It has been hard to avoid the General Data Protection Regulations (GDPR), which came into force in May 2018. In the run up to the regulations coming in, our inboxes were full of emails asking for consent to remain on mailing lists. Even though such emails should have now subsided, it is not the end of the story. The reality is that the GDPR is still there, looking over shoulders at every turn, making sure organisations are treating personal data with the utmost care and attention.

Data protection expert Thomas Chartres-Moore, who is head of the food and drink team at Stephens Scown, outlines the traps that businesses should avoid along with tips to stay on the right side of the regulations.


  1. “The GDPR doesn’t apply to me”

This is, by far, one of the most common mistakes made by organisations; assuming that the new data protection regulations do not apply to them.

Regardless of your organisation, whether you’re a brewery, a firm of solicitors or a zoo, it’s a safe bet that you are holding some form of personal information about people. This could be subscribers from your website, contacts on your customer database or even just your employees. If you hold any names, addresses or other information that serves to identify a natural person, you will have to comply with the GDPR.

  1. Legitimate Interests may not always be “legitimate”

Just because someone likes beer, does not mean you have a “legitimate interest” under the GDPR to contact them.

Under the GDPR “consent is king” and generally without it any contact with other individuals may be subject to scrutiny. As such, a lot of people are relying on legitimate interests in order to justify contact, particularly for marketing purposes. Often this is done without paying any attention to whether or not their interests are legitimate under the GDPR.

If you get caught out by this, and you have not done the requisite checks to show that you have a legitimate interest, you will be falling foul of the regulations and therefore could be subject to a hefty fine.

  1. Not training your staff

This is one trap that most businesses can get caught by, not just breweries.

As the GDPR is all encompassing, simply implementing a privacy policy on your website will not be sufficient in the long run. If (or when) a compliance issue crops up within your organisation, the first question that the Information Commissioner’s Office is going to ask is: “what training have your staff received?”. If the answer you provide is any less than “a lot”, you are likely to find yourself in hot water.

The best thing you can do is make sure everyone in your organisation, from factory floor staff to admin staff and sales people, is fully up-to-speed. This should include training on the processes being put in place by your organisation, as well as full training on the GDPR and its implications.




Even though the introduction of the GDPR may now seem like a distant memory, and you are no longer being bombarded by reminders that it is there, does not mean it does not still apply and that you do not have to comply with it. The key here, even if you have not taken any steps towards to compliance yet, is not to panic.

The Information Commissioner’s Office (ICO) is becoming more vigilant in respect of non-compliant organisations, but there is still time, however you need to approach it methodically. Make sure you map your data (see the next tip) to make you slightly more informed about the situation you are in with the data you hold. From there you can make a plan of how to approach data protection.

Ultimately, once you start on the road to compliance, being able to show that you are working on it will be more productive than not attempting it at all.

  1. Stay on top of the data you hold

The first step to dealing with the GDPR is to get a proper handle on the type and extent of data that you hold or process within your organisation. If you haven’t done this yet, it needs to be done without delay. Without it, you can’t move forward with your compliance.

It can be a long process, but it is one that is imperative in the eyes of the ICO.

Conversely, if you already did this in the run up to the GDPR coming into force on 25th May 2018, it is likely that data has grown or changed. As such, it is advisable to review the mapping procedure which you undertook all those months ago. It may be the case that, following a review, you need to reassess some of your policies and procedures.

It is vital to keep on top of this.

3. Don’t put it off

The GDPR is always watching, through its many different guises; be it an officious ICO employee, or a vexatious customer. If any of them deem you to not be complying, they will catch you out and your organisation could face a hefty fine and significant reputational damage, so the worst thing you can do is bury your head in the sand.

Make a start; show that you are attempting to comply, and if you already have, then don’t stop there.

So many businesses made some attempts at compliance in a rush before the regulations came into force and now have not looked a those attempts in months; consequently they have fallen behind or don’t realise that what they started was not sufficient.

Businesses that conduct such reviews of their mapping and processes in order to aid their compliance will benefit elsewhere, often leading to new efficiencies within the organisation.

So whilst it may be an extra chore to take on, it can be extremely beneficial in the long run.

If you would like to discuss the implications of the GDPR on your food and drink business or would like help with your organisation’s compliance, please do not hesitate to contact Thomas Chartres-Moore who is an expert in data protection and head of Stephens Scown’s food and drink team on 01392 210700 or email