A week off work had prompted me to force myself to spend at least a few hours focusing on the spectre that is GDPR. It’s omnipresent, my Facebook feed is filled with posts about it, as is LinkedIn and Twitter and my clients are looking to me for reassurance. So, I feel a sense of responsibility to learn as much as I can, to at least be able to guide them in the right direction.
I must first point out that, as with all knowledge, this is second-hand knowledge… What we learn we must learn from someone else. I have followed Suzanne Dibble's Facebook group, watched many of her webinars and videos as well as consumed as much information as possible online, so what I am sharing is my take on what I’ve learnt.
So, here goes…
We all need to be GDPR compliant by 25th of May 2018. Yes, that feels soon, but it has been two years in coming so it shouldn’t come as a surprise to any of us.
What can happen if we bury our head in the sand and pretend it’s not relevant to us? Well, there are potential fines of up to 4% of your global turnover but, in fairness, this is probably some way down the line for those that refuse to comply and blatantly disregard the regulations. More importantly, I feel, as we move forward, consumers who are unhappy with the way their data is being processed / handled will not only be able to complain, they will also be able to claim compensation. In a society that seems to have developed a passion for compensation claims, this is a big worry. Over and above this, if you do not handle people’s data in the most professional manner possible, you risk damaging your own professional reputation.
If you as a small business owner are aware of GDPR then you can bet your bottom dollar that the man on the street is aware of it, and they will not hesitate to complain to the ICO going forward if they feel their data is being “abused”.
So this is the end of marketing as you know it, right?
No, not at all. There has been a data protection regulation in place for years and all this is doing is tightening up on that. You should never have been scraping email addresses off websites, you should never have been spamming people with unsolicited emails, so if you’ve been doing that then STOP IT right now! Think of GDPR as an opportunity to clean your database, ensure that your marketing is more targeted (because you will be marketing to people you KNOW are interested in you / your product / your service) and see an increase in engagement with your audience.
Personal data is exactly what you think it is – name, phone number, email address etc. Processing data is collecting it, storing it, holding it, using it etc.
The key message throughout the changes being brought about by GDPR is TRANSPARENCY.
- Tell people what you are doing with their data.
- Use the data for the specific purpose that you have obtained it for.
- Only take the details you need and only keep the data as long as you need it.
- Hold the data securely.
- Use a recognised GDPR compliant third party, like Dropbox.
- If you are a business that holds hard copy data, ensure that you keep that secure too – locked filing cabinets etc.
Legal grounds for processing data
There are various legal grounds for processing data, but the ones we need to really think about are consent, contract and legitimate interest.
Consent must be a clear, affirmative act and should be as detailed as possible. Do not bundle consent; be as granular as possible and give people separate options they can consent to.
One of the big questions that many businesses are asking is “do I have to get consent from my existing list?”. I have seen many contradicting answers to this question, and here is my answer…
You do not have to get consent from your existing list IF you can show that the original consent you have from them is GDPR compliant consent.
As such, my honest answer is, yes, you do need to go back and get consent from your existing list to carry on holding and using their data. Why do I say this? Because I think it is HIGHLY unlikely that most businesses have been using GDPR compliant consent prior to the GDPR regulations being brought in. So yes, your contacts may have opted in to your list, but it is unlikely that the opt-in falls in line with the new regulations.
Now is the time to create and run a re-engagement campaign, refresh your contacts’ consent and remind them that they have the right to withdraw their consent at any time.
The onus of proof of consent lies with you, the data controller. You must be able to show what your contacts have consented to, when and how they consented.
Contract covers the right to hold data for delivery of goods or services, and also for employees.
Legitimate interest is the trickier one. This seems to be the heading that marketeers were going to hang their hat on but unfortunately you DO still need consent for marketing.
For legitimate interest to come into play, there must be a “relevant and appropriate” relationship – so, for example, if a customer has purchased a product and you are emailing them about an upgrade to this product or sending them some additional details that might enhance their experience.
As a business or business owner processing data, you are ultimately accountable and are the “data controller”. There is a fee payable (some companies are exempt so please do check) which is a Data Controller charge and ranges from £40 to £2900. If your organisation has over 250 employees then you will need to designate someone as Data Protection Officer and they will be responsible for data protection compliance.
What to do now
If this all feels like information overload then my suggestion to you would be to break it all down and deal with it in bite size chunks.
Head to the ICO website and ascertain what Data Controller fee you are liable for and pay that.
Ensure that all data processors you use guarantee compliance with GDPR (payroll handlers, email marketing software etc).
Assess what data you hold, where it came from and how you use it.
Decide how you are going to refresh consent. You may even decide (if it’s historical data that you don’t use / don’t need) to destroy all old data and start afresh with GDPR compliance.
Make a record of your new policies and procedures so that every time a new lead magnet is created or a new email marketing campaign is built, you know that all elements will be GDPR compliant.
Ensure that you have a system in place to cover the rights of data subjects. People can now request the data you hold on them for free, and these requests must be actioned within one month of receipt. The contact also has the right to have the data held on them rectified or erased.
Put systems in place to ensure that you are able to keep record of consent from your contacts.
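As an added illustration of the last few steps (this is constructed example code, not something from the original post or from any product it mentions), the sketch below keeps a granular, append-only consent log that can answer "what did this contact consent to, when and how", treats a later withdrawal as overriding an earlier opt-in, refuses to send for a purpose with no matching consent, and exposes the access, rectification and erasure rights together with a helper that works out the one-month deadline for a request. The contact, purposes and wording are all made up.

```python
import calendar
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Added example, not code from the original post. It models the consent
# records a data controller must be able to produce (what was consented to,
# when and how), withdrawal, and the subject's rights of access, rectification
# and erasure. All names and sample data below are constructed.


@dataclass
class ConsentEvent:
    purpose: str          # one granular purpose, e.g. "newsletter", never "everything"
    granted: bool         # True = consent given, False = consent withdrawn
    timestamp: datetime   # when the affirmative act (or withdrawal) happened, in UTC
    method: str           # how it was obtained: "web_form", "re_engagement_email", ...
    evidence: str         # the exact wording the contact agreed to


@dataclass
class Contact:
    email: str
    name: str
    consents: List[ConsentEvent] = field(default_factory=list)


class ConsentLedger:
    """Minimal append-only consent log keyed by the contact's email address."""

    def __init__(self) -> None:
        self._contacts: Dict[str, Contact] = {}

    def add_contact(self, email: str, name: str) -> None:
        self._contacts[email] = Contact(email=email, name=name)

    def record(self, email: str, purpose: str, granted: bool,
               method: str, evidence: str, when: datetime) -> None:
        # Events are appended, never edited, so the history itself is the proof.
        self._contacts[email].consents.append(
            ConsentEvent(purpose, granted, when, method, evidence))

    def proof_of_consent(self, email: str, purpose: str) -> Optional[ConsentEvent]:
        # The most recent event for this exact purpose decides: a withdrawal
        # beats an earlier grant, and consent for another purpose never counts.
        contact = self._contacts.get(email)
        if contact is None:
            return None
        events = [e for e in contact.consents if e.purpose == purpose]
        if not events:
            return None
        latest = max(events, key=lambda e: e.timestamp)
        return latest if latest.granted else None

    def may_email_for(self, email: str, purpose: str) -> bool:
        return self.proof_of_consent(email, purpose) is not None

    # --- data subject rights -------------------------------------------------

    def access_request(self, email: str) -> Optional[dict]:
        # Everything held on the person, including the full consent history.
        contact = self._contacts.get(email)
        return None if contact is None else asdict(contact)

    def rectify(self, email: str, name: str) -> bool:
        contact = self._contacts.get(email)
        if contact is None:
            return False
        contact.name = name
        return True

    def erase(self, email: str) -> bool:
        return self._contacts.pop(email, None) is not None


def request_due_date(received: datetime) -> datetime:
    """Deadline one calendar month after receipt, clamped to that month's last day."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return received.replace(year=year, month=month, day=day)


# Constructed sample: a subject access request received on 31 January 2018.
SAR_RECEIVED = datetime(2018, 1, 31, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    # Constructed sample data: one contact opts in to two purposes through a
    # re-engagement email, then later withdraws one of them.
    ledger = ConsentLedger()
    ledger.add_contact("alice@example.com", "Alice Example")
    ledger.record("alice@example.com", "newsletter", True, "re_engagement_email",
                  "Yes, send me the monthly newsletter",
                  datetime(2018, 5, 1, 9, 0, tzinfo=timezone.utc))
    ledger.record("alice@example.com", "product_updates", True, "re_engagement_email",
                  "Yes, tell me about updates to products I have bought",
                  datetime(2018, 5, 1, 9, 0, tzinfo=timezone.utc))
    ledger.record("alice@example.com", "newsletter", False, "unsubscribe_link",
                  "Unsubscribe from the newsletter",
                  datetime(2018, 6, 3, 17, 30, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("newsletter allowed:", ledger.may_email_for("alice@example.com", "newsletter"))
    print("product updates allowed:", ledger.may_email_for("alice@example.com", "product_updates"))
    print("SAR due by:", request_due_date(SAR_RECEIVED).date())
```

The point of storing the evidence wording and method with each event is that, when asked, you can show exactly what a person agreed to rather than just that a flag was set; and because the log is only ever appended to, the same record answers both "can I email them about this?" and "when did they withdraw?".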
I hope that you find this breakdown useful. It is by no means all-encompassing, and I’m fully aware that there are more areas to be covered (cookie policies, T&Cs etc.), but I am sharing with you what I have learnt so far and if it saves you a few hours of scouring videos, podcasts and blogs then in a small way I have been useful!