• Careers
  • Contact Us

Is Your Family Business Data Compliant?

on Thursday, 11 May 2017.

There have been some recent developments around data protection law. What are they and what do you need to do?

Marketing Compliance

The ICO (the data protection and privacy regulator) is taking a very robust line in relation to marketing as evidenced by its recent enforcement action and guidance.

You should ensure that your marketing practices comply with data protection law. It is also worth keeping in mind that the definition of marketing is very broad. It goes beyond selling products. As such, an email to a customer telling them about the plans for your business or products is likely to count as marketing.

When carrying out marketing you should keep the following in mind:


You should ensure that individuals are told how their personal data is used for marketing purposes. This should be done via the appropriate privacy notice.


Some fundraising practices require consent. It is usually unlawful to send a marketing email or text unless the recipient has consented. Consent must be freely given, specific and informed. It must also be accompanied by a positive action. As such, a statement such as "You consent to us sending you marketing emails. Please email us to opt out." is not valid consent by any standards.

In order to cover off the transparency and consent requirements, we envisage more family businesses using 'opt in' tick boxes to obtain consent as appropriate with a detailed description of how personal data is used for marketing purposes.

In respect of emails and texts an alternative to consent is what is known as the 'soft opt in'. This provides that you do not need consent to send marketing emails or texts where:

  • you have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person
  • you are only marketing your similar products or services
  • you have given the recipient a simple means of opting out, both when first collecting the details and in every message after that

Existing Data

Even if you are satisfied that your family business has a compliant privacy notice/consent form in place going forward, you will also have to consider what steps to take to make your existing database compliant.

New Regulations

The General Data Protection Regulation (GPDR) will replace the Data Protection Act from 25 May 2018. Although implementation is still over a year away, you should be taking steps now to ensure that you are compliant.

  • Review information security arrangements to check that they meet the standards required by the GDPR
  • Check policies and procedures for GDPR compliance
  • Consider how to meet the requirement under the GDPR that all businesses must be able to evidence compliance with data protection law
  • Update privacy notices which will require additional information to be included. Eg, under the GDPR, individuals must be told about their right to complain to the ICO


Emails are particularly vulnerable to sophisticated cyberattacks. Eg, a fraudster might intercept an email from a supplier to your family business and replace the supplier's bank details with their own. Another common attack involves the fraudster sending an email to customers requesting payment of invoices, but again, the payment details are the fraudster's and not the family business's.

Family businesses should take steps to ensure that they are adequately protected against such risks. This includes:

  • checking that your IT systems are sufficiently robust so as to prevent your business systems and email accounts from becoming compromised
  • training staff to be vigilant and how to spot the risks (such as suspicious emails)
  • considering whether your current practices are secure - is it really appropriate to send the business's bank details to customers via email?
  • having a security breach action plan in place - this can be used as a checklist so that your business can respond quickly should a breach occur

How Can We Help?

We can assist with all aspects of data protection compliance including with the issues set out above.

For further information, please contact Andrew Gallie in our Family Business team on 0117 314 5623 or Claire Hall on 0117 314 5279.

Leave a comment

You are commenting as guest.