
A Basic Guide to GDPR for SMEs

If you are reading this, you are probably aware that Data Protection Laws are changing on 25th May 2018 – less than 2 months away! While many people are worried about the new regulations, we are here to assure you that there is no need to panic! Many companies may even be complying with many of the new laws already.

For a small company, complying with GDPR can feel particularly daunting, so we have put together a short guide to help you get started. The purpose of this guide is to assist you with the initial steps to prepare you for the 25th May. Much of this information is pulled directly from the Information Commissioner’s Office (ICO) guidelines – but hopefully, we have clarified it and presented you with real-world solutions that you can directly incorporate into your company or organisation.

Just to be clear, this guide should not be your only reference when it comes to complying with GDPR. While this is a great place to begin for SMEs, you must also do your own research when it comes to your organisation’s specific case. If you’d like to chat to us further about how we can help you prepare, please get in touch here



So, let’s start by going back to basics. What exactly do the new laws mean by ‘personal data’?

The ICO defines ‘personal data’ as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

But what does this mean in practice? Very simply, data is any information you collect on any individual directly or indirectly. Data could come in the form of an email address, phone number, an IP address, the individual’s interests such as whether they like ice cream or pizza… you get the picture.

Data includes cookies on your website, any online forms that are collecting information, and data you collect using third party apps such as Google Analytics or MailChimp. 



You must have a lawful basis for processing data. There are 6 lawful bases and you must fall into one category (and include it in your privacy notice).

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)




Very simply, you should make the appropriate parties aware of GDPR changes within your organisation or company.

This means that anyone who is responsible for or party to collecting data on behalf of the company will need to understand how their responsibilities will change.



A good place to start is to identify the information and data that you collect, who you share it with and how/if you record it. This includes any data you have collected by non-traditional avenues (i.e. not via a form that has been filled out on your website).

The ICO draws your attention to any data you have collected in the following ways:

– observed, by tracking people online or by smart devices
– derived from combining other data sets; or
– inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases in order to profile people for example in terms of their credit risk, state of health or suitability for a job.



It is a good idea to put your privacy notice clearly on your website if you have not already done so, and review the information you have detailed in your privacy notice. It is worth spending time on this since you can refer any data protection queries to this page in future.

You must ensure your privacy notices are transparent which means they answer these questions clearly:

– What information is being collected?
– Who is collecting it?
– How is it collected?
– Why is it being collected?
– How will it be used?
– Who will it be shared with?
– What will be the effect of this on the individuals concerned?
– Is the intended use likely to cause individuals to object or complain?

Or more simply:

– who you are;
– what you are going to do with their information; and
– who it will be shared with

You may also want to include the lawful basis you have for processing data.

This should be provided in clear, concise, easy-to-understand language.

Online is not the only way you can communicate your privacy notice. If you are going to a conference, for example, and intend to collect email addresses for your e-newsletter, there are other options of communicating your privacy notice.

Your privacy notice can be communicated:

– Orally, face to face or when you speak to someone on the telephone (make sure to document this with a date and signature).
– In writing – printed media; printed adverts; forms, such as financial applications or job application forms.
– Through signage – for example an information poster in a public area.
– Electronically – in text messages; on websites; in emails; in mobile apps.

Just ensure you keep records of how each individual received your privacy notice!



These rights include:

– the right to be informed;
– the right of access;
– the right to rectification;
– the right to erasure;
– the right to restrict processing;
– the right to data portability;
– the right to object; and
– the right not to be subject to automated decision-making including profiling

This means that you must clearly give individuals the choice in how their data is being used. They will have the right to amend or delete their records and you must be able to comply.

At this point, you must ask yourself: can you locate and delete an individual’s data if it is requested? If requested, can you provide an individual with a report detailing how and when their data has been used historically?



If an individual requests for you to send them a report on how their data has been used or for their data to be deleted, you will have one month to comply with this request.

The good news is that if a request is unfounded or excessive, you can refuse to comply. If you do refuse, however, you must do so within a month and give a clear explanation as to why.



You will need to review and refresh your consent processes if they do not comply with GDPR laws.

The first thing you must consider is which lawful basis you are operating under to process an individual’s data. In many cases, this will mean that if you are unable to locate and document how/when you gained consent to use an individual’s data, you must ask them for their consent again.

If you have been seeking permission to use an individual’s data and recording it in a way that already complies with GDPR, then you do not have to re-seek permission from your existing email list.

Keep in mind that consent must be given with a positive opt-in. In other words, a pre-ticked box, or equivalent silence, will not be acceptable, and consent must be given separately from your terms and conditions.

When asking for consent, include:

– the name of your organisation;
– the name of any third party controllers who will rely on the consent;
– why you want the data;
– what you will do with it; and
– that individuals can withdraw consent at any time



If you are processing personal data of children, you will need to take extra care and read the guidelines carefully. Largely, the laws around children’s data protection are the same as they are for adults; however, clarity and transparency should be central to all of your data processes.

If your lawful basis relies on consent, you will need to be aware that only children over the age of 13 years old are able to provide their own consent. Otherwise, you will need the consent of their parent or guardian (although there are mitigations for this).




You must designate a Data Protection Officer (DPO) if you are:

– a public authority (except for courts acting in their judicial capacity);
– an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
– an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions

If you do have to designate a DPO, ensure you research the responsibilities of this individual.


Please note that this article represents the views of the author solely, and is not intended to constitute legal advice.



Social media is an online stream of content that facilitates the creation and sharing of ideas, whether it be in the form of images, text, videos, gifs, an infographic or anything else available online. Billions of people around the world are searching for interesting and engaging information about the things they love, want or need.

Although there are many social media platforms, the ones which harness the largest online communities are Facebook, Twitter, Instagram, Pinterest and Google+


Facebook – 1.79 billion active users
Facebook – 3.2 billion likes per day

Twitter – 317 million active users

Instagram – 500 million active users
Instagram – 3.5 billion likes per day

Pinterest – 170 million active users
Pinterest – 5 million pins per day

Google+ – 1.4 billion active users


The social streams were all developed for one purpose: to enable users to find like-minded people and share content. For a business, this is a sales dream come true. If you sell a specific product – let’s say iPhone cases – then you will be able to find large communities of people worldwide who are interested in iPhone cases.

With over 1.8 billion Facebook users, your product or service could be very niche and yet, you will still be able to find the communities who are interested in what you do. Social media is not about how big it is or about how many people are on it, it is about how specific it can be. The world is a big place, full of people with different interests, needs and desires. Social media allows you access to them.

If you build a following of interested users, you can advertise your service or product to them multiple times a day at no cost. This becomes a serious consideration if your following surpasses 10K. Print publications would charge over £800 for advertising space at a similar distribution!

And the more targeted you are in building your community, the better the results. If you are successful with your content, then you can build brand advocacy resulting in others sharing and recommending your content to their following.


Social media is actually a surprisingly safe place. If your community growth and content strategy is tactful then the responses will generally be very positive. We hear of many people worried about getting negative feedback or ‘trolls’ causing problems. The general rule of thumb with ‘trolls’ is to ignore the bad and praise the good.

Social streams move very fast. If you make a mistake, your audience will have moved on and forgotten it by the next day – so don’t draw attention to it. If there is a genuine problem, look to resolve it elsewhere (email, direct message, telephone or in person) and then release the successful resolution story in a positive way. The more positivity you put out there, the more you will receive!

Loughton Contracts – Community Management




Loughton is one of the UK’s leading flooring contractors.

Their ambition was to increase their reputation online within the market and build stronger relationships with clients, contractors, suppliers & manufacturers.


15.5K growth in Twitter followers in 10 months

Their content currently reaches over 4 million people per month

The total campaign reach was 40,561,626 people

Cannatella and Colletti – Community Management


Instagram – @cannatella_colletti

Twitter – @CannaColletti


Cannatella and Colletti produce carefully crafted sauces from traditional Italian recipes, conscientiously cultivated in the UK. Their authentic sauces are available on Ocado:

They came to us with the goal of expanding their online reputation among consumers.


Working within the budget that suited them, we started a Twitter and Instagram account for Cannatella & Colletti. We worked closely with them to understand their brand, their brand persona and brand message, and built a long-term social media content plan to achieve their goals.


We manage the content and community growth of both accounts on a long term basis. Our results so far include:

Gained 2.4K followers on Instagram in one month

Received 18,128 likes on Instagram in three months

Reached 2.1 million people on Twitter in three months


Consulting Market Traders – Community Management


Twitter – @infotradingreal


Consulting Market Traders provide real, hands-on learning for anyone in or out of the trading industry. They strive to break the mould of the trading world and turn it into an honest successful industry using the right tools, the right techniques and the right education. 

CMT came to us to help them grow their social media following to allow them to spread their message more widely.


Gained 3.8K followers on Twitter in one month

Gained 1.5K followers on Instagram in one month

Reached 624,000 people and received 4.2K likes in a month

PMSL – Campaign Management


Twitter – @pmsldotcom
Instagram – @pmsldotcom


PMSL is a popular culture news channel. Its key purpose is to attract young audiences by providing entertaining content. Their primary goal is to increase the visitor numbers to their website in order to justify increasing the advertising revenue generated.


We suggested our Campaign Management service to assist with their goals. Working closely with the PMSL team, we put together a social media plan that would target a large audience and produce shareable humorous content including gifs, videos and images. We managed the follower growth and content across Twitter, Instagram and Facebook.


Traffic to the site increased from an average of 34 visitors per day to 604 visitors per day in just two months

Gained 5,025 followers on all channels in two months

Reached 194,870 people in one month

Chester Barrie – Campaign Management



Chester Barrie is a made-to-measure men’s clothing brand and one of the leaders of Savile Row tailoring. They wanted help launching their new collection – London Collections Men – on social media.


We commenced a targeted and multi-platform social media campaign. We launched the official Chester Barrie Instagram account, live-tweeted from their fashion week events, engaged with key influencers in the fashion world and pushed awareness through advocates.



As a result of this campaign, Chester Barrie gained 1.2K followers on Twitter in one week and 1.1K followers on Instagram.

The campaign received a great response from fashion industry figures, including David Gandy, and contributed significantly to the successful launch of Chester Barrie’s new menswear line.