3 Reliable Steps to Ensure the OPCC is GDPR ready

Posted on February 6, 2018

On 25th May 2018, the General Data Protection Regulation (GDPR) will come into effect throughout the UK. This new ruling marks a huge change for the way data is collected, handled, and stored for marketing and communication purposes, and applies to anyone who uses or collects data for specific purposes. Just in case you’re not yet up to speed on this new legislation, we’ve put together a summary to help you get properly prepared.

What is GDPR in a nutshell?

The main aim of GDPR is to reduce the misuse of data. Buying and selling mailing lists, data mining, and spam email are all common problems and have been deemed breaches of privacy. The GDPR rules that any personal data collected (names, email addresses, postal addresses, and more) can only be recorded if consent is given, and this consent must be collected and verified. Only after you have recorded consent can you process the data you have been granted access to. Processing the data could be sending out promotional materials, email newsletters, text message alerts and more.

Consent must also be actively given, rather than passively assumed. For example, a user would have to physically click a box saying that they agree to their data being collected and used for communication purposes, rather than this being assumed as part of a terms and conditions agreement.

It must also be very clear what the user is agreeing to – you must explicitly state for what purposes the data will be used to ensure there is complete clarity. Organisations will be required to keep up-to-date records of when consent was given, and these must be securely stored for data protection purposes.

How does this affect the OPCC?

For OPCCs, many key forms of communication to the public will be affected when GDPR comes into force. It’s important to bear in mind that there is no grace period following the introduction of GDPR, so everyone must be ready come the 25th May. The top things you’ll need to do are:

Assign a Data Protection Officer. This could already fall under an individual’s job description, or it may require a new position, or for the duties to be divided between a few different members of staff. The Data Protection Officer is responsible for ensuring that the organisation is compliant with the GDPR, for example making sure data is being recorded and stored securely and that communications issued are compliant with the consent that has been given.

Review and gain consent for any data you have collected. It’s very likely that the majority of data you have recorded will become obsolete, so look for ways you can reach out to your audience and gain their consent following the introduction of GDPR. Many mailing services such as MailChimp are offering templates for campaigns to help you send out the right message.

Introduce a system for recording and storing personal data and consent. This could be a password-protected spreadsheet or encrypted cloud system. You must have records of when consent was given and for what purposes, so you can prove this in cases of disputes around misuse of personal data. An example of a reliable system to use might include our very own software: glowt. 


Introducing GDPR compliant practices to your organisation may seem like a daunting task. Our team can advise on best practice and offer solutions to help with storing data – contact us for a discussion or chat about how to move forward: https://publicsector.agency/contact-us/