GDPR bites and mail bounces back

It’s been less than three months now since the GDPR came into force. We look at what has happened to organisations caught out by GDPR, what you can do to comply, and some surprising trends with businesses cashing in on its implementation across the EU.

The GDPR is actually good news, coming into being as a response to unscrupulous marketing and data analysis firms harvesting and selling user data, and distributing unprompted emails, mail and phone calls to EU citizens without their explicit consent.

  • The General Data Protection Regulation came into force on 25th May 2018
  • EU-wide data protection rules that streamline the way all personal data, of all types, is stored and handled across all EU member states
  • In force in the European Union (EU) and the European Economic Area (EEA)
  • Addresses the export of personal data outside the EU and EEA

Previous UK data laws, the Data Protection Act 1998 (DPA) and EU Data Protection Directive, didn’t really have much in the way of fines for infringement. In drafting the GDPR, the EU recognised that it needed much stronger legal ‘teeth’, and financial penalties for non-compliance have changed radically with the GDPR, now enshrined in the UK’s own Data Protection Act 2018.

“Fines can be invoked of up to 20 million Euros or 4% of organisation total global turnover, whichever is the greater.”

How does GDPR work to benefit EU citizens?

Let’s take an example. If Joe Bloggs opens an unsolicited email from you that he objects to and hasn’t opted in to receive, he could report you under the GDPR. That was also possible before, but the difference under the GDPR is that far more power now resides with each citizen inside the EU over how their personal data can be stored, handled and processed. The enterprise sending Joe the email is liable for a caution or a fine under GDPR legislation.

In another example, Joe hears in the news that the EU based online dating site he has signed up to has been hacked, and that his personal data may have been stolen. Under the GDPR this report likely hit the news because all enterprises must report any breach of user data within 72 hours, if it is likely to have an adverse effect on user privacy. Again, the enterprise handling Joe’s data may be cautioned or fined.

What are the fines so far for GDPR breaches?

It was initially thought that the approach of authorities monitoring GDPR compliance would be as it has been in the past, which was to ensure you’re at least working on compliance, and to gently push you in the right direction, rather than impose big fines at the outset.

That’s why everyone is watching the Dixons Carphone data breach reported in June. Even though the breach happened before the GDPR came into effect, it was later discovered to have affected a lot more personal records than initially thought. Under the previous data protection rules the maximum imposable fine would have been £500,000, whereas under the new GDPR Dixons Carphone could face fines of up to £17.6m (€20m).

The Information Commissioner’s Office (ICO), in charge in the UK of looking into GDPR compliance related to data breaches, said:

“Dixons Carphone reported a data breach to the ICO in June. The company has now confirmed that the incident affected the personal data of 10 million records, which is significantly higher than initially stated. Our investigation into the incident is ongoing and we will take time to assess this new information. In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”

The market reacted predictably to the news, with Dixons Carphone’s shares having fallen almost 8% since mid-June.

But it’s not just about organisations directly hit by data breaches under GDPR regulations. Just ten days after the GDPR came into force, some companies felt the pinch of its effects on their future business. Publisher Johnston Press was one of the first media organisations to take a GDPR related hit, after the group at their June AGM cited the impact of more onerous European privacy restrictions as a contributory factor to a decline in their digital ad revenues. Their overall revenues fell 9% over the first half year.

Apart from the large potential fines, the requirement to disclose any breach of user data is a key aspect for all organisations handling data, and is what gives the GDPR a good chance of being taken seriously and implemented properly right across the EU.

What’s ‘personal data’ and who needs to comply with GDPR?

Whilst GDPR requirements might appear onerous for many businesses, it conveniently provides just one set of regulations to comply with. Before GDPR, there were actually 28 sets of rules in place in different EU countries regarding personal data.

The GDPR contains provisions and requirements relating to processing of personally identifiable information (personal data) of individuals inside the European Union. It applies to the processing of the personal data of any person inside the EU by any enterprise established in the EU, regardless of the data subjects’ citizenship, and regardless of the enterprise’s location or even its size.

The GDPR applies as much to sole traders as it does to large corporates. Controllers of personal data within any enterprise must put in place appropriate technical and organisational measures to implement the GDPR data protection principles.

The GDPR assumes data protection by design and by default, which means each process handling personal data must be designed and built with consideration of GDPR principles, as well as providing safeguards to protect that data. For example, ideally all user data should be anonymised, as well as having the highest-possible privacy settings by default. This means that the user data is secure and not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately.

The GDPR also says no personal data may be processed unless it is done under a lawful basis specified by the regulation, or unless the enterprise’s data controller or processor has received an unambiguous and individualised affirmation of consent from the data subject. Any person in the EU or EEA (data subject) also has the right to revoke this consent at any time in the future.

Any processor of personal data must clearly disclose any data that has been collected, declare the lawful basis and purpose for the data processing, and state how long the data is being retained, and also if it is being shared with any third parties or outside of the EU.

Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. All public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO). The DPO is directly responsible for managing compliance with the GDPR. Matthew Lea, Data Protection Expert, Herrington Carmichael Solicitors, said:

“Where you collect personal data of an individual, you are required to provide information such as who you are, how you can be contacted, details of your organisation’s Data Protection Officer (DPO) if you have appointed one, why you are processing their personal data, who you are sending it to, and if you are transferring their data abroad. You also need to provide information on their rights as data subjects, and say how long you intend to keep their personal data for.”

The six legal grounds for data processing under GDPR
  1. Consent has been given by the data subject
  2. Processing is necessary for the performance of a contract with the data subject, or to take steps to enter into a contract
  3. Processing is necessary for compliance with a legal obligation
  4. Processing is necessary to protect the vital interests of a data subject or another person
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  6. Processing is necessary for the purposes of ‘legitimate interests’ pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Regarding point 6, you may be able to hold and process user data on the basis of ‘legitimate interest’. The best way to check whether this applies to your data is to assess it against the ICO guidance – click here.

What do you need to do to get GDPR compliant?

There are many aspects of business that you need to look at. Most UK organisations have a website and some type of user or customer specific data stored somewhere, whether website or email newsletter registrations, or user data in financial, telephone, email, CRM, sales or marketing systems. Basically, anything that can identify a user.

The simple first things you can do relate to your website and any user data you hold. Your website privacy notice can be amended to indicate how your organisation complies with GDPR requirements, as can the text that goes with website forms used to collect personal data, such as the ‘Contact us’ forms that many websites have. Another recommendation is to state that you hold and manage user data in a GDPR compliant way.

You could do this by adding a link to your website privacy notice in your organisation’s standard email footer, which ensures all the people you communicate with directly have access to it.

Here’s a more detailed list of things to be fully GDPR compliant:

  1. Inform your organisation internally about GDPR
  2. Website privacy notice – create or update your page(s)
  3. Cookies – sort out your website cookie control and policy
  4. Forms – update client enquiry, email news and lead capture
  5. Records – record the user ‘opt-in’ process
  6. Campaign pages – GDPR compliant landing pages
  7. Improve your security around all your user data
  8. Consider GDPR compliance software and data insurance

Cashing in on GDPR

On the flip side, companies are also legitimately capitalising on the GDPR, sometimes in surprising and interesting areas.

Confidential waste specialist Russell Richardson has geared up to make life easier for businesses beefing up their data protection processes in line with the GDPR. As shredding, archiving and recycling experts, they brought in a multi-tasking mobile shredding truck which they have taken out on the road. Their massive mobile shredder can deal with up to 2.5 tonnes of confidential paperwork an hour at a client’s premises, and can destroy data-packed computer hard drives, CDs and memory sticks in seconds.

“Some companies used to throw whole computers in a skip with the hard-drive still in place. Now GDPR has imposed tighter rules, we scaled up to help companies who have to take extra care of their data. We’re seeing an increase in customers who prefer to witness on-site the certified destruction of data stored on computers and tech devices.”

Most enterprises with big customer and partner email databases have sent out individual special ‘opt-in’ emails to all of their users, to make sure they are GDPR compliant. Other smaller companies have just ditched their email or CRM contact databases, deciding that filtering them all for GDPR compliance is just not worth the hassle, or that continuing to send emails out to their whole contact database is now just too risky.

One interesting aspect of the GDPR relates to mail, which may have an advantage over electronic communications in meeting the conditions for what the GDPR calls ‘legitimate interest’. In this case you don’t need specific user consent for future postal marketing. This means that, despite the higher cost of mail versus email and electronic communication, many enterprises are now seriously reconsidering the option of posting selected information direct to their customers.

Direct mail and print companies are also beginning to benefit from the GDPR for the same reason. After decades of decline in mail volumes we now receive little post, so mail is likely to become a very attractive way for marketers to raise customer awareness of company products and services.

Conclusion

The bottom line is that the GDPR is here to stay, and isn’t going to go away. “What about Brexit?” you might ask. Well, even though the UK voted to leave the EU, the Government decided we would still comply with the GDPR, and you have to follow the regulations.

So, instead of hoping to get around it, if you really haven’t yet got to grips with your obligations under the GDPR, see it for what it is. An opportunity to tidy up all of your customer data and mailing lists, consolidate them all into one secure system or location, and to implement systems and processes to ensure that all of your data related to individuals is stored, managed and processed in line with GDPR requirements.

The good news is that the GDPR means a lot of the spam emails and unsolicited calls and mail you used to get will disappear. You’ll also likely start getting targeted mail through the letterbox that is better designed, more interesting and more useful to its recipients. As this happens, consumer confidence in communications from organisations will steadily rise, email open rates and click rates will improve and mail response will increase, as people will only receive information and offers from the companies they like and trust.

That can only mean that being part of the GDPR solution, rather than against it, is good news for future business communication.

Supercharging the speed of business

What if you could have your own motorway lane to get to work and then drive at whatever speed you wanted, rather than fighting with all of the other commuters for lane space and suffering all the usual speed restrictions? You’d probably jump at the chance.

The fight for space you experience going in to work every day is what it’s like online for millions of business users, employees and partners with poor internet speeds.

Internet speed is holding back British business

Let’s be honest, what was fast internet access a few years ago is pretty slow today. We’re all used to our new mobile moving to the latest ‘G’ when we upgrade every two years or so, and then suddenly we can see live streamed footage of our favourite sports team, seamlessly, in high resolution. So why hasn’t business kept up with high speed internet at the same pace?

These days high speed exchanges feed broadband internet into most UK towns and cities, and the UK now has 95% coverage for broadband with speeds of 24 Megabits per second or higher. However, many businesses are stuck at the mercy of rickety old telephone wires that are limited in the speeds they can support. If it’s copper wires that link a business premises to the high speed exchange cabinet, which might even be miles away, then this can create grindingly slow broadband connections for staff.

For fast, reliable business broadband, a full fibre optic cable connection is required. Fibre is capable of delivering Gigabit speeds, and one Gigabit is 1,000 Megabits, so it’s a big leap forward in connection speeds that could benefit you and your business into the future. But the key challenge for most smaller businesses has not so much been the cost of Gigabit speed line rental, but the high cost of installing this type of high speed line to their premises.

UK Government Gigabit Broadband Voucher Scheme (GBVS)

Launched in March 2018, the GBVS is a £67m UK government fund that currently runs until March 2019. GBVS is a grant contribution to pay towards upgrading broadband to a high-speed Gigabit capable connection. To put it in context, to stream an HD movie you would need a connection speed of about 5 Megabits per second (Mbps), so with a 1 Gbps line up to 200 people could watch an HD movie simultaneously. Full fibre also supports symmetrical connections – meaning your upload and download speeds can be the same.

Most UK small and medium sized organisations, in all sectors, with 1 to 250 employees and less than £50m turnover, could be eligible for a GBVS grant of up to £3,000. This grant can be used to help pay for a high speed broadband connection as part of a group project, or directly to a single business premises.

This is how the Gigabit Broadband Voucher Scheme works, managed by the UK Government Department for Culture Media and Sport.


  • Find out if you are eligible for the GBVS scheme – click here
  • Find out how NUCO International has benefited – click here

Why high speed Internet is crucial for your business

Mobile devices are actually part of the problem many businesses now have. New faster mobiles and BYOD (Bring Your Own Device) programmes, supporting workers’ own and business smartphones and tablets, incrementally grow the demand for Internet bandwidth. More people and more high speed Internet-linked devices in your company simply soak up your limited bandwidth, and reduce the speed that bandwidth can deliver when it is in use almost all the time. And it’s the same effect whether people are connected to your internet by cable, or using company Wi-Fi to manage business requirements on a PC or mobile.

At home, the lack of a high speed internet connection may be frustrating, with occasional breaks in your movie or the ‘spinning wheel of death’ as content buffers. But, with your business, slow internet speed is a potential future killer. It’s not just the lost productivity, when your staff can’t upload and download files they’ve been sent on email quickly, it’s the lack of options you then have to make your staff more productive, and to collaborate with each other more easily.

Don’t despair, here are just five of the opportunities that businesses with high speed Internet can make the most of straight away, today:

Cloud computing applications

Most people have heard of this, and examples of cloud computing are things like mobile email, social media and Spotify that we all use at home. But, in business, growth in cloud computing services and resources can keep your employees more focused and more productive. For example, they could use products like Microsoft’s Office 365 to access meeting details, contacts or emails on their laptop or mobile, or contribute to a team conversation via an online project site. All of this information and data is synchronised in real time in the cloud, inevitably requiring a consistently fast connection to the internet. The longer the response time from an outside resource, like a cloud based Customer Relationship Management (CRM) system, the more users waste time and lose focus on the business task at hand. Since the number of applications hosted by cloud providers has jumped a hundredfold in the last five years, companies need to upgrade their Internet connections urgently to maintain quick response times, so their staff can interact and contribute rapidly and remain constantly productive.

Big emails and multimedia websites

These days businesses rarely send the two or three line emails of old. Email has become a lot more visual, and photos and graphics have become part of almost every message, helping to share ideas and better explain the wider concepts of projects. They say a picture is worth 1,000 words, but a 500 page document written in Microsoft Word is about the same size as one email picture attachment. Not only that, but modern websites have abandoned pages of text for shiny new websites with photos, logos, banners and, increasingly, high resolution videos. All of these inevitably require far more bandwidth, in order to avoid longer load times to view them. Video streaming takes even more bandwidth. Few will notice the speed loss when one or two staff click on the latest video on YouTube. But when you’re talking about streaming business webinars, as well as streaming instructional videos or online courses, your bandwidth can disappear in a hurry and other important work using the internet can very soon slow to a crawl.

VoIP telephones

VoIP stands for Voice over Internet Protocol. It has become the dominant technology as businesses have brought in new VoIP phones to replace older landline systems. There are many great reasons to switch to VoIP, including things like caller recognition, but each VoIP conversation takes about 100Kb of bandwidth every second. If your company has just a few employees then that’s rarely a problem, but if you have 20 staff on the phone at any one time, you could easily max out all of your upstream speed on most common business Internet plans. Without the right speed of connection, call quality and data traffic both suffer. Maintaining high-quality, real-time VoIP conversations requires an ample supply of upstream bandwidth, and high speed fibre connection services will have carrier service level agreements in place to provide and guarantee these high quality voice connections.

Video conferencing

When every company is looking for ways to increase the pace of its business by improving collaboration, whilst at the same time reducing travel time and costs, it is no surprise that video conferencing has become a lot more popular. With many low cost video conferencing products now available, the lure of pushing a button rather than booking a flight for business meetings is very strong for both business team managers and accountants. It’s easy to understand why more businesses are moving to video conferencing every day, and high speed Internet service means better video meetings and increased staff productivity. But since images require a lot more bandwidth than text, streaming video demands plenty of Internet bandwidth. Slow Internet speeds mean bad meetings, broken connections and frustrated staff, especially if some contributors in a different global location have got up specially to attend the video meeting.

Protecting your valuable data and files

Beyond basic local file backup, all companies recognise that backing up data offsite simplifies business continuity and disaster recovery planning. With more high resolution video, photos and diagrams, the amount of data backed up is constantly growing. Backing up data over a slow Internet connection creates lots of problems, even if the backup is scheduled to run overnight. High-speed Internet connections make rapid, complete backups possible, protecting your critical data and ensuring your business can continue, even if you suffer a data loss due to equipment failure, disaster or data theft. As of May 2018 there are also the GDPR regulations to consider, where you need to make sure that any data you hold on individuals is securely held, processed and backed up in line with stringent regulations that apply to organisations of all sizes.

Conclusion

Few of us would have guessed at half of the devices that have arrived over the last ten years that use an Internet connection. Who knows what web-enabled bit of kit might hit the market next, especially with the Internet of Things?

Wouldn’t it be a crime if you couldn’t download that critical business email attachment simply because your Internet-enabled fridge was doing the drinks stock-up order at an online supermarket?

But, seriously, if you want to remain technologically fit for the future then the lack of high speed broadband could become a life threatening barrier to your business efficiency, or it could drastically limit your planned growth and success.

Get Gigabit speed connected. Find out about the GBVS today here.