As a small business the personal information (data) that you collect from your buyers is essential to your business.  For example, without a buyer’s name and contact details you can’t fulfil their order but that information is also gold-dust for your marketing activities to entice buyers to make their next purchase with you.

However, just because someone buys from you, it doesn’t mean that you can automatically assume you can contact them about something different after you have fulfilled their order (sent the product or provided the service). If you subsequently want to tell them about your new products, services, upgrades and anything else you think they may be interested in, you now need to think twice.

Data protection law is about protecting an individual’s personal data – this means that you can only contact an individual if

  • There’s a lawful reason (such as to fulfil someone’s order or to comply with a legal obligation) OR
  • They have agreed that you can (consented)

Computer MouseFor marketing purposes, most businesses rely on obtaining an individual’s consent so that the business can contact them – it makes good business sense to use the initial buying process to ask your customers if you can contact them again to tell them about your products/services or to enrol them in a loyalty scheme. However GDPR changes means that you now need to take a good hard look at the question of consent from individuals, including your customers, to be sure that you can contact them without breaching your data protection obligations. Of course there is not only consent discussed in GDPR but when it comes to marketing (PECR) consent sits there ready to catch you out.

Many business currently rely on obtaining consent to contact the individual using

  • Pre-ticked boxes
  • Consent that’s hidden within their terms and conditions of business
  • Inferring consent from silence or inactivity (i.e. not saying that they do not want to be contacted)

The problem is that changes to data protection (the General Data Protection Regulations or GDPR which came into force in May 2018) demand that the consent from your customers must be

  • Freely given
  • Specific
  • Informed and
  • An unambiguous indication of the person’s wishes (i.e. there is no doubt as to the individual’s wishes)

What do you need to do?

Look at what information you collect from your buyers and how you want to use it. If you want to be able to contact them for particular purposes, such as marketing, look at how you obtain consent and how you can make changes now.

If you don’t you will find yourself with data that is useless because you will be breaching data protection if you contact people without their express permission.

What happens if you don’t?

The Information Commissioners Office (ICO) who enforces data protection clearly means business. They are urging businesses to get on board with their regulatory duties as

  • You will need to tell them if you breach any data protection and
  • If you do, or are not complying with your data protection obligations then your business could be fined

None of this is complex, its just multifaceted and easy to miss, talk to us about your marketing plans and let us guide you through the red tape you need to watch out for. Call us for a FREE No Obligation chat on 01244 300413 or email

Share this: