GDPR applies to consumer data, so if your business processes personal or sensitive consumer data, the GDPR will apply to your business.
Most businesses use direct marketing to communicate with customers and prospects, most have a website that lets consumers get in touch by submitting personal data, and most use website analytics to analyse consumer behaviour. This means that as a business owner you will almost certainly need to take action to ensure your company complies with the new data protection law, which comes into effect on 25th May 2018.
If you think leaving the EU will mean the new regulations will be scrapped, you are wrong! Currently EU rules apply, and will do so until we leave the EU. The Government has announced they will enforce similar rules following Brexit.
Some things you are currently doing may therefore need to change as a result of the new General Data Protection Regulation (GDPR). The first task will be to review how your business currently handles data, including where it came from, whether you have consent to use it, where it is stored, whether it is still needed, where it is going and who you are sharing it with.
There are 8 individual rights outlined by the GDPR and you will need to ensure that your procedures and policies can deliver these rights.
8 Rights Outlined in the GDPR:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. The right not to be subject to automated decision-making, including profiling
Key Actions to Prepare for GDPR
1. Assess current data handling activities including the data source, consent processes, current use of data, longevity of data and third party access. Also check if data is securely stored and delete unnecessary data.
2. Gain more knowledge on GDPR and train your staff to understand the key elements to be assured of compliance now and in the future.
3. Evaluate and review consent processes in preparation for GDPR – you must have a positive Opt-In (but there are exceptions; see below for further details).
4. Accountability – transparency is key, so you will need to provide evidence of compliance and be able to provide information to individuals who request it under the GDPR. Compulsory information may include your identity and contact details, the purpose of processing their data, who you share the data with, how the data is protected and the retention period, and you must be clear about opt-in/opt-out clauses.
5. Consider appointing a DPO (Data Protection Officer) who can be responsible for your data obligations under the GDPR.
What is the penalty for being in breach of the GDPR?
The fines for non-compliance are now much higher and could be as much as 4% of your annual turnover or a maximum of £20 million, whichever is higher, so it is strongly recommended that you start putting things in place to achieve compliance now. Review your current position, tighten up your policies and procedures and protect your business from risk.
Gaining Consent from Individuals for Direct Marketing Communications
One of the key changes to the Data Protection law relates to ‘consent’ by the individual to be contacted by the company for marketing purposes.
Consent must be freely given, specific, informed and unambiguous. There must be a positive Opt-In (such as a tick box) that is then documented and can be shown as evidence – this is called ‘Explicit Consent’.
Let’s suppose you are currently sending emails to a prospecting database but you have only given the individuals an Opt-Out option (such as ‘unsubscribe here’), and you had not gained Explicit Consent to send marketing communications to them when you collected their personal data. In this instance you will be in breach of the regulations. This is termed ‘Implied Consent’.
By only giving them the option to ‘unsubscribe’ or ‘contact us to opt-out’ you are assuming that, because the individual has not taken action to request removal from the database, they have given consent. The GDPR states you must have Explicit Consent to avoid the risk of being fined for non-compliance.
Marketing to Existing Customers
For email and telemarketing, the current PECR legislation states that if you have an existing customer relationship, then a Soft Opt-In is sufficient as long as you are only marketing products or services similar to those the customer originally purchased.
This means if the customer consented to the use of their data on initial contact, you may continue to email them as long as you can show evidence that you gained their consent at the time of data collection.
B2B Email Marketing
The DMA stated in August 2017: ‘direct marketing sent to ‘natural persons working for legal persons’ requires prior consent. For example, emailing Joe.Bloggs@dma.org.uk would require consent. However, consent would not be required when contacting a generic email address such as email@example.com. The European Data Protection Supervisor has also echoed this opinion.’
Details of sole traders and partnerships are considered to be personal information, so you will have to gain Explicit Consent through an Opt-In process to mail these people.
Companies that are Ltd, PLC, LLP, LBG or public sector organisations and charities DO NOT need to Opt-In to receive marketing communications, but they must be given an opportunity to Opt-Out.
If you send printed marketing materials by post, you will be pleased to hear that you DO NOT need Explicit Consent from recipients. As long as the brochure, catalogue, letter or promo mailer clearly gives the recipient an option to Opt-Out of receiving future mailings, this will be allowed under the ‘legitimate interests’ of your business.
Your website is your online shop window, so you need to ensure it complies with current data protection legislation too. Assess what information you actually need to collect online and only collect what is relevant and of value to you.
1. You must have Cookie Control in place to give the user the option to consent, or not, to your storing cookie files on their computer for marketing purposes. You need to be transparent about what information you are collecting and what you are going to do with it, and this explanation needs to be prominent on your website.
2. You have responsibilities to protect the personal information that your website collects and uses. If you are storing personal data on your website you must have an SSL Certificate (so that data submitted through the site is encrypted in transit) and host your site on a secure server. Ask your IT supplier for advice on encrypting stored information, and ensure your staff are adequately trained and know how to look after the data properly.
3. If you have an ecommerce site, or your site has contact, quote or enquiry forms that collect personal information such as a name, email address, telephone number or mailing address, and you intend to use this information for marketing purposes, ensure you have Explicit Consent by way of an Opt-In tick box that gives visitors the choice of whether to receive further marketing communications from you.
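The Explicit Consent point made in the section on direct marketing (a positive Opt-In that is documented and can be shown as evidence, as opposed to Implied Consent from an unsubscribe link) and item 3 above both come down to what the website does with the tick box once the form is submitted. The following Python is an added example, not code from the original page or from Whizz Marketing; the form field names, the consent wording, the in-memory store and the sample submissions (including the documentation-range IP address) are all assumptions. It records who consented, to what wording, when and on which page, treats a missing or unticked box as no consent at all, and honours a later unsubscribe while keeping the original record as history.

```python
# Added example (not from the original page or from Whizz Marketing): a small
# server-side handler that records a positive opt-in as evidence and refuses
# to treat silence as consent. Field names, wording and the store are assumed.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, Optional

# Exact wording displayed beside the (unticked) box, versioned so the record
# proves what the visitor agreed to. Assumed text.
CONSENT_STATEMENT_V1 = (
    "Tick this box if you would like to receive marketing emails from us. "
    "You can unsubscribe at any time."
)

# Values a browser sends for a ticked checkbox ("on" is the default when the
# <input> has no value attribute). An unticked box is omitted from the form
# data entirely, so absence must never be read as consent.
AFFIRMATIVE = {"yes", "on"}


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str      # what the data will be used for
    statement: str    # wording shown to the visitor at the time
    source: str       # which form or page captured the consent
    timestamp: str    # ISO-8601 UTC time the box was ticked
    ip_address: str


def capture_consent(form: Dict[str, str], source: str, ip_address: str,
                    now: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Return a ConsentRecord only for a positive opt-in, otherwise None.

    None means the site may still handle the enquiry but must not add the
    address to a marketing list: a missing or unticked box is at best
    Implied Consent, which the page above says is not sufficient.
    """
    email = form.get("email", "").strip().lower()
    if "@" not in email:
        return None
    if form.get("marketing_opt_in", "").strip().lower() not in AFFIRMATIVE:
        return None
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConsentRecord(email, "email_marketing", CONSENT_STATEMENT_V1,
                         source, stamp, ip_address)


class ConsentStore:
    """In-memory store of consent evidence (a real site persists it durably)."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self._withdrawn: Dict[str, str] = {}   # email -> withdrawal timestamp

    def add(self, record: ConsentRecord) -> None:
        self._records[record.email] = record
        self._withdrawn.pop(record.email, None)  # a fresh opt-in supersedes an old withdrawal

    def withdraw(self, email: str, now: Optional[datetime] = None) -> None:
        """Honour an unsubscribe or objection; the original record stays as history."""
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self._withdrawn[email.strip().lower()] = stamp

    def may_email(self, email: str) -> bool:
        key = email.strip().lower()
        return key in self._records and key not in self._withdrawn

    def evidence(self, email: str) -> Optional[dict]:
        """What you would show the regulator or the individual on request."""
        key = email.strip().lower()
        rec = self._records.get(key)
        if rec is None:
            return None
        out = asdict(rec)
        out["withdrawn_at"] = self._withdrawn.get(key)
        return out


# Constructed submissions, shaped as a web framework hands form data to a handler.
TICKED = {"name": "A Visitor", "email": "Visitor@Example.com", "marketing_opt_in": "on"}
UNTICKED = {"name": "A Visitor", "email": "quiet@example.com"}  # box left unticked: field omitted


def demo() -> dict:
    store = ConsentStore()
    when = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    rec = capture_consent(TICKED, source="/contact", ip_address="203.0.113.7", now=when)
    if rec is not None:
        store.add(rec)
    before = store.may_email("visitor@example.com")
    store.withdraw("visitor@example.com", now=when)
    return {"recorded": rec is not None, "may_email_before": before,
            "may_email_after_withdrawal": store.may_email("visitor@example.com"),
            "evidence": store.evidence("visitor@example.com")}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `capture_consent` returns nothing rather than a "no consent" record: the marketing list is built only from affirmative records, so there is no code path by which a visitor who simply filled in a contact form ends up on it. The evidence dictionary is what you would produce for an access request or an ICO enquiry.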
You can find further information on https://ico.org.uk/for-organisations/business/ and if you are a member of the FSB, there is a lot of information available on GDPR and the Legal Hub provides templates, guidance notes and check lists for members to refer to and use.
Whizz Marketing is totally committed to providing up to date advice, guidance and support to SMEs for online marketing and SEO. If you would like further support to ensure your website and marketing processes comply with the new data protection regulations, please contact Louise on 01252 622129 or email firstname.lastname@example.org