Part 5: GDPR and managing a ‘do not contact’ list

In this series of blogs on GDPR, I’m helping small businesses understand what this change in our data protection law will mean for them and also share tips and advice I’ve found useful for my own business, Sayers Solutions – Marketing and Strategy for Small Businesses.

To recap, GDPR stands for General Data Protection Regulation and will replace our current data protection laws from 25th May 2018. It is the biggest change to our data protection laws for over 20 years and is being introduced to strengthen EU citizens’ privacy rights.

What is a ‘do not contact’ list?
Before making business communications you should always refer to your ‘do not contact’ list. A ‘do not contact’ list contains people who have opted not to be contacted by you or have unsubscribed from your mailing list, as well as people you have opted not to contact (for example clients you don’t wish to work with again, people who have failed credit checks or perhaps someone with a conflict of interest).

I find that the ‘do not contact’ list is one of the trickier parts of compliance. Having records on your system marked ‘do not contact’ increases the risk of accidental human error – I am sure we’ve all taken that phone call or seen an email list after the campaign has gone out and noticed someone we didn’t want to connect with.

As a business owner, you also need to think about the consequence of a disgruntled employee taking a copy of the list for themselves. Or any of your data for that matter … but that’s another subject I don’t intend to tackle here.

But to ensure that you do not repeatedly contact people that do not want to be contacted, and to comply with GDPR, it is recommended that you manage a ‘do not contact’ list.

Under GDPR, the reason an organisation is processing data must be transparent and granular. This means letting the data subject know exactly what they are subscribing to and getting specific consent for specific things (vague or blanket consent will no longer be enough).

Email marketing services, like Mailchimp, manage your email lists and do not let communications be sent to those who have unsubscribed from your mailing list. Email services like this do not let you send emails out without the ‘unsubscribe’ link included. If someone clicks this link, they will be unsubscribed from your mailing list, and future emails through that email service will not be sent to them.

However, it would be ideal to also offer ‘unsubscribers’ the ability to review their preferences for how their data is processed by your company. When someone unsubscribes from your mailing list it might not mean they don’t want to ‘buy’ from you in the future or don’t want you to contact them again. They might just want to vary the frequency or types of communication. It’s therefore a good idea to outline what unsubscribing means and offer a way of updating their preferences and choosing what they do want to continue to receive from you.

A good example was noted in the article on eConsultancy (2017) that demonstrated the Guardian’s efforts to allow users the right to erasure: “When you do this from within your account settings, there’s lots of clear information about how it will affect everything from the comments you have made to any paid subscriptions you have in place.”

Further to unsubscribing, there is the request for erasure, where the data subject can request that their data be deleted. And this is the tricky bit – well, at least in my head at the moment – you must also have a record of the deleted record.

Of course, when there is a contractual obligation, the data subject does not always have the right of erasure. If you think you want to give this further thought, I would suggest you check your contract and seek legal guidance.

Email marketing services also have the ability to bulk unsubscribe individuals as well as subscribe. Before sending a mailshot, the ‘do not contact’ list should be uploaded, which will remove contacts that don’t want to be contacted from your mailing list, before the email campaign is sent.
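The same check can be run on your own exports before anything is uploaded. The script below is an added example, not part of the original post: it holds back every address that appears on the ‘do not contact’ list, matching on a keyed hash so that an erased contact can remain on the list without the address itself being kept. The column names, the key and the sample rows are all constructed assumptions.

```python
import csv
import hashlib
import hmac
import io

# Assumption: a secret kept separate from the contact data (constructed value).
SUPPRESSION_KEY = b"constructed-example-key"

def normalise(email):
    """Trim and lower-case so ' Bob@Example.org ' matches 'bob@example.org'."""
    return email.strip().lower()

def fingerprint(email, key=SUPPRESSION_KEY):
    """Keyed SHA-256 of the address: an erased contact can stay on the
    'do not contact' list without the address itself being stored."""
    return hmac.new(key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()

def load_suppressed(do_not_contact_csv):
    """Return the fingerprints of every address on the 'do not contact' export."""
    rows = csv.DictReader(io.StringIO(do_not_contact_csv))
    return {fingerprint(r["email"]) for r in rows if r["email"].strip()}

def filter_campaign(mailing_csv, suppressed):
    """Split a campaign list into (rows to send, rows held back)."""
    send, held = [], []
    for row in csv.DictReader(io.StringIO(mailing_csv)):
        target = held if fingerprint(row["email"]) in suppressed else send
        target.append(row)
    return send, held

# Constructed sample exports; the column names are assumptions.
DO_NOT_CONTACT = (
    "email,reason\n"
    "alice@example.com,unsubscribed\n"
    " Bob@Example.org ,failed credit check\n"
)
MAILING_LIST = (
    "name,email\n"
    "Alice,Alice@example.com\n"
    "Bob,bob@example.org\n"
    "Cara,cara@example.net\n"
)

if __name__ == "__main__":
    send, held = filter_campaign(MAILING_LIST, load_suppressed(DO_NOT_CONTACT))
    print("send to:", [r["email"] for r in send])
    print("held back:", [r["name"] for r in held])
```

Matching on the normalised address is what catches the same person entered with different capitalisation or stray spaces, which is the usual way a suppressed contact slips back into a campaign.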

Another way that businesses can keep their data tidy is to securely delete unnecessary data, including those spreadsheets that are exported from systems to be filtered and drilled for information and reports, potentially imported into other systems, but then go out of date. At Sayers Solutions I recommend to clients that they at least make sure they delete the personally identifiable data elements that are not necessary.

To enable you to do this, I suggest that when you export and save files, you make sure you add or change the date of the file, e.g. 01042018. Similarly, I would recommend you date stamp business cards and other permission slips. At Sayers Solutions, I suggest that you write on the card when and where you met the person – maybe marking whether and why you might want to contact them – and then mark where you have uploaded the data to.

Look out for my next blog covering GDPR and the notion of do no harm.


If you would like to discuss your GDPR compliance, or any other marketing activity, then please get in touch.  Sayers Solutions are well connected with experts on this matter and would love to help support your business.

If you want to arrange a conversation, we can chat over the phone or potentially Skype. Give me a ring on 07790705223 during reasonable business hours (yours might be more generous than mine, so please don’t ring too early! #SchoolRunMum).

If you are in the Huddersfield/Wakefield/Leeds area let’s arrange to meet to discuss this or your marketing activity further.

Or email me through the website contact form


Merewyn Sayers
Sayers Solutions – Small Business Marketing and Strategy