, effective response plan:

#1 – Assemble a data breach response team

Assembling a data breach response team ensures an effective and efficient way to mitigate the damage and execute your response plan. Having a team that’s aware of its responsibilities means that your plan can be activated the moment a breach is discovered.

The size of your organisation will determine the structure of your team. It could include the following personnel:

  • Data Protection Officer
  • Data Breach Response Team Coordinator
  • Legal and Compliance Officer
  • Head of IT
  • Human Resources Manager
  • Marketing and PR Executive

Each individual role plays its part in a coordinated response. However, activating the team isn’t always necessary. It’s down to the person responsible for compliance at board level to decide if a breach is so serious that it needs escalating to the data breach response team, based on who has been affected, the potential legal, financial and reputational ramifications, and the disruption to the business.

#2 – Get cyber insurance

Data breaches are a daily threat to your business, so having cyber security insurance as part of your data breach response plan gives you coverage if you have to activate your response team. Having the right insurance coverage is crucial to safeguarding your company against significant financial losses.

You can then call on your insurance policy as part of your response plan to protect the wellbeing of your business financially.

#3 – Include a containment process

Having a containment process as part of your plan means that your response team and other personnel know exactly what to do to contain a breach when it’s discovered. This should include:

  • Date and time recording of the breach
  • Alerting and activating your response team – including the date and time of activation
  • Closing down systems affected
  • Gathering documentation

#4 – Include an evaluation process

Every response requires an evaluation process to identify areas for improvement in cyber security. An evaluation should include:

  • An initial investigation into the breach
  • A risk assessment
  • Establishing the priorities following a breach
  • A forensic investigation into the breach – you may need to engage a forensics firm for this

#5 – Include a notification process

Your data breach response plan should include a notification strategy to, where required, alert the authorities within the 72-hour timeframe and any people that have been affected by the breach. This is where you can utilise your marketing and PR team and seek legal advice to effectively, and honestly, make the necessary people aware of a breach incident.

#6 – Include a prevention plan

Your response plan should have a future prevention plan to improve your data protection measures. A prevention strategy should include:

  • A review of the findings into your investigation
  • An update of your response plan
  • A plan to train staff on updated procedures and responsibilities
  • An audit of your response process

Expect the unexpected

Data breaches can happen unexpectedly and it’s best to be prepared. It’s a cliché, but if you fail to plan, then you plan to fail. You might think that protecting your IT is sufficient, but with more than 80,000 cyber-attacks occurring per day, you can never be too careful.

The time, cost and resources it takes to develop a plan will be significantly less than experiencing a data breach.

If you would like to create a data breach response plan, get in touch with DPA/OK today.