You have probably heard of the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018, but you may still be unsure of the specific details and what exactly it means for your business. Our priority is to make sure that we offer our clients relevant advice and information on GDPR, what changes, and what you can do to prepare.
GDPR is a stronger, stricter privacy law that replaces the existing Data Protection Act 1998 in the UK. It gives individuals more control over, and clearer rights concerning, the personal data a business holds about them: the right to know what is held and why, to have it corrected, to object to certain uses such as direct marketing, and to ask for it to be deleted. Where a business relies on consent to store and use personal data for marketing, that consent must be freely given and specific, and withdrawing it must be as straightforward as giving it, at any time.
GDPR applies to any business that holds or processes the personal data of individuals in the EU, regardless of where the business itself is based. Note that it is the data subject's location that matters, not their citizenship: a non-EU company offering goods or services to people in the EU, or monitoring their behaviour, is in scope.
Below we have put together an overview of some of the software and platforms that may be relevant to your business and their advice with regard to the new GDPR laws.
Email & MailChimp
MailChimp has already made a number of changes to bring its platform in line with GDPR, and is reviewing and updating its systems so that both MailChimp itself and its customers can lawfully collect, store and process the personal data of people in the EU. In practical terms this covers MailChimp's obligations as your data processor; your obligations as the data controller for your own lists remain yours.
MailChimp has put together their own GDPR Guide for their customers which goes into further detail as to what GDPR is, what MailChimp is doing, and what you can do.
With regard to email marketing generally, GDPR is strongly consent focused. Where consent is your lawful basis, you may no longer email an individual who has not given a clear, affirmative 'yes' to being contacted about your products and services. That means the individual must actively tick the subscribe box themselves: pre-ticked boxes, silence or inactivity do not count as consent. You must also be able to demonstrate that consent, so keep verifiable records of what the individual agreed to, how they agreed, where and when. One caveat a practitioner should bear in mind: consent is only one of the lawful bases under GDPR, but it is the one most email marketing relies on, and any existing consents that do not meet the new standard will need to be obtained again before 25th May 2018.
Action:
1. Read the MailChimp GDPR Guide
2. Make sure that your website has no pre-ticked checkboxes and that every request for a consumer's personal data lets them make an affirmative, individual decision to opt in, with the consent wording stated clearly beside the box.
Google AdWords
Google states that it is reviewing and updating its own procedures to comply with GDPR, and that in time for the GDPR deadline it will release information and tooling for the new consent requirements that apply to publishers using its advertising products. More information can be found here: https://privacy.google.com/businesses/compliance/#?modal_active=none
Action:
1. Read the information provided by Google.
2. Double check that your website, and your policies for cookies and advertising tags, comply with GDPR.
Social Media
For the personal data they collect from their own users, social media platforms such as Twitter, LinkedIn, Facebook and Instagram act as the data controller, so it is their responsibility to make sure that they are GDPR compliant. In an official statement, Facebook says it is working to ensure its services meet GDPR's requirements, with three main focus areas: control, accountability and transparency.
For a business's ordinary use of social media, day-to-day activity will work much as it does now. The position changes as soon as the business supplies its own data to the platform, for example by uploading a mailing list to build a custom audience for an Ad campaign. For that data the business is the data controller and the platform acts as its data processor, and, as Facebook's statement makes clear, it is the business's sole responsibility to ensure it has a lawful basis (such as valid consent) for the data it provides. Facebook has published an official statement setting this out.
Action:
1. Make sure that any personal data you pass to a social media platform, such as mailing lists used for custom audiences, was collected in a GDPR-compliant way and that you can show a lawful basis for sharing it.
CRM Systems & Customer Databases
As with the information above, it is vital to remember that any consent obtained once GDPR takes effect must be verifiable. This applies equally to consent given over the phone: record when it was given, what the person was told, and what they agreed to. Consumers must also be told clearly whether their information will be passed to third parties, and if so, those third parties must be named.
From a business perspective, anyone within the company who uses a CRM system or customer database of any kind must be appropriately trained so that the data is handled in a GDPR-compliant way: what may be recorded, who it may be shared with, and how requests for access or deletion are dealt with.
If you use your CRM for email marketing, a double opt-in is recommended: the individual ticks the box to consent, and then confirms by clicking a link sent to the address they gave. This both confirms the consent and validates that the email address is really theirs, so that nobody can sign up a third party's address.
Action:
1. Make sure that all staff who use your customer database are aware of, and trained in, the new GDPR rules and what they mean for how the system is used.
2. Make sure that every email address and item of personal information you hold under consent is verifiable, and that a record of that consent (what was agreed, how, where and when) can be produced on request.
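The double opt-in and the "verifiable record of consent" requirement described in this section and in the email section above are straightforward to implement. The following is an added example written for this page, not MailChimp's, Facebook's or any CRM vendor's code; the class and field names, the secret key, the 48-hour link lifetime and the sample addresses are all assumptions made for illustration. It signs the confirmation link with an HMAC so that a forged or tampered link cannot mark an address as confirmed, refuses any request where the box was not ticked by the user, records what was agreed and when, and makes withdrawal a single step.

```python
"""Double opt-in consent ledger: an added illustration, not vendor code."""
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Optional

# Hypothetical values for this example only; load a real key from a secret store.
SECRET_KEY = b"example-only-rotate-me"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed: confirmation links expire after two days


@dataclass
class ConsentRecord:
    """What you must be able to show later: who agreed to what, where and when."""
    email: str
    consent_text: str       # the exact wording shown beside the checkbox
    consent_version: str    # proves which wording applied at the time
    source: str             # page or form the request came from
    requested_at: int
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None

    def is_active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentLedger:
    def __init__(self, key: bytes, now: Callable[[], float] = time.time):
        self._key = key
        self._now = now          # injectable clock so expiry can be demonstrated
        self._records: Dict[str, ConsentRecord] = {}

    def _sign(self, email: str, issued_at: int) -> str:
        msg = f"{email}|{issued_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request_consent(self, email: str, consent_text: str, version: str,
                        source: str, box_ticked_by_user: bool) -> str:
        """Store an unconfirmed request and return the token for the confirmation link.

        The form must default the box to unticked; only the user's click may set
        box_ticked_by_user. A pre-ticked box or an untouched form is refused here.
        """
        if not box_ticked_by_user:
            raise ValueError("consent requires an affirmative act by the user")
        email = email.strip().lower()
        issued = int(self._now())
        self._records[email] = ConsentRecord(email, consent_text, version, source, issued)
        blob = base64.urlsafe_b64encode(email.encode()).decode()
        return f"{blob}.{issued}.{self._sign(email, issued)}"

    def confirm(self, token: str) -> bool:
        """Verify the signed token from the link; on success record confirmed_at."""
        try:
            blob, issued_s, sig = token.split(".")
            email = base64.urlsafe_b64decode(blob).decode()
            issued = int(issued_s)
        except (ValueError, UnicodeDecodeError):
            return False
        if not hmac.compare_digest(sig, self._sign(email, issued)):
            return False                      # forged or tampered link
        if self._now() - issued > TOKEN_TTL_SECONDS:
            return False                      # stale link: ask them to sign up again
        rec = self._records.get(email)
        if rec is None or rec.requested_at != issued:
            return False                      # token is not for the latest request
        rec.confirmed_at = int(self._now())
        return True

    def withdraw(self, email: str) -> bool:
        """One-step withdrawal (e.g. an unsubscribe link): as easy as opting in."""
        rec = self._records.get(email.strip().lower())
        if rec is None:
            return False
        rec.withdrawn_at = int(self._now())
        return True

    def may_email(self, email: str) -> bool:
        rec = self._records.get(email.strip().lower())
        return rec is not None and rec.is_active()

    def evidence(self, email: str) -> Optional[dict]:
        """The record you would produce if asked to demonstrate consent."""
        rec = self._records.get(email.strip().lower())
        return asdict(rec) if rec else None


def demo() -> dict:
    """Walk the flow with a fake clock; the addresses and wording are constructed."""
    clock = [1_700_000_000]
    ledger = ConsentLedger(SECRET_KEY, now=lambda: clock[0])
    wording = "Email me news and offers from Example Ltd"
    token = ledger.request_consent("Alice@Example.com", wording, "v2",
                                   "https://example.com/newsletter", box_ticked_by_user=True)
    results = {"before_confirm": ledger.may_email("alice@example.com")}
    results["tampered"] = ledger.confirm(token[:-1] + ("0" if token[-1] != "0" else "1"))
    results["confirmed"] = ledger.confirm(token)
    results["after_confirm"] = ledger.may_email("alice@example.com")
    ledger.withdraw("alice@example.com")
    results["after_withdraw"] = ledger.may_email("alice@example.com")
    try:  # a pre-ticked box arrives as "not ticked by the user" and is refused
        ledger.request_consent("carol@example.com", wording, "v2", "/signup", False)
        results["prechecked_rejected"] = False
    except ValueError:
        results["prechecked_rejected"] = True
    token2 = ledger.request_consent("bob@example.com", wording, "v2", "/signup", True)
    clock[0] += 3 * 24 * 3600                 # link clicked three days later
    results["expired"] = ledger.confirm(token2)
    return results
```

The token carries no secret, only a signature over the address and issue time, so it can be emailed safely; what matters is that nothing but a valid click on a link sent to that address can move a record to confirmed. Keep the ledger (or its equivalent in your CRM) as the thing you produce when asked to demonstrate consent, and treat `withdraw` as the backend of every unsubscribe link.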
Websites & Cookies
Alongside all of the information above, the Terms & Conditions and Privacy Notice on your website will need updating to meet GDPR's transparency requirements. The notice must state clearly what personal data you collect and how, why you collect it and the lawful basis you rely on, who it is shared with, how long it will be kept (on both your website and your customer databases), what you will do with it once consent is given, and how individuals can exercise their rights, including withdrawing consent.
For e-commerce websites, where order and payment details are passed to a payment gateway, you must also state what, if anything, you retain yourself after the hand-off, and for how long.
The Information Commissioner has provided an example notice that can be used.
With regard to cookies, the same standard of consent applies as for tick boxes. Your cookie information must be clear, the consumer must make an active, individual choice with no pre-ticked boxes or implied consent from merely continuing to browse, and they must be able to withdraw consent as quickly and easily as they gave it. Cookies that are strictly necessary for the service the user has asked for (for example a session cookie that keeps a shopping basket) do not require consent, but they should still be listed in your policy.
Action:
1. Make sure that your privacy notice and terms and conditions are updated in line with the advice above.
2. Personal data may only be kept for as long as it is needed for the purpose it was collected for, so define an appropriate, justified retention period for each type of data and delete or anonymise it when that period ends.
3. Make sure your cookie policy is clear and informative, and that consumers can decide for themselves whether to opt in to non-essential cookies.