ENISA: Handbook on Security of Personal Data Processing

“The overall scope of the report is to provide practical demonstrations and interpretation of the methodological steps of the ENISA’s 2016 guidelines for SMEs on the security of personal data processing. This is performed through specific use cases and pragmatic processing operations that are common for all SMEs.”

https://www.enisa.europa.eu/publications/handbook-on-security-of-personal-data-processing

[UK] ICO’s Liz Denham on direct marketing consent

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/02/dma-data-protection-2018/

Detail of the e-privacy regulation is still being debated, but a default for all consumer marketing to be opt-in is in the current draft.

Until the e-privacy regulation comes into force, PECR will sit alongside the GDPR.

That means electronic marketing will require consent. Yes, there is potential to use legitimate interests as a legal basis for processing in some circumstances, but you must be confident that you can rely on it.

It seems to me that a lot of energy and effort is being spent on trying to find a way to avoid consent. That energy and effort would be much better spent establishing informed, active, unambiguous consent.

You say you will lose customers. I say you will have better engagement with them and be better able to direct more targeted marketing to them. You will have complete confidence that your customers have given informed consent.