GDPR Compliance - How Did You Do?
GDPR 2 months on…
Well, unless you’ve been living on Mars, it can’t have escaped your attention that all businesses should have reviewed their data policies and marketing activity this year to make sure they are compliant with the new General Data Protection Regulation (GDPR).
If, like us, you got sick of all those emails asking you to opt in to stay on their list, you’re probably wondering what all the fuss was about. Our inboxes are still full of marketing emails and you can’t get on a web page now without dismissing a huge cookie notification pop-up. So was it all really necessary?
The 3 ways businesses dealt with GDPR
Although we had almost two years to prepare for GDPR, there seemed to be a real panic and media focus in the last few months leading up to the May 25th deadline. It’s fair to say that many small businesses, without the benefit of departmental experts in data protection and marketing permissions, were really confused and weren’t sure what they were meant to be doing, so what we saw were three main types of reaction.
So which one were you?
The one that did nothing
It may be that you were already super-confident you had policies and practices which put you ahead of the game – well done you. For many though it was more a case of let’s bury our heads in the sand and hope we don’t get caught out. Many small businesses who have good relationships with their customers would have a “legitimate interest” to keep in touch with them using marketing messages (more on that later). What most businesses failed to comprehend was that, for many, all they had to do to be compliant was simply tell their customers what data is held about them, what it is used for and how it is stored. Most companies did this using a simple privacy policy notification inviting customers to review it.
The one who went overboard
Yep, you know who you are. You emailed absolutely everyone five times asking them to opt back in, with discount codes, telling them they’d be missing out. Now, that’s all well and good if you’re trying to keep a list of prospective customers who haven’t expressly given their permission to receive marketing emails, or indeed customers who you added to a mailing list without their permission – these would have been out of bounds after 25th May. However, many businesses did that to their existing customers who had previously given consent too. There was the dental surgery that invited patients to opt in so they could continue to receive SMS appointment reminders. This type of communication does not require permission; it’s a service update, not a marketing message. If you were sending them a promo on a new tooth whitening procedure then that’s a different matter. However, even then, as an existing customer you are permitted to continue marketing products that could be deemed in their interest. As long as there is a clear way to opt out, you can still market to existing customers with similar products and services to those which they have already purchased.
The one who did what was necessary
If you fall into this category then hats off. Much of the guidance was confusing, a bit intimidating and very open-ended in some areas, which makes it difficult to be sure you’re doing the right thing. Even specialist marketing professionals struggled with the guidance, and even now the lines around legitimate interest are blurry and left for the business to decide what that means for them.
Businesses vs consumers
Did you know that the current GDPR regulations only apply to consumers, sole traders and certain types of partnerships? So, if you are a business that sells to other businesses, you need to check what the business type of your customers is, as limited companies and local authorities aren’t bound by the same rules. An opt-out for marketing is still permissible for those; however, to be safe it’s best to err on the side of caution – who knows when the regulations may change, and then you would have to review your policies and processes all over again.
So what should you have done?
Well, as we know, each and every business is unique in how it needs to work with customer data, but as a general rule of thumb, if you cover off these points you should be well on your way to being compliant:
Have a privacy policy available which states clearly which elements of personal data you hold, how you store the data, how long you keep it (and why), the ability and process for customers to request access to their data, plus their right to be erased
Install security software across all parts of your company IT network to encrypt data and protect against hackers and viruses – check out our Maas360 products for an easy, cost-effective way to cover this on your mobile devices
If you use a data backup system (which we recommend you do), make sure that it is protected to the same degree as your primary IT infrastructure
Make sure you place a cookie notification on your website
If you are sending marketing messages to customers, then you need to have a record of them opting in to specific channels of communication (this didn’t have to be re-requested if you already had it from the original sign-up). You must have separate, express permission to send marketing messages by email and by SMS
You also need to capture additional consent if you intend to share your customers’ personal data with any third parties, and you need to know what those third parties’ data policies are
Legitimate interest is a term used to describe the type of products and services you are marketing to customers. It’s perfectly OK to talk to existing customers about new products and services that are likely to be of interest, related to what they already buy from you, providing there is a clear way to opt out
What NOT to do
Don’t purchase lists of data from companies who can’t guarantee marketing opt-in permissions
Don’t automatically add customers to your mailing lists without their express permission
Don’t share your customer data with third parties without express permission
Having a box already ticked as part of a customer enquiry or online account set-up form to opt customers into marketing is NOT acceptable – these must be proactively selected by the customer to be compliant
We hope this has provided a bit of clarity around the subject for you. Even though the GDPR deadline has passed, it’s not too late to get it right. GDPR compliance should now become a fixed element of your business process reviews; it’s not a one-off job that can be put to bed until the next change in legislation. Businesses change, systems evolve, and it’s your responsibility to ensure you stay compliant.