GDPR – It’s not the end of the world as we know it

On the eve of the new GDPR regulations coming in and with most peoples’ inboxes suffering a deluge of GDPR related emails, we thought it would be a good time to remind our clients and all small business owners how the GDPR will actually affect your data processing and marketing.

The most valuable piece of advice, as reported in The Guardian, is that you may well have the required consent already and you do not need to refresh all existing consents.

Here at Engine Room, our team have been working for months on how we can help our clients continue their results-driven marketing within the new GDPR framework. We’ve attended courses and webinars, read the guidance and drafted policies and action plans.

In the last few days, there seems to have been a domino effect as GDPR ‘repaper’ emails asking for opt-ins or informing you of new privacy policies. Fearful of not doing the right thing, small business owners and marketing managers have sent out their own requests and, in doing so, have damaged high-quality GDPR compliant lists and data.

It’s important to remember there are six bases for legal data processing under GDPR. As well as consent through a clear opt-in procedure, owner-run businesses should also be considering the following:

Legitimate interest

Legitimate interests is the most flexible of the six lawful bases. It is not focused on a particular purpose and therefore gives you more scope to apply it in different circumstances.

This could be the reasoning behind you emailing your leads or prospects based on their industry and job title. Whereby, the contacts you are emailing have an interest in your marketing communications, legitimately. What you have to offer, in terms of your goods, services or products will essentially benefit the business you are emailing. The receivers on the end of your emails are going to benefit or be interested in what you have to say.

It also covers ‘soft opt-in’. This means that consent is not required if you are sending marketing message about similar products and services to your customers/clients or those you have negotiated with to provide products or services, as long as:

  1. You give them the opportunity to opt-out when you receive their contact information
  2. You give them the opportunity to opt-out when you send them subsequent messages

Any respectable e-marketing or contact form platform will have these options as standard.


You can rely on this lawful basis if you need to process someone’s personal data:

  • To fulfil your contractual obligations to them.
  • Because they have asked you to do something before entering into a contract (e.g. provide a quote).

As an example, if a prospect has enquired through your website, you can email them and follow up without a separate consent or opt-in. It’s important, however, that your privacy policy documents your decision to rely on this lawful basis to ensure that you can justify your reasoning.

If you already have a GDPR compliant consent for your existing list, or you can show a legitimate interest, you might want to hold off clicking send on that ‘repaper’ campaign.

However, a requirement of GDPR is to be working towards compliance with clear progress and a plan by May 25th. So, make sure you’ve documented what you plan to do, why and when you plan to do it. Most importantly – don’t panic!

If you want to talk to us about your data and marketing in a GDPR-compliant way, get in touch.

Please note: this isn’t legal advice. We want to share our learning to make sure small businesses can continue to succeed alongside the GDPR, but if you need concrete legal advice please talk to a solicitor.

Quick Contact

Quick Contact

Contact Form