The questions that have been asked, what you should be asking and what you should be doing!

What should be in my privacy policy?

It should start with your Company name, location, contact information and at least the following;

  • What information you’re collecting from them; including names, email addresses, IP addresses (cookies), and any other information;
  • How you’re collecting their information, and what you’re going to use it for;
  • How you’re protecting the data;
  • Whether or not it’s optional for them to share that information, how they can opt-out and the consequences of doing so;
  • Any third-party services you’re using to collect, process, or store that information (such as an email newsletter service, or advertising network).
Proof of consent – what should be included?

GDPR is all about proving you have the consent to hold someone’s details, aim to have:

  • A timestamp of subscriber consent (time, date, location)
  • The source of the opt-in (website, social media, etc.)
  • Proof of opt-in form used to obtain consent (this can be as simple as a screen shot)

Consent can also be through; contract, legal obligation, vital interests, public task, or legitimate interests. For email marketing, consent is the most common legal ground. 

‘Legitimate interest’ – what is it?

This basically means that you have a relationship with the customer and to carry out your service, it is expected that you carry out data processing.

Can people subscribe just by entering email without ticking a checkbox?

So long as you are asking them to consent to one thing, such as receiving your newsletter.

Emailing revalidation emails after May 25th – is that okay?

Unfortunately this is an unclear area, I have come across many companies doing this -but- I have also witnessed the backlash they have received from this. My opinion? It’s better to be safe than sorry so I wouldn’t contact them unless you can prove that it is a ‘soft opt-in’

Subscribers who didn’t revalidate – is that game over?

GDPR is all about giving the customer the “Right to be forgotten”, however, if they have previously consented in some way (i.e supplies their contact details, submitted a form…) and have been given the chance to unsubscribe but haven’t, then you can contact them. However, you must always give them the option to opt-out. 

People contacting for more information – is that consent?

If your newsletter provides product/service information then you are most likely able to rely on legitimate interest as legal ground.

E-newsletters to my customers – can I do it?

If your subscribers are your customers then they should somewhat expect you to use their data in that way.

B2B? Can you contact other companies for potential business?

Business contact information represents a legal entity and therefore GDPR wouldn’t apply.

Access to personal data

If you have someone’s information, you need to make sure it is safe, protected and accessible. You have to be able to supply your customer with this details in a format they can read and you can export – e.g a PDF. 

What are the consequences?

It all depends on the case – there could be fines or temporary or permanent ban on data processing or a suspension of data use. 

Violated data but it’s not your fault as you’ve been hacked?

You have 72 hours after having become aware of it to notify the personal data breach to the supervisory authority.


Either give people the option to opt out or “Accept” cookies, don’t assume that just because they are on your site, they have given you permission. 


Please note this is not legally binding and solely WMiW’s opinion on the matter.