General Data Protection Regulation (GDPR) is here. Its aim is to dramatically increase the control individuals have over their personal data, so it affects all UK companies, big and small.
From May 2018 it is a legal requirement for all businesses to have the correct GDPR regulations in place. Get it wrong and you could face fines up to €20 million or 4% of a company’s global annual income, whichever is greater.
If you’re unsure whether or not GDPR applies to you, consider how regularly you deal with personal data – that includes present and past employees and suppliers, not just customer data. If you handle data then you should comply with the new GDPR rules.
‘But I deal with business data, not consumer, this doesn’t affect me right?’ Well not quite. If the data you hold is business-to-business (B2B) you can still use a soft opt-out approach for subscribers – this means that if they are an existing customer from a limited company you can give them an option to opt out of receiving your communications, rather than optin. However, if the data contains sole traders and partnerships they could be viewed as individuals or consumer data, therefore GDPR rules would apply. Plus, if a customer has provided any personal details like their Gmail address, even though they work for a limited company, it is treated as consumer data. Confusing hey? Most organisations would not 100% know whether their data would be classed as consumer or business, so it is best to follow the GDPR rules for all your data.
Our advice would be to apply the GDPR rules to your business if you process any personal data for customers (be they individuals or business), staff and suppliers.
What steps should you take?
- Start with a data audit. Evaluate how data is:
- Collected – get the specifics of your opt-in statement right (see below for ideas)
- Recorded – this must be provable
- Stored – privacy and safety is essential – is the data stored securely? If the data is obtained online is this secure? (See more details on making your site secure below)
- Retrieved – the recipient has the right to request access to data stored about them. Is this possible?
- Disclosed – you must be transparent about who you share details with and share responsibility with any third parties. (See privacy statement ideas)
- Erased – the data subject has the right to be forgotten. We also suggest you erase any data that you no longer use too
- Appoint a data protection officer. This only applies to large businesses, but there is no harm in deciding who will do that for smaller businesses too, so we suggest you appoint someone
- Create a new process for how you seek, record and manage consent. For B2C email and telemarketing, you need double opt-in (you get permission, then confirm this via their email – you can adjust this through your email marketing provider, or ask your marketing agency for help). For B2B limited company data you can have soft opt-in (they are existing customers and have therefore given permission to contact them). They must still have the right to opt-out and it must be clear – don’t forget this only applies to limited company details, so be careful. Even if they are employed by a limited business but they have provided a personal email address GDPR rules will apply. This also applies to cookies on the website. Users must be provided with simple opt-in/opt-out cookie consent choices. Our suggestion would be to start an engagement campaign now, so you can gain permission to communicate with your customers and prospects (more on this below)
- Review and update your privacy statement and ensure it is GDPR compliant.
- Review how to handle any requests for personal information and create a new procedure.
- Create the appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. This includes ensuring that any data you capture or hold is 100% secure (online, where it is stored in the cloud, transferred to you by clients etc). Are any parts of your website transferring data via third-party vendors – if so you need to ensure that they are GDPR compliant too?
Engagement campaign for your customers and prospects
You could simply email your existing database now (before GDPR begins in May) and ask them to opt-in, using double opt-in. However, this may lose you a great deal of your database. Create some great lead magnets; a free white paper, cheatsheet or webinar for example as a way of creating a level of interest in re-opting in. This will incentivise your customers and prospects to stay with you. You should explain how you got their details, why you’re emailing them, where the data came from and why you want to re-engage them (e.g. what sorts of information they’ll receive from you in the future). You’ll also need to give them details of how to manage their constent in the future. But hurry, you need to act fast to make this happen before GDPR or you won’t be able to contact them to request that they opt-in.
Making your site secure
We suggest you do this as a matter of course. Contact your web agency and ask them to purchase an SSL certificate and make your website secure. There are many advantages to this, not just GDPR compliancy. It will also help your search engine rankings as Google favours secure sites over non-secure. It also protects the integrity of the website, which gives your customers extra confidence in your organisation.
Ideas for opt-in and gaining permission
We really like some of the ideas presented by eConsultancy in this article.
Find out more
This article is just our quick-fire view, to give you a quick and easy take on our approach. However, to find out more we suggest you visit the ICO website here.