GDPR for Small Online Businesses in the UK: How to Prepare

Reading Time: 6 mins

The EU’s General Data Protection Regulation, or GDPR, is coming into play May 25th 2018. The new regulation will have a huge impact on digital marketing, and what digital marketers can and can’t do.

It’s worth reconsidering what you can and can’t do once the legislation is here.

What does the GDPR do?

The GDPR is attempting to give more control and protection of sensitive data for EU citizens.

While the UK is set to leave the EU, businesses still need to comply. The GDPR affects any business or organisation that collects, processes or stores data of EU citizens.

As the GDPR website explains:

​The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below.

The main area the GDPR covers is around consent, security and control.

Digital Marketing

When it comes to marketing, it means opt-ins and opt0outs must be clear.

Consent should be voluntary, with an affirmative action that is explicit. Otherwise, consent must be specific and unambiguous – data subjects must be aware what you are collecting, what it is used for, and who it is shared with

Consent must be freely given, informed and explicit. You cannot simply assume a contact has opted in. Consent cannot be based on a pre-ticked box, and inactivity cannot count as consent. Any contacts must also agree their data can be used.

The right to be forgotten is also a big deal under GDPR. This essentially means any contacts should be able to easily access and remove their data.

Marketers must also have a reason for processing personal data. This means you cannot collect data without a specific business reason, so essentially ensure you aren’t collecting data for the sake of it.

For instance, here is one thing marketers will need to handle. Google Analytics collects user data, IP addresses, cookies and more. Data must be anonymised before storage, or your site must have a notice of the use of cookies with explicit permission.

Another is the concept of retargeting ads and tracking. Visitors to your site should be informed if you are using remarketing ads, such as through the Facebook pixel.

Email opt-ins should have a checkbox for consent to every individual thing they can subscribe to. If you have a tracking pixel to see when emails are opened, there should be a disclaimer.

Websites & Ecommerce

Ideally, you need to conduct an audit of your site, determine what data you hold, where it originated and who it is shared with. You should also review third-party service providers and ensure they are compliant with the GDPR.

When it comes to your website and/or ecommerce, you should look into the following areas:


Ensure your processes are compliant. The security of data providers must be secure. You will need to share information regarding internal processes to ensure your chain is compliant.

Data access

Data subjects need to access personal data quickly, and allow data subjects to remove it.


When it comes to privacy, card details, email addresses and physical addresses must remain secure. You must detail what happens to customer data, who processes it and who’s responsible for storing it.

Keep records

Keep detailed records of consent, what it was consent for, and the method of consent.

Breach notifications

Any data breach must allow for data subjects to be informed within 72 hours.

Upon checkout, you should only be collecting the necessary information. You must also let them know how you’ll use the information. Consent must be had for each purpose of collecting the data.

You should also be updating your privacy policy to address GDPR. Discuss information that is collected, what it is used for, and third-party service providers it may be shared with. This must also mention the right to access data and to be forgotten.

For more details on GDPR for ecommerce, read our post here:

What GDPR Means for UK Ecommerce Businesses & How to Prepare for 2018


If you fail to comply with the GDPR, the penalties are severe. Breaches can be around €20 million, or 4% of annual turnover – whichever is larger.

While compliance may seem like a boring endeavour, it is necessary. So it’s worthwhile investing time and money into ensuring you are compliant, as every business with personal data needs to. This will involve educating your staff, changing your systems, and ensuring your ongoing business or marketing strategy is compliant.

Whether you are ready or not, GDPR will be here by May 25th 2018. GDPR will have a big impact on businesses small and large, though the good news is that it shouldn’t be too much hassle for small businesses if steps are followed.