Your GDPR journey with ClientsFirst

On 25th May 2018, the new European privacy law, the General Data Protection Regulation (GDPR), came into effect. We have worked through our own GDPR obligations, which you should have also completed. You may have seen this blog we wrote to raise awareness of the new regulations to prepare you for your new obligations.

ClientsFirst’s role as your data processor

A processor (ClientsFirst) is responsible for processing personal data on behalf of a controller (your business). As your data processor, we are committed to supporting you in your GDPR journey. It is important to note that responsibility and liability for adhering to the GDPR guidelines are shared between your business and ClientsFirst.

We have in place internal processes and procedures to ensure we comply with GDPR, and review these on an ongoing basis.

Your role as the data controller

A controller (you) determines the purposes and means of processing personal data carried out by ClientsFirst. The ICO states that, where a processor (ClientsFirst) is involved, the GDPR places an obligation on you as the controller to ensure you have in place a written contract with processors which comply with the GDPR.

The contract should provide clarity so that both your business and ClientsFirst understand our responsibilities and liabilities in relation to the data being processed. The GDPR sets out what is required to be included in the contract. You may wish to refer to the ICO for guidance or seek legal advice when putting together your contract between ClientsFirst and your business.

We would recommend you take action now in relation to putting together such a contract. Once you have produced a contract in line with the GDPR guidance, please share it with us at the earliest opportunity to review, allowing plenty of time before May 2018, as we may have our own questions or queries before signing.

GDPR compliance

It’s important to note that while GDPR comes into effect from 25th May 2018 and all businesses who deal with personal data need to prepare now, this is just the beginning. A big part of GDPR involves businesses carrying out risk assessments and ensuring the right controls and measures are in place to protect the data held. Compliance doesn’t guarantee safety, but it will go a long way to mitigating risk. The GDPR journey for all businesses will involve carrying out the continuous improvement of processes and procedures beyond May 2018.


ClientsFirst have a long-standing relationship with a sub-processor called Dotmailer, whom we use when processing, on your behalf, the data held in your MailFirst account with us. Both ClientsFirst and our sub-processor have expert knowledge and procedures in place in order to protect your clients’ data held within MailFirst. In the lead-up to GDPR implementation, we will be providing helpful hints and tips to help you prepare, but you may wish to seek legal advice in order to ensure your business is fully GDPR ready for May 2018.

Good practice actions for you to take now include (but are not limited to) cleansing your data, putting in place processes to audit the data you hold, and reviewing how you obtained consent for the data you hold. You will need to invest time and effort, as well as reviewing your internal processes, in order to be ready for GDPR.

Website Hosting

ClientsFirst have a relationship with a sub-processor called WP Engine to host your website. ClientsFirst and WP Engine take the security of your website hosting and the personal data stored within your website content management system very seriously.

There are a number of best practice measures you can start to undertake now, such as (but not limited to) cleansing the data you hold in your website content management system and putting in place processes to audit the data you hold.

We want to make it straightforward for our clients to prepare for GDPR, so as soon as we have further tips about steps you may wish to take to get your website ready for GDPR, we will make these available to you. Equally, you may wish to seek your own legal or compliance guidance, and we will be happy to support the implementation of recommendations you wish to undertake.