The Seven Core Principles of the General Data Protection Regulation (GDPR) 2018 and their effect on marketing.

Published April 2018 by Leanne Millar BSc


GDPR, the General Data Protection Regulation, is an EU regulation (2016/679) which applies in the UK, alongside the new Data Protection Act 2018, from the 25th of May 2018. The key thing about GDPR is that it doesn't just affect residents and businesses of the UK or the EU. It applies to any organisation anywhere in the world which offers goods or services to, or monitors the behaviour of, people in the EU (including the UK at the time of writing), and it protects people who are in the EU, not just citizens. GDPR is big and there are big fines to go with it: up to 20 million Euro or 4% of a business's total worldwide annual turnover, whichever is higher.

GDPR sets out seven principles (Article 5) which govern how personal data is collected and handled. Personal data must be:

  • Processed lawfully, fairly and transparently.
  • Collected for specified purposes and not used for anything incompatible with them (purpose limitation).
  • Adequate, relevant and limited to what is actually needed (data minimisation).
  • Accurate and, where necessary, kept up to date.
  • Kept no longer than necessary, which in practice means minimal copies, both digitally and in print, and a retention period you can justify (storage limitation).
  • Kept secure, so that the integrity and confidentiality of the data is protected against unauthorised access, loss or damage.
  • Handled by someone who is accountable for it: the organisation is responsible for complying with the principles above and must be able to demonstrate that compliance.

So how does this affect businesses in terms of marketing?

In a nutshell, there are some key things businesses should be doing to keep their marketing compliant.


The main one which has everyone in a panic is consent for e-mail marketing, usually implemented as a double opt-in. GDPR does not in fact mandate a double opt-in; what it requires is that consent is freely given, specific, informed and unambiguous, and that you can prove it was given. A confirmation e-mail is simply the easiest way to produce that proof. This applies to addresses collected both before and after the deadline date: you should be able to show that the person the address belongs to gave you clear, affirmative permission to be on your mailing list, and they must have the option to unsubscribe at any time. The rules on unsolicited marketing e-mail in the UK come from the Privacy and Electronic Communications Regulations (PECR), which sit alongside GDPR. Under those rules a generic company mailbox that is in the public domain and does not identify a person by name is perfectly acceptable to cold e-mail, whereas an address that names an individual is personal data and can only be e-mailed for the purpose it was supplied for. For instance, if someone hands you a business card and asks you to contact them should you wish to discuss business, only the person it was given to has permission to e-mail them, and only for that purpose. Limited companies and other corporate subscribers can be e-mailed without a prior double opt-in, but you must give them a clear way to unsubscribe and abide by it; note that there is no preference service for e-mail equivalent to the Telephone Preference Service, so the only list you can check is your own record of who has objected. Many companies have chosen to ask people and businesses to double opt in to a new e-mail list and have deleted their old lists completely, as it just isn't time efficient to sift through thousands of e-mail addresses to see which ones are acceptable.


Sending personalised direct mail to named individuals requires a lawful basis for holding and using their details: either their consent, or a documented legitimate interest together with a clear opportunity to object and a check against the Mailing Preference Service. Without one of those, GDPR makes it unlawful. It is not, however, at the current time or likely to be soon, unlawful to send out un-personalised marketing materials to addresses in the post or through a mailing service, because no personal data is being processed.


Social media is a beautiful system of marketing which appears to be largely unaffected by GDPR, at least from the marketer's end. Social media tends to be opt-in as standard, since people choose to follow you, so this makes things relatively easy. The main thing is to keep your personal accounts separate from your business accounts, as friends and family have not "opted in" to receive your marketing communications; therefore using their data for that purpose isn't what they consented to. The other important thing is that your social media providers, i.e. Facebook, Google, Twitter and LinkedIn, are themselves GDPR compliant. If they are trading in the UK, they are almost certainly ensuring that they are, and if you are unsure you can always ask them. Bear in mind that you remain responsible for any follower or contact data you export from those platforms into your own systems.


It is not illegal to cold call a business provided its telephone number is in the public domain and is not registered with the Corporate Telephone Preference Service (sole traders count as individuals, so check the ordinary TPS before calling them). What you cannot do is keep the first names and surnames of the people you speak to in your database without a lawful basis. For business-to-business prospecting that is usually legitimate interests, which means you must be able to say why you hold the data, tell people that you hold it, and delete it if they object. Here is a way to keep your cold calling GDPR compliant. Know the job title of the person you want to speak to: what is the decision maker's title likely to be? For example, you are a company which provides websites to businesses. Ask to speak to either the Managing Director, the head of the Web Department or the head of the Marketing Department. Even better, try to connect with them on LinkedIn so that they have "opted in" to you contacting them, or so that you at least know what their job title is before you call. Remember that with sales a prospect usually has to hear of a company at least three times before they are likely to do business with it. Cold calling does in fact still work, and it is an excellent way of building relationships with decision makers. Most importantly, remember to build relationships rather than going in for the hard sell. Try to get a meeting or a scheduled call time with them, and be sympathetic to their busy schedules.


Networking and sharing good content are also very good GDPR-compliant marketing tools, and a pretty good way of getting people to sign up to your mailing list. Give people an example of the good content you share and ask them to give you a try by double opting in. Also give people a reason to want to contact you again, such as a limited-time discount voucher. Always find a way of keeping the communication going, and remember to do it legally. You can no longer run a prize draw for submitted business cards and quietly add the entrants to your mailing list. That is only lawful if you tell entrants clearly, before they enter, that their details will be stored and that they are agreeing to join your marketing list, and consent to marketing should be a genuine choice rather than a hidden condition of entering.

So there is a lot of worry about GDPR, and for a lot of companies, particularly small ones and sole traders, it is going to be a bit of a hassle making sure you have policies and procedures in place. Larger companies will no doubt take a hit when it comes to their mailing lists. However, this doesn't make it impossible to market your business, and it isn't the end of the world. It is not much different from what you should already have been doing under these pre-existing laws:

  • Computer Misuse Act 1990
  • Consumer Protection Act 1987
  • Data Protection Act 1998 (now replaced by the Data Protection Act 2018)
  • Privacy and Electronic Communications Regulations 2003 (PECR)
  • Disability Discrimination Act 1995
  • EC Directives on Waste Electrical and Electronic Equipment (WEEE)
  • Freedom of Information Act 2000 (Freedom of Information (Scotland) Act 2002 in Scotland)
  • Health and Safety at Work Act 1974
  • Copyright, Designs and Patents Act 1988
  • Environmental Information Regulations 2004
  • Regulation of Investigatory Powers Act 2000
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

The biggest difference is that the regulator, the Information Commissioner's Office (ICO), now has much stronger powers and has made clear that it will use them. It can fine companies which fail to comply, and through enforcement notices it can order a business to stop processing personal data altogether, which for a company failing on a large scale could effectively shut it down.


This blog is only our interpretation of the minefield that is the General Data Protection Regulation 2018. Although we are confident that we are giving adequate and relevant information, we recommend that everyone do their own due diligence and, if at all unsure, contact the ICO helpline for advice. We are not solicitors or legal professionals and we cannot give legal advice. If you find anything within this blog to be inaccurate, please contact our webmaster on and we will research and correct any information in a timely fashion. Thank you.

We would like to keep you informed of updates to our website and blog and send you exclusive offers and content. If you agree please sign up using the form below.