There’s been a buzz around GDPR for a while now, but many companies still don’t understand it or have a plan in place. We get it, you’re busy running a business and it is a fairly complex issue. While we’re not experts and certainly can’t advise from a legal perspective, we wanted to share our knowledge with you and do our best to begin to unravel the mysteries of GDPR.
GDPR stands for General Data Protection Regulations. You’re probably already aware of the Data Protection Act, which was introduced in 1998 into a very different world - before the creation of Google, Facebook, Twitter, and many other digital networks we’ve become accustomed to using in everyday life.
GDPR is essentially a progression of these laws, bringing them up to scratch for the modern era. They come into play May 25th 2018.
The simple answer is yes. UK businesses should certainly comply with GDPR. It’s largely recommended practice to protect your data and look after your customers. And it affects businesses of all shapes and sizes, small independent retailers to bigger enterprises with mailing lists, customer databases and booking records.
Although EU rules are involved, Brexit won’t get you out of this one.
As a legal requirement, the ICO (Information Commissioner’s Office) will have the power to impose these laws and may fine businesses who break the rules. You need to be able to show that you’ve made reasonable efforts to comply.
One key principle of GDPR is that you need to know what data you hold as a business, and why.
Some customer data you’ll need to fulfil your service. Some you may need to keep for a set period of time for accounting and tax purposes.
Make sure you know what data you have and its purpose. Make sure you have a process for discarding data you don’t need.
It needs to be clear to your customers what data you keep on them and why. From emails added to your mailing list to stats collected by Google Analytics, explain what you collect and why you collect it in your privacy policy and terms and conditions. You do have a privacy policy, right?
GDPR says for each person you store data about, you should have an audit trail to show not only that they gave this consent, but also when and how.
You may already be doing this, but the chances are you’re not. Start doing it as soon as you can - get your sign up checkboxes at the ready!
And what about the existing customer data you currently hold? While there are other laws in play that imply you can keep using the data of those you already have a relationship with, getting permission afresh is the safest option.
There are various ways of approaching this “repermissioning” process, just ask us if you need some assistance.
Email marketing should always be opt in. Don’t assume you can hide this in terms, or automatically pop new customers on your mailing list - they must explicitly opt in to receive marketing emails.
Emails should always include an option to opt out (unsubscribe) too. You must maintain a record of who’s opted out - don’t get your lists in a muddle and sign people back up.
As for print marketing, you can send promotional materials without permission if the mail is relevant and appropriate. But there must be an opt out option - e.g. small print saying “to stop receiving mail please fill in a form to unsubscribe on our website”.
It’s a similar rule for telephone marketing too - you’ll need to check numbers aren’t disallowed through the TPS (Telephone Preference Service) or CTPS (Corporate Telephone Preference Service).
Encryption means jumbling up data so only you can read it. There are two places you need to consider encryption.
The first is while data is in transit. You should have an SSL certificate on your website for this, and it must be configured correctly to protect data. SSL jumbles data as it goes from the browser to the web and back, it adds https:// to your web address and usually adds a little padlock and a hint of green to your web browser. It gives customers more confidence in you and is good for SEO too.
Secondly, if you keep private or personally identifiable information in a database, GDPR says you should think about encrypting that too. Encryption at this level isn’t 100% mandatory and can be a pain - but may be needed depending on your unique situation. Need any help with that? Let us know.
We’d strongly recommend registering with the ICO - you’ll nominate someone responsible for data within your organisation, and receive your own data protection number.
The price to register is pretty small, and they also provide resources that can help you create a pretty comprehensive privacy policy.
Expect the best, prepare for the worst. We hope you never ever suffer from a hack or data breach, but what happens if you do? You need to have a plan ready just in case - GDPR says you should notify those whose data has been compromised within 72 hours, if not sooner. How would you do this?
GDPR gives people a right to request a copy of their own data, and also the right to erasure - not that Erasure, erasure as in deleting their data entirely. How are you going to fulfil this?
Have a plan for everything, share that plan with customers.
While GDPR might just seem like another bureaucratic hurdle for the honest businessperson, treating data with care, and taking the privacy of others seriously is at the heart of it. Do that and you’ll be well on your way to ticking all the boxes.
GDPR is also about creating a security aware culture. Yes the boss is responsible, but everyone who touches data in your organisation has a part to play.
Be prepared and have a plan in place as soon as you can.
We’re not lawyers, but we are here to help where we can (and we are good with digital communications, marketing, web development and databases). We’d be happy to review your situation and make recommendations as to how we can facilitate practical solutions for you.
You'll receive an email update every 2 weeks with insight and advice to support you in your digital marketing journey. We treat your email address with care, and you can unsubscribe with just a click.