How will GDPR affect you?


From fear over fines to panic about privacy, you’ve probably felt a sense of rising terror over the official GDPR deadline of May 25 2018.

First of all, don’t panic.

Although it feels overwhelming, there’s still time to get your business compliant. Here’s a bite-size guide of what GDPR is and where to start. Enjoy.

A quick overview
GDPR is the new regulatory legislation that will replace the outdated DPA (Data Protection Act). All organisations that use the personal data of EU citizens (even citizens that aren’t located in the EU) must stick to the new regulations.

Some of the new standards state that:

  • organisations that use personal information must do so fairly and transparently

  • ‘personal data’ includes any information that identifies a person – this can mean IP address, posts on social media, photos or location information

  • there are new rights for individuals in place that include the right to be forgotten and the right to object

  • individuals must actively consent to their data being used (no pre-checked tick boxes)

  • individuals must be made aware of exactly how their data is being used, why it is being used and that they’re free to object to it being used

  • organisations must keep a record of consent

  • some organisations (like public authorities) are required to appoint a Data Protection Officer.

Fines are fine

If all you can think about are the dreaded fines, let’s quickly put your mind at ease. The ICO (Information Commissioner's Office) has officially debunked the notion that minor infractions would incur heavy fines from the outset of GDPR.

ICO Commissioner Elizabeth Denham said:

“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

“Issuing fines has always been, and will continue to be, a last resort.”

Phew! Now let’s get into what you should be doing.

Here’s where you need to start

1. Audit your data

This is an essential exercise to pin down exactly how you use audience data and why. At any time, you may be required to find a person's data that you have stored as part of their right to access, deletion or portability. This means having a record of your audit is essential.

A good place to start is to track the usage of data through the entire delivery process of a product or service. Try to pin down who uses it, how many pairs of hands it passes between and how carefully it’s handled.

You need to be aware of how your organisation collects, records, stores, retrieves, discloses and erases data. You should also begin to collect proof of everyone’s consent and ensure it’s easily accessible in case you encounter a complaint in future.

2. Get to know GDPR implementation
It’s vital that everyone within your organisation is made aware of the changes and your efforts to become compliant.

At Crocstar, we voted that the most talented team member should research the topic, attend webinars and present findings to the rest of the team. As well as write an award-winning blog post. (I think I nailed it.)

3. Let people know
Individuals also have the right to be informed. It’s important to notify the people on your mailing lists about GDPR and ask for further consent to allow you to use their data for communication purposes.

One way to make sure you’re as transparent as possible is to provide clear privacy notices.


As you start to implement GDPR, your privacy policy will become your best friend. All you have to do is make sure it answers the following:

What information is being collected?

Who is collecting it?

How is it collected?

Why is it being collected?

How will it be used?

Who will it be shared with?

What will be the effect of this on the individuals concerned?

Is the intended use likely to cause individuals to object or complain?

GDPR at a glance
As well as these initial three steps, take a look at this infographic produced by the ICO with 12 quick steps that your business should take.


Turn GDPR into a positive
Aside from dodging fines, complying can be beneficial for your business in many more ways.


The law will help you create a more trusting relationship between your business and your subscribers. Knowing exactly what kind of experience subscribers want from you helps you meet, and exceed, their expectations. 


GDPR empowers your subscribers to understand exactly what data is being collected and how it will be used. And since the GDPR provides subscribers with the right to easily specify and update permissions, it should also lead to fewer unsubscribes and spam complaints – which also helps to improve deliverability.

Make your data efforts something to shout about

A number of organisations have been proactive with GDPR and turned it into a positive PR story. Take a look at this compliance video from EasyJet for a great example.

From assessing your current output to creating a new content strategy, we can help you get compliant without losing your creativity – let’s talk.