GDPR applies from 25 May 2018 and Brexit isn’t going to stop it (though the law may be amended at a later point).
What is GDPR and why should I care?
GDPR is essentially the existing Data Protection Act, which we all know and love, with bells and whistles added. The main reason the European Union is bringing in this new regulation on data usage is to ensure that data protection is applied uniformly across the Union. Currently each member state has its own interpretation of data protection law and some are better than others (the UK Data Protection Act is one of the best). Because GDPR is a regulation rather than a directive, it applies directly in every member state without needing a separate national law to implement it.
As a business owner, you should know that the punishment for non-compliance with GDPR can be severe: the fines can be very large, and the reputational damage may cost you even more in the long run than the fine itself.
How will GDPR affect your marketing data?
First thing: don’t panic. If you have always been very clear about what you are going to do with the data you collect, have explicit consent to use it in that way, and have never sold it or used it for a different purpose, you should be fine.
Crucial to this is that you have kept your data up to date and, if any of your customers have opted out of communications, that you have honoured it.
This can be tricky if you have really old data, in which case you have two choices.
- Re-engage now. If you really need to contact those people but haven’t for a while, get on with it quickly. In that contact, ask them whether they want to continue to hear from you and be clear about what you are going to send them. Make sure you honour their right not to be contacted if they don’t opt in. One plus side is that if people don’t want to hear from you and opt out (by not opting in), you won’t waste future effort talking to people who aren’t interested in your service.
- Archive the data and stop contacting them. Don’t delete the records outright: you need to retain them in case those people return to you at some point to re-engage, or want to review or have a copy of the data you hold on them. Bear in mind that GDPR’s storage limitation principle still applies to the archive, so keep only what you can justify retaining, and honour any request for erasure.
How do I ensure the data I collect is GDPR compliant going forward?
If you’ve been following the steps set out above, in general your data will be fine; keep up the good work.
However, it is well worth reviewing all your processes and forms. Forms on your website should be pretty easy to review: a check that you are very clear about what will happen with the data you collect will cover your back.
If the data may be used for several purposes then I’m afraid there’s no way around this: you’ll need a separate tick-box to get the customer’s explicit permission for each purpose you want to contact them about.
I found a great article on GDPR tick boxes written by Steve Henderson, Compliance Officer for the DMA. The biggest takeaway for me is that if you follow the Guardian example, and make the context around the sign-up clear, then there’s no need for a tick box in the first place.
How do I ensure my sales team are GDPR compliant?
That can be tricky! There are no opt-in boxes for the customer to tick; your internal teams will be taking this explicit instruction verbally. This means you must have very clear processes and instructions for them, including keeping a record of what was said and agreed. Ensuring that every single person who gives you data is fully aware of what you will do with it is very tricky. Getting this right is going to come down to culture, and to ensuring that your staff are well trained and understand why GDPR is so important.
Clearing up any confusion on GDPR
If all this sounds far too complex, and I agree it can, then the Information Commissioner’s Office has published draft guidance on obtaining consent, which you can download from their website.
Here’s the TL;DR version at a glance:
- The GDPR sets a high standard for consent.
- Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.
- Check your consent practices and your existing consents. Refresh consents if they don’t meet the GDPR standard.
- Consent means offering individuals genuine choice and control.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and granular. Vague or blanket consent is not enough.
- Be clear and concise.
- Name any third parties who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent a precondition of a service.
- Public authorities and employers will find using consent difficult.
- Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.