...and how it affects you

Main Content Area

Main Articles

First Things First!

Any person, business or organisation that keeps data that can be traced to an individual, needs to be registered with The Data Protection Register at The registration process involves stating what your business does and how you intend to make use of collected data. There is small fee associated with registration, which is based on the number of employees of the registrant; for ourselves and most of our clients, the fee will be £35.

View Betton Design’s Data Protection Registration


What is all the fuss about?

In a word - accountability. It is a common fact that our strengths can often be our weaknesses and this has shown to be the case with direct marketing techniques. Factors, such as its potential, effectiveness, affordability and reach, which have made direct marketing so valuable and essential to progressive and ethical business, have also been the incentives, which have motivated unethical, scamming and often ‘fly by night’ businesses to adopt this approach to ‘relieve’ people of their hard earned cash.

The perfect storm is created when direct marketing techniques are combined with unethically sourced data, individuals are targeted by unscrupulous businesses and their right to privacy is ignored. So to clean things up, from 25th May 2018, General Data Protection and Regulations (GDPR) will come into force.

What are the objectives?

  1. Establish clear regulatory guidelines for responsible direct marketing
  2. Insist upon auditable and transparency data management processes
  3. Insist upon clear communication between Data Controllers, Data Processors and customers, using concise plain language
  4. Insist that Data Controllers have a legal basis for processing personal data
  5. Police Data Controllers and Data Processors who fall short of compliance with the GDPR and
  6. Protect the individual’s right to privacy - providing a clear channel to control unwanted marketing

Some Definitions

Data Controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller shall be responsible for, and be able to demonstrate, compliance with the principles of GDPR - Basically the majority if not all businesses.

Data Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Typically a business that acts on a data controller’s instruction to distribute a mailout to the data controller’s database.

Some Examples

If Betton Design ask a 3rd party mailing house to post out a Christmas card to the Betton Design database, then Betton Design would be the Data Controller and the mailing house would be the Data Processor.

If Betton Design sends an email campaign out to it’s own client database, despite processing the data, Betton Design would still be the Data Controller.

If Betton Design is asked by one of its clients to build an eShot (email campaign) to send to the client’s database, then Betton Design's client is the Data Controller and Betton Design would be the Data Processor.

The relationship between Data Controller and Data Processor

Running through the core of GDPR is transparency and compliance. A Data Processor will need to demonstrate that they are compliant, importantly though, the converse is also true, before a Data Processor can carry out work for a Data Controller, a contract will be required, in which the DC will need to confirm that they are also compliant. Without the contract, the work cannot be undertaken.

Who will be affected?

Pretty much all business entities - whether a sole trader, partnership, limited company, PLC or a public sector organisation, each entity will be held responsible for its compliance with GDPR and so each entity needs to take action in advance of 25th May 2018.

What are the benefits to your business?

  1. Improved business reputation - ethical/legitimate
  2. Increased customer confidence - Good PR
  3. Improved data - more poignant
  4. Improved security - better informed and trained staff

What are the potential consequences of non-compliance?

  1. Risk of irritating your potential customers
  2. Risk of damaging a hard earned reputation
  3. Risk of scrutiny
  4. Risk of alienation from clients and prospective clients
  5. Risk of significant fines

Some Reference

  1. Read this guide to GDPR created by the ICO - this document outlines a 12 stage plan to achieve compliance with the GDPR.
  2. For more information about your responsibilities as a Data Controller, please refer to Key Definitions

Betton Design offer a full email marketing service, from design and build to email delivery.

View our email marketing information or enquire now to find out more.


It will be in force on 25th May 2018.
The UK will retain the GDPR post-Brexit.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
It applies to all companies processing and holding the personal data regardless of the company’s location.
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or £17 Million. This is the maximum fine that can be imposed for the most serious infringements.
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Consent must be clear and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​ Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.
The GDPR imposes a legal obligation on both parties to formalise their working relationship. Aside from the legal requirements, this makes practical and commercial sense and it will:
  1. Establish that the data being processed is compliant
  2. Establish the requirement of conformity to the GDPR by both parties.
  3. Establish an understanding of the obligations, responsibilities and liabilities - helping all parties to be compliant with the GDPR
  4. Demonstrate that both parties are clear about their role in respect of the personal data that is being processed
  5. Help the Data Processor demonstrate that they are compliant
Over the last few months, we have been working in the background to move towards compliance - there are 2 services that we offer, which have needed particularly attention, these being:
  1. Our bespoke HTML Emailing Marketing Service and
  2. Our Content Management System (CMS) Website Hosting provision

GDPR Disclaimer
The GDPR related information contained within Betton Design Ltd website does not in any way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.