How Strict Data Protection Laws in the U.K. Can Affect Your Business

How Strict Data Protection Laws in the U.K. Can Affect Your Business

When reading the likes of XBIZ and words such as “permission,” “consent,” “controller” “enforcement” and “punishment” bandied about, you’d be forgiven for expecting a feature on BDSM or kink trends of some sort. I’m sad to be the bearer of disappointing news, but in this case, it’s not to be.

If you’re reading this article and you’re somewhere in the European Union, your various email inboxes will already have been bursting at the seams over the past few weeks as all sorts of organizations went into panic mode as GDPR day — May 25 — came closer. In the U.K., one day before the GDPR (General Data Protection Regulation) became enforceable, the Information Commissioner’s Office website actually crashed under the deluge of last minute requests for information and assistance.

And while great focus has been made regarding sex- and body-positivity, isn’t it hypocritical if a manufacturer or retailer espousing such values isn’t also “data-positive?’”

If you’re outside of the E.U. however, don’t automatically assume you’re absolved of any responsibility. If you’re holding any personal data of an E.U. citizen — whether suppliers, customers, employees — then you’re bound to adhere to the GDPR too, regardless of whether you’re based in Tampa, Tokyo, and everywhere in between.

So why is the GDPR important? Put simply, it gives consumers a number of rights regarding their personal data. These are: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and finally rights in relation to automated decision-making and profiling.

In practical terms, this includes websites now showing the correct cookie notifications with settings allowing visitors to select the cookies they wish installed for particular purposes. There also needs to be a fit-for-purpose privacy policy. You may also have to review any signup processes for mailing lists and the like (hint: double opt-in is good).

There’s also the back-office side of things to consider. Everything needs to be ship-shape vis-à-vis how data is stored, how secure it is, and which lawful basis is used for different types of data. While there are several different lawful bases to process customer data, the most common ones employed will be those of: “contract”; “consent”; and “legitimate interest.”

In practical terms, sales enquiries or customer transaction details will obviously come under “contract.” If you offer a newsletter and your website visitors can sign up to receive it, then this falls under “consent” (Believe me, I wish I could have peppered this month’s column with more enjoyable plays on words, but suffice to say there’s no kinky Christian Grey motifs when it comes to the matter of consent). And while we’re talking about this, ensure there’s a double opt-in subscription and verification process.

If like me, you use popular apps such as MailChimp for your newsletters and other mailings, you probably can’t have missed their numerous notifications about it all. If you’re inputting E.U. citizen data into MailChimp then you’ll need an agreement in place between the two of you. Luckily, MailChimp have been very proactive on the matter of GDPR (they’ve always been big on consent and permission issues, even pre-GDPR) and there’s a whole gamut of relevant content on their website pertaining to this. And when it comes to the matter of the agreement, that’s outrageously simple to obtain as well, taking mere minutes for it to be arranged and emailed to you.

What about business development for B2B players? Some manufacturers and distributors may be feeling that with all this regulation concerning what they can and can’t do with data, prospecting or making connections is verboten. Relax, you can still hold and process this data under the lawful basis of “legitimate interest.” But in a similar vein do ensure you’re sourcing contact details and subsequently contacting them in the appropriate manner.

These words are of course no substitute for legal advice or the fine print of the new legislation. For English speakers, I’d urge you to read the introduction to the GDPR document produced by the Information Commissioner’s Office. Granted, it’s not the most entertaining PDF file you’ll read, but it is straightforward and fairly easy to understand. But read it you should. Furthermore, if you are holding and processing personal data such as sexual orientation, behavior, or relationship status, this requires additional attention.

These are of course merely some of the overt measures that are required of you. And not just required, but expected of you too, from clued up, privacy-conscious carnal consumers. Much as consumers are avoiding sketchy websites devoid of brand personality they may well be now using another key criterion as to whether to spend any more time on your website: your privacy policy (or lack of one) and commitment to robust data storage and proportionate processing.

Of course, if you’ve just become aware of this, and it all seems overwhelming, don’t panic.

Here in the U.K., the message apparently coming from the authorities is that they’d much rather have people make a commitment to compliancy — even if currently lacking in areas just now — and take appropriate steps in the right direction to achieve full compliance, rather than deliberately trying to avoid it all by pretending GDPR doesn’t exist. It does, and it’s here to stay. And while there are some serious fines (we’re talking about millions of Pounds or Euros) for offenders, this isn’t going to come out of the blue. Warnings and reprimands will be the first stages in enforcement.

Of course there will be businesses who will — unfortunately — be inclined to try and stay below the radar. But is this a worthwhile strategy to take? I guess it depends. How much trade comes from within the E.U.? If it’s hardly anything and you think you can recoup this from increased domestic or non-E.U. based transactions, perhaps there’s something to be said for blocking your website to web visitors from those areas and deleting any affected customer data already held.

But, what kind of a signal does such an approach say to the industry in general and to potential customers — wherever they may be? That your back office admin is a mess? That your data policy is non-existent? That customer details lack appropriate protection and security? In the absence of anything more visible or reassuring, this may become the default attitude.

In conclusion, if customers are choosing to purchase products from your company, surely the least you can do is ensure their data is accurate and secure? And while great focus has been made regarding sex- and body-positivity, isn’t it hypocritical if a manufacturer or retailer espousing such values isn’t also “data-positive?”

Furthermore, it’s no over-exaggeration to state that erotic and adult sectors are often targets for various social and political pressure groups and campaigners. Far be it for me to paint a dour and cynical outlook on things, but it’s also not a complete stretch to imagine such groups looking to cause trouble by making complaints about the lack of privacy policies or insufficient cookie notifications on selected websites.

Given the choice of either an erotic retailing company or a local florist falling short on their data protection, which one do you think a newspaper editor will inherently focus on? Yep, you guessed right. So, if you’re sex-positive, get data-positive too. Start now as there’s no time to waste.

Brian Gray is the founder and head consultant at Lascivious Marketing, based in Glasgow, U.K. With two decades of marketing experience in a variety of roles and industry sectors, Gray helps manufacturers, wholesalers and retailers in the erotic industry improve their marketing performance through strong brand creation, better customer understanding and insight, tailored marketing planning and communications through focused effort. He was also the founder of the London Gathering networking events back in 2010.

Gray can be contacted at, found on Twitter @LasciviousMktng and or phoned on +44 (0)141 255 0769.

More Articles


WIA Profile: Loretta Goodling

Women In Adult ·

A Look at the Psychology of Color in Branding

Brian Gray ·

How to Open Up to Gaping

Rebecca Weinberg ·

WIA Profile: Veronique Verreault

Women In Adult ·

Q&A: COTR Founder Alicia Sinclair Reveals Official Rebranding

Ariana Rodriguez ·

Is Packaging Hurting Your Profit Margin?

RJ McCarthy ·
Show More