We covered GDPR in a previous article back in 2017 (here); in 2025 the topic is still very relevant to businesses, so here is a quick refresher.

In an age where data is currency, privacy regulation is no longer just a compliance checkbox—it’s a fundamental part of business. The European Union’s General Data Protection Regulation (GDPR) and the United Kingdom’s post-Brexit UK GDPR both set strict standards for how businesses handle personal data.

Whether you’re collecting email addresses through lead forms or tracking user behaviour for marketing, understanding your legal obligations under these frameworks is essential. This article breaks down the requirements, explains the implications for your business, and offers a practical checklist for compliance.


What Is GDPR and UK GDPR?

EU GDPR (in force since 25 May 2018) governs how the personal data of individuals in the EU is collected, processed, and stored. It protects people who are in the EU, whatever their citizenship.

UK GDPR came into effect on January 1, 2021, after Brexit. It is largely based on the EU GDPR, but it is now separate legislation under UK law. It works alongside the UK’s Data Protection Act 2018.

Key takeaway:
If your business operates in both the EU and the UK, or handles the data of people in either jurisdiction, you must comply with both EU GDPR and UK GDPR, and treat them as two separate obligations: two regulators, two sets of international transfer rules, and potentially two representatives.


Why GDPR (and UK GDPR) Matters to Your Business

If you offer goods or services to, or monitor the behaviour of, people in the EU or UK and collect or process their personal data (names, emails, phone numbers, IP addresses, cookie identifiers), these laws apply to you even if your business is located elsewhere.

You are particularly affected if you:

  • Run marketing campaigns targeting EU or UK customers
  • Collect personal contact details through your website
  • Use cookies or analytics that track user behaviour
  • Store or process customer data for communication or profiling


Key Requirements Under GDPR and UK GDPR

1. Consent Must Be Freely Given, Specific, Informed and Unambiguous

Consent is one of several lawful bases for processing (others include performance of a contract, legal obligation and legitimate interests), but it is the usual basis for marketing. Where you rely on it, consent must be a clear affirmative action: no pre-ticked boxes, no silent opt-ins, and no consent bundled into terms of service. Keep a record of what was consented to and when, and make withdrawing consent as easy as giving it.

Tip: Use separate, unticked checkboxes for marketing opt-ins and explain what users are signing up for.

2. Transparency and Privacy Notices

You must give individuals a privacy notice, at the point you collect their data, that explains:

  • Who you are and how to contact you
  • What data you collect
  • Why you collect it and the lawful basis you rely on
  • How it’s used
  • How long you’ll keep it
  • With whom you’ll share it (including any transfers outside the UK/EU)
  • Their rights under the law, including the right to complain to the supervisory authority

3. Individual Rights

Both GDPR frameworks guarantee these rights:

  • Right to access their data (a subject access request)
  • Right to correct inaccuracies
  • Right to have their data deleted ("right to be forgotten")
  • Right to restrict or object to processing, including an absolute right to object to direct marketing
  • Right to data portability
  • Right to withdraw consent at any time, as easily as it was given

You must respond without undue delay and at the latest within one month of receiving a request; for complex or numerous requests you may extend this by up to two further months, provided you tell the individual within the first month. Verify the requester's identity before releasing any data.

4. Minimisation and Retention

Collect only the data you need for a specific purpose. Don’t store data longer than necessary. Set clear retention policies for contact records, marketing lists, and analytics logs.

5. Security Measures

You must have appropriate technical and organisational safeguards in place, proportionate to the risk of the processing. These include:

  • Encryption of personal data in transit and at rest, and pseudonymisation where it fits
  • Staff training
  • Role-based access controls on a least-privilege basis, with access reviewed regularly
  • Tested backups so you can restore availability after an incident
  • Regular testing of controls, audits and breach monitoring

6. Breach Notification

If a personal data breach is likely to result in a risk to individuals’ rights and freedoms, you must notify the relevant supervisory authority (the ICO in the UK, or the appropriate EU supervisory authority) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay. Keep an internal log of every breach, including those you decide not to report, with your reasoning.


Key Differences Between EU GDPR and UK GDPR

While the two frameworks are nearly identical, note the following:

  • Supervisory Authority:
    In the EU, businesses answer to national data protection authorities (e.g., CNIL in France, DPC in Ireland); for cross-border processing, the authority of your main establishment acts as lead. In the UK, the Information Commissioner’s Office (ICO) is the regulator.
  • International Transfers:
    The UK treats the EEA as adequate, so transfers from the UK to the EU need no additional safeguards. The EU adopted adequacy decisions for the UK in June 2021, so transfers from the EU to the UK are currently permitted on that basis; those decisions are time-limited and subject to review, so track their status and be ready to fall back on Standard Contractual Clauses if they lapse. For transfers out of the UK to countries without adequacy, the UK uses its own International Data Transfer Agreement or the UK Addendum to the EU clauses.
  • Representative Requirement:
    If your business has no establishment in the UK or the EU but offers goods or services to, or monitors the behaviour of, people in both regions, you will generally need to appoint a representative in each (with a narrow exemption for occasional, low-risk processing).
  • Penalties:
    The maximum fine under EU GDPR is €20 million or 4% of annual worldwide turnover, whichever is higher; under UK GDPR it is £17.5 million or 4%.


GDPR and Marketing: What Needs to Change

Marketing teams face some of the biggest adjustments under GDPR/UK GDPR. Key points include:

  • Email Marketing:
    Use opt-in methods: no pre-ticked boxes and no consent bundled into other forms. Electronic marketing is also governed by the ePrivacy rules (PECR in the UK), which permit a "soft opt-in" only for existing customers being offered similar products or services. Use double opt-in (a confirmation link sent to the address) so you can evidence consent, and include a working unsubscribe link in every message.
  • Lead Forms and Contact Pages:
    Clearly state why you’re collecting personal info and what it will be used for. Don’t combine consent for different purposes (e.g., marketing and acceptance of terms of service), and never make consent a condition of a service that does not need the data.
  • Cookies and Analytics:
    Consent must be obtained before setting non-essential cookies or similar identifiers (analytics, remarketing, social-media pixels); strictly necessary cookies are exempt. Use consent banners with granular, per-category controls where rejecting is as easy as accepting, and do not load tracking scripts until the matching category has been accepted.
  • CRM and Data Storage:
    Regularly audit your CRM and email platforms to remove outdated or unconsented records, and store the source, wording and date of each consent so you can evidence it.
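
The cookies and analytics point above comes down to one rule: no tracking script loads until the matching consent category has been affirmatively granted. The following is an added example written for this refresher, not code from the original article or from Webcraft; the category names, the tag list, the "consent" storage key and the function names (parseConsent, recordConsent, loadPermittedTags) are assumptions. It treats anything missing, malformed or older than twelve months as no consent (default deny), only loads tags for categories explicitly set to true, and keeps the browser wiring separate so the decision logic runs and can be tested anywhere.

```javascript
// Added example (not the article's or Webcraft's code): consent-gated loading of
// non-essential tags. CATEGORIES, TAGS, the storage key and the 12-month re-ask
// period are assumptions for the demo.
const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // re-ask after 12 months (assumed policy)

// Default-deny record: only strictly necessary processing is allowed without a choice.
function defaultConsent() {
  return {
    version: 1,
    timestamp: null,
    categories: { necessary: true, analytics: false, marketing: false },
  };
}

// Parse a stored record (first-party cookie or localStorage). Missing, malformed,
// wrong-version or expired records all fall back to default deny.
function parseConsent(raw, now = Date.now()) {
  const out = defaultConsent();
  if (typeof raw !== "string" || raw === "") return out;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return out; }
  if (!rec || rec.version !== 1 || typeof rec.timestamp !== "number") return out;
  if (now - rec.timestamp > CONSENT_MAX_AGE_MS) return out; // stale consent: ask again
  out.timestamp = rec.timestamp;
  for (const c of CATEGORIES) {
    if (c === "necessary") continue;
    // Only an explicit boolean true counts as consent; "true", 1 or undefined do not.
    out.categories[c] = !!rec.categories && rec.categories[c] === true;
  }
  return out;
}

// Serialise the user's banner choice. Categories not mentioned stay denied.
function recordConsent(choices, now = Date.now()) {
  const rec = defaultConsent();
  rec.timestamp = now;
  for (const c of CATEGORIES) {
    if (c === "necessary") continue;
    rec.categories[c] = choices[c] === true;
  }
  return JSON.stringify(rec);
}

// Each third-party tag declares the category it belongs to (hostnames are placeholders).
const TAGS = [
  { src: "analytics.example/ga.js", category: "analytics" },
  { src: "ads.example/pixel.js", category: "marketing" },
];

// Load only the tags whose category is granted. The loader is injected so the
// decision logic can be exercised outside a browser. Returns the sources loaded.
function loadPermittedTags(consent, loader, tags = TAGS) {
  const loaded = [];
  for (const tag of tags) {
    if (consent.categories[tag.category] === true) {
      loader(tag.src);
      loaded.push(tag.src);
    }
  }
  return loaded;
}

// Browser wiring: append a <script> element for each permitted tag. Runs only in a page.
function browserLoader(src) {
  const s = document.createElement("script");
  s.src = "https://" + src;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  // On page load: read the stored record; no tracking cookie is set before consent.
  loadPermittedTags(parseConsent(localStorage.getItem("consent")), browserLoader);
  // In the banner's "Save" handler, with the user's per-category choices:
  //   localStorage.setItem("consent", recordConsent({ analytics: true, marketing: false }));
  //   loadPermittedTags(parseConsent(localStorage.getItem("consent")), browserLoader);
}
```

The same serialised record can be posted to your server and stored with its timestamp as evidence of consent; the age check forces a fresh ask rather than silently treating an old record as current, and rejecting a malformed record rather than repairing it means a tampered or truncated cookie can never widen what is loaded.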

Checklist


  1. Identify and document a lawful basis for every processing activity, and collect valid consent where that is the basis
  2. Publish a clear, up-to-date privacy policy
  3. Allow users to easily opt out of marketing
  4. Respond to access, correction, or deletion requests within one month
  5. Collect only necessary data
  6. Enforce data retention limits
  7. Use secure systems and train staff
  8. Document all data processing activities (a record of processing activities)
  9. Be prepared to report breaches to the ICO or EU body within 72 hours of becoming aware
  10. If required, appoint a UK or EU representative


Final Thoughts

Whether you're subject to EU GDPR, UK GDPR, or both, the burden of compliance is real—but so are the benefits. Clear privacy practices help you build trust, avoid reputational risks, and stay on the right side of the law.

Getting compliant might require revisiting your forms, policies, systems, and marketing processes, but it's also an opportunity to tighten your operations and demonstrate respect for customer rights.

In short, privacy is good business, and Webcraft is here to help. Contact us to learn about the solutions we provide to automate compliance and help you stay compliant efficiently.