GDPR – The clock is ticking….

GDPR will come into force across the EU on Friday 25th May 2018. This means all businesses must be compliant by that date.  Have you started taking action yet?

From a marketing perspective, the biggest shake up will be around how personal data can be used for marketing purposes, and how that data is stored and protected.

Under the GDPR you’ll only be able to send marketing communications to customers if they’ve opted in to receive them.  It will also be necessary to be able to prove that an individual has done so, by placing the burden on the business.  Individuals will also have the right to withdraw their consent at any time.

There is a lot of discussion around ‘what is the duration’ of consent.  I have done quite a lot of reading around this and I must say that I haven’t found any clear guidelines  However, it does seem to be implied that it does not last forever and should only be for as long as necessary.  At the moment, the ICO’s recommendation is to refresh consent ever 2 years.

It is important that you get into the habit of keeping good records moving forward to prove that an individual/customer has offered their information to you.  It is recommended that you should keep the following info:

  • Who consented
  • When they consented
  • What they were told at the time – what they were consenting to
  • How they consented – for example a copy of the completed data capture form with timestamp
  • If consent has been withdrawn – if so when.

One question that I am frequently asked is – does someone giving a business card at an event constitutes consent? The ICO has published draft guidance and gives the example of people at a conference putting their business cards in a box to take part in a prize draw. By putting their card in the box, they have clearly demonstrated consent to their personal details being used in relation to the prize draw but they have not consented to any wider use such as marketing purposes.

It gets a little confusing when you then look at oral consent which the ICO have highlighted as a valid unambiguous statement.  My take on this is – if you are networking and someone gives you a business card and clearly states that they want to receive your email newsletter, I would write the date, what it is they want to receive e.g. newsletter, the time and the networking event on their business card and keep this on record. I would also recommend that you send them a follow up email and ask them to confirm by opting in via the method you are using.

Key Steps you should be doing now:

  1. Review your current data that is held and understand your current consent provisions. Can you prove you have consent from everyone?  If the answer is ‘no’ then you will not be able to use this data after 25th May 2018.
  2. Start splitting your data by who has consented and who hasn’t
  3. Review your privacy policy and data capture forms to bring them in line with the information that is required to comply with GDPR. You must provide a mechanism that requires a deliberate action to opt in.  You also cannot rely on silence, inactivity, default settings, pre-ticked boxes etc.
  4. Review how you store and manged record information. Are you capturing all the information that you need to provide consent?   Also consider if you are keep unnecessary information!
  5. Decide how long consent should last for your business in terms of marketing communications. Incorporate this in your privacy policy and set in place a system to provide reminders to refresh consent or remove individuals when they lapse.

I hope this information has been helpful. It’s all about process and evidence.  I am working on writing other blog posts that will focus in on key areas such as ways you can gain consent from your existing lists for your future marketing communications.

For reference if is worth keeping an eye on these two websites as things are being constantly updated:

How to Prepare Your Business For GDPR

As we enter the last 7 months of countdown, more and more businesses are starting to worry about GDPR. At first, it was only the finance and IT industry that were wringing their hands, but soon business owners realised everyone would be affected by the new regulation. By now most business owners worth their salt have heard about the new GDPR. The savvy ones might have even started putting measures in place to get ready for it. But most of those are “big businesses”. You know, the ones who have infinite resources and entire departments dedicated to compliance and regulation. But that leaves the smaller businesses somewhat flustered and unsure of what to do. But never fear, Little Acorn are here to provide some more general guidance on the issue of GDPR.

What Is GDPR?

But first, what is this big bad acronym that has business owners rushing around like ants? GDPR stands for General Data Protection Regulations, and it’s essentially the EU’s answer to the Data Protection Act. However, unlike previous EU directives (which countries can choose to implement or not, and how), this is a regulation. This means it will apply to all EU countries in the same way. It also reaches outside of the EU to any organisation that handles EU citizen data, regardless of their location in the world. The regulation is already in place – we are partway through a transition period that allowed businesses to get their house in order before the regulation comes into effect on the 25 of May 2018.

The aim of the regulation is to unify and standardise data protection policies, shoring up weak spots and creating a strong base for personal data protection. The regulation provides a single set of rules for all member states to follow (including mandatory security notifications, new rules around user consent, a clearer definition of what could be personal data and greater rights for people to access and request deletion of the information companies hold on them). A special council will be created to oversee sanctions and provide guidance.

The Brexit Question

I feel I need a small note here. Before you ask, yes, UK businesses will still have to comply even if Brexit goes ahead. Not only will be still be handling EU citizen data (and therefore still subject to GDPR), but the government have also confirmed that they will be passing GDPR into UK law if we do leave. So, no matter what happens, you still need to prepare.

Areas of Your Business Affected by GDPR

The mistake a lot of businesses are making is assuming that GDPR will only really affect the IT department. And while it might be true that IT will certainly be hit hardest, that doesn’t mean the rest of the business is off the hook. In fact, there are 5 key areas of every business that will be impacted by GDPR:

Legal – One of the most important areas to be affected is the legal department (if you have one). There are many different changes that will need to be made to contracts, terms and conditions, policy documents throughout the business to ensure the consent rules are being met. This also means that the legal department will have to review and possible renegotiate contracts to meet this requirement.

Finance – GDPR will hugely influence the way accounting and financial processes function within your business. Huge amounts of confidential data pass through this department every day, so you need to be sure all your systems and policies are bulletproof. Because of the volume of data at risk, GDPR will impose heavy penalties on businesses that fail to guard their financial data adequately.

Sales & Marketing – Sales and marketing departments are the front line when it comes to dealing with customer data. They are usually responsible for the collection of data, so the consent rules need to be carefully followed. Sales and marketing need to make sure that their teams are addressing customers who have opted in or given their direct consent to receive it.

HR – GDPR will not only impact the way the business works, but it will also improve the rights of all employees too, giving them increased safety, security and control over their personal data. Everyone in the HR department needs to be updating contracts, ensuring that everyone understands their new rights and implementing them.

IT – And of course, the IT department are the first line of defence for all this data. The IT department is the foundation for the GDPR framework, which is why IT departments are currently running around like mad trying to get the systems updated and everything ready.

At Little Acorn Marketing, we are working with businesses in the Thames Valley to help them get ready for GDPR. Sure, we might not be able to help with the in-depth technical IT issues, but we can help review and improve your sales and marketing policies. Whether you just need a few tweaks or to redesign a new strategy to stay complaint, we are here to help. For more information, just get in touch today.