Your GDPR Responsibilities

GDPR replaced the 1995 data protection law in the UK on 25th May 2018. It applies to any business that holds personal data in any way.

Every business is different and you need to assess your own data collection and storage practices, seek your own legal advice and ensure that your business is compliant with the GDPR by the deadline, 25th May 2018.

ClientsFirst GDPR compliance

We have worked through our own GDPR project plan and have followed the ‘Getting ready for the GDPR’ checklist hosted on the ICO website which you can see here.

Our project activities included (but were not limited to):

  • Reviewing the data we hold as a business
  • Documenting the lawful bases for processing this data
  • Auditing and updating our terms and conditions and privacy policies
  • Changing processes in line with the new GDPR requirements
  • Training staff where appropriate on GDPR best practices

As an agency, our relationship with our clients is as a data processor. This means that ClientsFirst and our sub-processors are responsible for processing personal data on behalf of a data controller (your business).

Our sub-processors

We work with a number of sub-processors, such as Dotmailer (which affects our MailFirst clients specifically), that will also ensure compliance from a software perspective. Please note that it is your responsibility to review data processes for the personal data held within this software.

Are you on track to be GDPR compliant?

As marketers, GDPR will have a big impact on how we approach our work, and yours. Many clients have come to us for advice to clarify whether their new processes would suffice in line with the new regulations. It’s important to reiterate that you must consult an attorney for advice on your interpretation of the GDPR data protection requirements and the accuracy of your understanding. We are happy to support you with putting processes in place; however, you are unable to rely on us to recommend a solution.

You may wish to refer to the ICO for guidance on your GDPR project. There is a checklist for Data Controllers which is designed to help you, as a data controller, assess your high-level compliance with data protection legislation. This should highlight where you are up to with your journey and what you have got left to look into to make sure you are on track.

You will need to invest time and effort in order to be ready for GDPR – please take the time to prioritise this and get in touch with us if you require help in putting processes in place prior to the deadline. ClientsFirst will not be able to work with clients who cannot assure us that the data they store is GDPR compliant.

How we can help

To further assist in putting processes in place, you may wish to look at MailFirst Advanced Training which will take you through the additional features and functionality MailFirst has to offer, such as: double opt-in, segmentation & preference centres, to name but a few.

As well as your email marketing communications, ClientsFirst will also be able to assist with alterations to your other data entry points such as website contact forms, newsletter sign-ups and landing page forms for any campaigns that you are currently running. Please get in touch with us to discuss your requirements and we will be happy to help.

Useful resources

Full text of the GDPR

Hubspot GDPR page

Dotmailer GDPR resources

Infographic: The GDPR and you

What Is GDPR And How Will It Affect Professional Services Firms?

GDPR: Are You Focussing Too Much On Consent?


Is ClientsFirst GDPR compliant?

We have completed our ICO data processor checklist and have an ongoing GDPR programme in place.

Is ClientsFirst a ‘data processor’ or a ‘data controller’?

As an agency, our relationship with our clients is as a data processor.

A processor (ClientsFirst) is responsible for processing personal data on behalf of a controller (your business). As your data processor, we are committed to supporting you in compliance with GDPR. It is important to note that responsibility and liability for adhering to the GDPR guidelines are shared between your business and ClientsFirst.

Do your terms and conditions include the new GDPR mandatory provisions?

We have updated our Terms and Conditions to include GDPR. The new terms and conditions can be found at this link.

Who has access to our data?

ClientsFirst will only process your personal data lawfully and fairly, and in line with the principles set out in the GDPR legislation.

ClientsFirst does work with third party providers / sub-processors to enable us to provide some of the services we offer to you. Where we use a third party we request that they are compliant with GDPR.

If we believe that it is required by law to disclose your personal data to a third party, whether in compliance with any applicable law or regulation or by court order or in connection with legal proceedings, we may do so without recourse to you.

How long does ClientsFirst keep data for?

ClientsFirst will hold your data for no longer than is necessary. There may be some circumstances where your data is held for longer periods of time, such as for archiving purposes and in order to comply with any legal requirements.

Do you work with sub-processors?

ClientsFirst works with a number of third party providers / sub-processors to enable us to perform various functions to assist us in providing you with the services we offer. Where we use a third party we request that they are compliant with GDPR.

If you require further information on the third parties / sub-processors we use for processing your data please contact us on

Will you provide a contract or do you expect us to do so?

Our new Terms and Conditions in relation to our contractual arrangements with you to ensure we comply with GDPR can be found at this link.

We do not expect to sign individual contracts provided to us.

What measures do you have in place to ensure the protection of personal data?

We have in place relevant data handling, security and protection policies and procedures which ensure your data is secure and protected.

Do you have a policy in place to ensure the accuracy and rectification, where required, of data?

It is your responsibility to inform us of any changes to your personal data, or personal data that you pass to us to process on your behalf, so that we can ensure your personal data is kept up to date. When notified of changes, we will take reasonable steps to ensure your data is updated and any inaccuracies rectified as soon as they are discovered.

What will ClientsFirst do if it receives a Subject Access Request?

Upon receiving a Subject Access Request we will respond to this promptly and within one month of the request.

If you are a MailFirst client you are the ‘data controller’ of any data stored in your MailFirst account. Therefore, if we receive a Subject Access Request from one of your clients, we will pass their request for data on to you immediately so that you can manage their request.

Do you have a documented breach policy?

Yes, we have an internal breach policy which helps us to maintain our excellent reputation and to minimise the risk of breaches in the data we handle.

If you are a MailFirst client, you are the ‘data controller’ for any data stored in your MailFirst account. Therefore, if we are made aware of any breach affecting any of your clients’ personal data, we will notify you of the breach as soon as possible and no later than 24 hours after discovering the breach.

If we discover a data breach relating to one of our direct clients that is likely to result in a risk to people’s rights and freedoms, we will report the breach to the Information Commissioner’s Office within 72 hours.

How can I use MailFirst and Hubspot to help me on my GDPR journey?

If you’re a MailFirst client and are looking into how the system can assist you in your GDPR journey, have a read of our functionality updates, hints, tips and more here. A feature called ‘Consent Insight’ is available to all accounts, making it possible to store consent against your contacts. There have also been recent changes made to how contacts are exported and deleted within the platform, making it easier to comply with Subject Access Requests. You can also visit the ‘help’ section in your account for a full overview of any features.

Hubspot has advanced GDPR functionality, which can be enabled within the system by turning on one single option. If you would like to discuss how Hubspot can help with GDPR then just get in touch and we will organise a call with one of our experts.