Businesses face new legal requirements from May 2018 on how they collect, store and use information.

Under the new General Data Protection Regulation (GDPR), all businesses must obtain customers’ consent to collect, store and use their personal data.

Businesses will also face more checks on how they protect and maintain such data, both in digital and paper formats.

Informed customer consent is the key theme of GDPR. The new law will make it easier for customers to withdraw consent for business use of their personal data, or to ask for it to be moved to another service provider or erased.

The new regulations are being enacted across the European Union and include the UK, regardless of Brexit. The aim is to modernise and align all data protection laws affecting people located in Europe and to build better trust and transparency between customers and organisations which collect and use personal data.

‘Personal data’ can include email addresses, internet protocol (IP) addresses, telephone numbers, bank account details, health records, economic or social information. This type of information could be stored in emails, spreadsheets, databases, invoices, delivery notes, employees’ contact lists or clients’ contact lists. GDPR is also designed to allow parents and guardians to give consent for children’s data to be used.

GDPR will affect both business owners and staff, across many levels, roles and departments – including IT, marketing and administration activities.

Businesses need to prepare for the big changes. They should aim to understand the key GDPR issues, start to take action and also seek expert advice to comply with the new regulations and minimise any risks.

As highlighted at the start, consent is vital under GDPR for you to collect, store and use personal data from your customers and contacts. Their consent must be given freely. The new laws say their consent must be specific, informed and unambiguous. Businesses cannot simply assume they have consent from the customer, even if their relationship with the customer is good and long-standing.

Another key requirement under GDPR is for businesses to keep detailed records of their data processing methods for potential inspection. Businesses failing to do so face potentially heavy fines.

Businesses should maintain and review personal data, delete any unneeded data, act promptly on data-related requests and report any cyber-attacks to the UK Information Commissioner’s Office.

For professional help on your marketing and digital activities, feel free to give us a ring for a conversation. We are subject to the same GDPR laws and Cornerstone is classed as a ‘data processor’ under the new regulations.

Cornerstone works with a wide range of businesses and we now offer three types of GDPR packages tailored for different website needs.

Our three GDPR packages are:

• Site Secured Standard package – perfect for business-to-business and business-to-consumer websites with a few contact forms.
• E-commerce Secure package – the best way to ensure e-commerce websites are safe.
• Site Secure Bespoke package – designed for businesses with multiple websites or complex websites with multiple forms, integrations or functions.

Expert legal advice on GDPR is available from solicitors.


Businesses should not confuse GDPR requirements on consent and personal data with other individual privacy laws or corporate PR guidelines.

Previous changes, such as the Data Protection Act or privacy laws, have often sparked needless panic or confusion among businesses and other organisations who have not understood the rules.

The common use of employees’ names, work contact details and workplace photographs on employer-business websites, marketing material, news and social media is not a GDPR issue. This is not the use of ‘personal data’ that GDPR focuses on.

Employees cannot object to their employer’s reasonable use of workplace information for legitimate business purposes under GDPR or privacy laws.

Under privacy law, people’s rights to individual privacy are highest in private, domestic locations such as family homes and gardens. At work, employees have lesser rights to privacy. So they can be asked to appear in marketing activities linked to the workplace and employer’s needs. This includes business-related PR, photography, social media and marketing activities.
It is obviously good practice to gain employees’ approval for such activities. But this is not the commercial harvesting and use of ‘personal data’ that GDPR focuses on.

Similarly, GDPR’s emphasis on consent to use customers’ personal data is different to the consent needed when one business wishes to publicly link itself to another business or brand for PR purposes. This is known as ‘association’ and approval for any publicity should be obtained from the second business or brand. Association is typically sought for PR publicity where case studies are sought to highlight the successful sale of a product or service.

Professional marketing and PR specialists such as Cornerstone always gain approval for association in news releases and other marketing material.

Finally, social media channels deal with consent and privacy issues in their terms and conditions. From May they too will be subject to GDPR laws for users in the UK and Europe. Facebook has recently launched an advertising campaign to raise awareness of GDPR changes following the Cambridge Analytica data-harvesting controversy.

Ready to talk GDPR with us? Get in touch today here.

Cornerstone DM