GDPR – The clock is ticking…

GDPR will come into force across the EU on Friday 25th May 2018. This means all businesses must be compliant by that date.  Have you started taking action yet?

From a marketing perspective, the biggest shake up will be around how personal data can be used for marketing purposes, and how that data is stored and protected.

Under the GDPR you’ll only be able to send marketing communications to customers if they’ve opted in to receive them. You will also need to be able to prove that an individual has done so: the burden of proof sits with the business. Individuals will also have the right to withdraw their consent at any time.

There is a lot of discussion around ‘what is the duration’ of consent. I have done quite a lot of reading around this and I must say that I haven’t found any clear guidelines. However, it does seem to be implied that it does not last forever and should only be for as long as necessary. At the moment, the ICO’s recommendation is to refresh consent every 2 years.

It is important that you get into the habit of keeping good records from now on, so that you can prove that an individual or customer has given you their information and their consent. It is recommended that you keep the following information:

  • Who consented
  • When they consented
  • What they were told at the time – what they were consenting to
  • How they consented – for example a copy of the completed data capture form with timestamp
  • Whether consent has been withdrawn, and if so when.

One question that I am frequently asked is: does someone handing over a business card at an event constitute consent? The ICO has published draft guidance and gives the example of people at a conference putting their business cards in a box to take part in a prize draw. By putting their card in the box, they have clearly demonstrated consent to their personal details being used in relation to the prize draw, but they have not consented to any wider use such as marketing purposes.

It gets a little confusing when you then look at oral consent, which the ICO has highlighted as a valid unambiguous statement. My take on this is: if you are networking and someone gives you a business card and clearly states that they want to receive your email newsletter, I would write the date, the time, the networking event and what it is they want to receive (e.g. the newsletter) on their business card and keep this on record. I would also recommend that you send them a follow-up email and ask them to confirm by opting in via the method you are using.

Key steps you should be taking now:

  1. Review the data you currently hold and understand your current consent provisions. Can you prove you have consent from everyone? If the answer is ‘no’ then you will not be able to use this data after 25th May 2018.
  2. Start splitting your data by who has consented and who hasn’t.
  3. Review your privacy policy and data capture forms to bring them in line with the information required to comply with GDPR. You must provide a mechanism that requires a deliberate action to opt in; you cannot rely on silence, inactivity, default settings, pre-ticked boxes etc.
  4. Review how you store and manage record information. Are you capturing all the information you need to prove consent? Also consider whether you are keeping unnecessary information.
  5. Decide how long consent should last for your business in terms of marketing communications. Incorporate this in your privacy policy and put in place a system to provide reminders to refresh consent, or to remove individuals when their consent lapses.
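To show how the five record-keeping items above and steps 2, 4 and 5 fit together, here is an added example of a minimal consent ledger. It is not code from the original post or from the ICO; the two-year lifetime follows the ICO recommendation quoted earlier, while the 60-day reminder lead time, the subject identifiers and the sample records are constructed for illustration. Consent is treated as purpose-specific, so the prize-draw business card does not unlock newsletter mailings.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy values. The 2-year refresh interval is the ICO recommendation
# quoted in the post; the 60-day reminder lead time is an assumed value.
CONSENT_LIFETIME = timedelta(days=2 * 365)
REMINDER_LEAD = timedelta(days=60)


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event, holding the five items the post says to keep."""
    subject: str                    # who consented (e-mail address used as key)
    consented_at: datetime          # when they consented (UTC)
    purpose: str                    # what they consented to, e.g. "newsletter"
    notice_text: str                # what they were told at the time
    evidence: str                   # how they consented (reference to the form copy etc.)
    withdrawn_at: Optional[datetime] = None   # if withdrawn, when

    def status(self, now: datetime) -> str:
        """Classify this record at time `now`: withdrawn, lapsed, refresh_due or valid."""
        if self.withdrawn_at is not None and self.withdrawn_at <= now:
            return "withdrawn"
        age = now - self.consented_at
        if age >= CONSENT_LIFETIME:
            return "lapsed"
        if age >= CONSENT_LIFETIME - REMINDER_LEAD:
            return "refresh_due"       # still usable, but send a refresh reminder
        return "valid"


def latest_record(records: List[ConsentRecord], subject: str,
                  purpose: str) -> Optional[ConsentRecord]:
    """Most recent consent event for this subject and purpose; consent for
    one purpose never counts for another."""
    matching = [r for r in records if r.subject == subject and r.purpose == purpose]
    return max(matching, key=lambda r: r.consented_at) if matching else None


def split_by_consent(records: List[ConsentRecord], purpose: str,
                     now: datetime) -> Dict[str, List[str]]:
    """Step 2 of the post: partition every known subject by consent status for
    one purpose. Subjects with no record for that purpose go to "no_consent"."""
    buckets: Dict[str, List[str]] = {
        "valid": [], "refresh_due": [], "lapsed": [], "withdrawn": [], "no_consent": []}
    for subject in sorted({r.subject for r in records}):
        latest = latest_record(records, subject, purpose)
        if latest is None:
            buckets["no_consent"].append(subject)
        else:
            buckets[latest.status(now)].append(subject)
    return buckets


def can_contact(records: List[ConsentRecord], subject: str,
                purpose: str, now: datetime) -> bool:
    """True only while a current, unwithdrawn consent exists for this purpose."""
    latest = latest_record(records, subject, purpose)
    return latest is not None and latest.status(now) in ("valid", "refresh_due")


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NEWSLETTER_NOTICE = "Tick to receive our monthly e-mail newsletter. Unsubscribe any time."

# Constructed sample ledger; all people and dates are invented.
SAMPLE_RECORDS = [
    ConsentRecord("alice@example.com", _utc(2018, 3, 1), "newsletter",
                  NEWSLETTER_NOTICE, "web form submission form-2018-03-01-0042"),
    ConsentRecord("bob@example.com", _utc(2018, 4, 10), "prize_draw",
                  "Drop your card in the box to enter the prize draw.",
                  "business card from conference box, scanned 2018-04-10"),
    ConsentRecord("carol@example.com", _utc(2016, 5, 1), "newsletter",
                  NEWSLETTER_NOTICE, "paper form, scan ref 2016-05-01-0007"),
    ConsentRecord("dave@example.com", _utc(2016, 7, 15), "newsletter",
                  NEWSLETTER_NOTICE, "web form", withdrawn_at=_utc(2018, 1, 20)),
    ConsentRecord("erin@example.com", _utc(2016, 7, 1), "newsletter",
                  NEWSLETTER_NOTICE, "business card annotated: 1 Jul 2016, 18:30, "
                  "networking event, wants newsletter; confirmed by opt-in e-mail"),
    ConsentRecord("frank@example.com", _utc(2016, 1, 1), "newsletter",
                  NEWSLETTER_NOTICE, "web form"),
    ConsentRecord("frank@example.com", _utc(2018, 2, 1), "newsletter",   # refreshed consent
                  NEWSLETTER_NOTICE, "re-consent e-mail click, campaign 2018-02"),
]

AS_OF = _utc(2018, 6, 1)   # constructed review date, shortly after 25th May 2018

if __name__ == "__main__":
    for bucket, subjects in split_by_consent(SAMPLE_RECORDS, "newsletter", AS_OF).items():
        print(f"{bucket:12s} {subjects}")
```

Run on the sample ledger as of June 2018, this puts Alice and Frank (whose latest record is a refresh) in the mailable list, flags Erin for a refresh reminder, and keeps Carol (lapsed), Dave (withdrawn) and Bob (prize-draw consent only) out of the newsletter send.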

I hope this information has been helpful. It’s all about process and evidence. I am working on writing other blog posts that will focus on key areas such as ways you can gain consent from your existing lists for your future marketing communications.

For reference, it is worth keeping an eye on these two websites, as they are constantly being updated:

https://www.eugdpr.org/

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr