
What Does GDPR Mean for Your Small Business Marketing


The new General Data Protection Regulation (GDPR) has been in force in the UK since May 2018. It’s the biggest change to data privacy regulations in 20 years. And it can have a big impact on your small business – particularly on your marketing.

The changes the law introduced are quite complex. So here’s an overview of what the new regulations say and what you need to do in order to comply.

What is GDPR?

GDPR is a law which aims to protect the personal data of EU citizens. It ensures that businesses are using this data in a fair, safe and secure way. For a small business, this means that the way you collect, store, use and share personal data has changed.

GDPR applies to any business worldwide dealing with personal data of EU and UK citizens. That includes sole traders and small businesses like us, all the way up to huge corporations.

The law affects both online and offline data. And it applies to internal communications as well as customer-facing data collection.

There can be fines of up to €20 million (or 4% of the company’s global turnover) for non-compliance. So make sure your privacy & cookie policy is always up-to-date!

The six principles of GDPR

GDPR has six main principles at its heart. These define what personal data is and what responsibility small businesses have for their customers’ data. They also outline how you can ensure compliance with the new legislation. Let’s have a look:

  1. Lawfulness, Fairness and Transparency – You need to make customers aware of what their data will be used for. Ensure it is used only in the way you have described, and that it meets the requirements of the GDPR law.
  2. Purpose Limitations – Personal data can only be obtained for specific and legitimate purposes. It cannot be used further without additional consent.
  3. Data Minimisation – Only the minimum amount of data required for the specific purpose should be kept.
  4. Accuracy – Data should be kept up to date, and any inaccurate data should be updated or deleted.
  5. Storage Limitations – Data should only be kept for as long as it is needed, and anything no longer required should be deleted.
  6. Integrity and Confidentiality – Personal data should be processed in a secure way that ensures it won’t be lost, destroyed, damaged or unlawfully used.

What does GDPR mean for your marketing?

Marketing is all about connecting with people and using their data to give them the information they want. So GDPR makes it really important to review your marketing and ensure it’s GDPR compliant.

Here are the four main areas where GDPR has an impact on your small business marketing:

1. Privacy policy

There’s no need to panic – collecting data is still absolutely fine. You just need to make sure you’re doing it properly and letting people know how and why you’re using their personal data.

Start by updating the privacy and cookie policy on your website. And then have a think about all the other ways you collect personal data in your small business.

Make sure you know where you collect each kind of data, what you collect it for, and how you keep it safe. Take a note of what third-party systems you use to store the personal data of your customers and employees.

Additionally, you need to define how long you’re going to keep the data after, for example, the last transaction with a customer. Put a routine in place to regularly clean up data in your small business and make sure it’s always up to date.

2. Double opt-in

Consent is a vital part of the GDPR guidelines. And it means that opt-out consent is no longer an option. When collecting customer data (e.g. for your mailing list), people must opt in and then confirm that they give consent for you to store their data. This is known as double opt-in.

You must also be able to prove you have this consent and give customers the option to withdraw their consent at any time. Also, consent must be freely given. That means an exclusive content download can no longer be conditional on someone consenting to you having their email address.

Chances are, you already have an email list full of customers. So ask yourself: Has everyone on the list consented using double opt-in? If you started collecting data a few years ago, probably not.

This means you’ll need to regain consent for all the people already on your list. Send out an email asking them to confirm their subscription. And make sure to let them know exactly what their data will be used for and to link to your privacy policy.
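To make the "prove you have consent" requirement concrete, here is an added example (not code from the article or from sandstonecastles) of a small double opt-in ledger: a subscription request creates a pending record and a signed confirmation token, only a valid and unexpired token turns that record into dated proof of consent, and consent can be withdrawn at any time. The timestamps, email addresses and HMAC secret are constructed sample values; a real system would persist the records and send the token in the confirmation email.

```python
# Added example (not from the article): a double opt-in consent ledger with provable consent and withdrawal.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional
T0 = datetime(2018, 5, 25, 9, 0)  # constructed sample timestamp used by the tests
HOUR = timedelta(hours=1)

@dataclass
class ConsentRecord:
    email: str
    purpose: str            # what the data will be used for (transparency)
    policy_version: str     # privacy policy version the person was shown
    requested_at: datetime  # step 1 of the double opt-in
    confirmed_at: Optional[datetime] = None  # step 2: this is the proof of consent
    withdrawn_at: Optional[datetime] = None  # consent can be withdrawn at any time

class ConsentLedger:
    def __init__(self, secret: bytes, pending_ttl: timedelta = 48 * HOUR):
        self._secret = secret  # HMAC key for confirmation tokens (assumed kept out of the database)
        self._pending_ttl = pending_ttl
        self._records: Dict[str, ConsentRecord] = {}

    def _token(self, email: str, requested_at: datetime) -> str:
        msg = f"{email}|{requested_at.isoformat()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str, policy_version: str, now: datetime) -> str:
        """Step 1: store a pending record; the returned token goes into the confirmation link."""
        self._records[email] = ConsentRecord(email, purpose, policy_version, now)
        return self._token(email, now)

    def confirm(self, email: str, token: str, now: datetime) -> bool:
        """Step 2: only a valid, unexpired token turns the pending record into consent."""
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at or now - rec.requested_at > self._pending_ttl:
            return False
        if not hmac.compare_digest(token, self._token(email, rec.requested_at)):
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, now: datetime) -> None:
        if email in self._records:
            self._records[email].withdrawn_at = now

    def can_email(self, email: str) -> bool:
        rec = self._records.get(email)
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
```

The confirmed record (address, purpose, policy version and both timestamps) is what you would show if asked to prove consent; anyone already on an old list without such a record is who the re-confirmation email above is for.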

3. Access

You also need to make sure customers can easily access their data and remove consent if they wish. For example, this can be as simple as including an unsubscribe link at the bottom of emails.

Or you can add a section on your website which allows people to manage their email and cookie preferences.

You also need to be able to show any of your customers, on request, what data you hold about them and what you use it for. So don’t forget to add your small business’s contact details to your privacy policy.

Customers have the option to request deletion of all their data from any company and you have to be able to comply within a short period of time. So make sure you always know what data you hold where at any given time.

4. Relevance

Don’t forget to have a think about what kind of data you really need to be collecting. In order to keep things simple for yourself, it’s good to collect the bare minimum of data you need. Sometimes a name and email address are all that’s required.

You have to be able to prove you need this data. So make sure it’s actually relevant to your small business. For example, if you’re an online shoe store, knowing someone’s shoe size is relevant. If you’re a freelance web designer, not so much!

There are no hard and fast rules in the new regulations about which data you can keep and for how long. You simply need to be able to explain why you are storing the data in question. And you’d better have a good reason for it.

GDPR resources

If you think it all sounds a bit complicated, I don’t blame you! There’s a lot to take in but as long as you’re prepared, the new GDPR rules should fit nicely into your small business marketing strategy.

Here are some great resources to help you understand GDPR even better:

Also, have a look for events and workshops in your local area which can help you understand GDPR further.

Denise Strohsahl brand and marketing consultant for small businesses

Hello, I’m Denise from sandstonecastles, a brand & marketing consultancy based in Edinburgh, Scotland.

I help small business owners like yourself to find the right marketing that’s in line with your brand and values.