The letters on business owners’ lips at the moment are GDPR – or the General Data Protection Regulation.
Some say it could be a huge fuss over very little; others say it will completely revolutionise the way we communicate with our customers and spell the end of marketing as we know it. In practice it is most probably somewhere in between.
Whatever impact it has, it is something that every business needs to know about and take steps to comply with. When it comes to GDPR, now is not the time to bury your head in the sand. It is the time to engage.
What exactly is GDPR?
GDPR is new European Union legislation designed to give individuals more protection, and more transparency, over how their personal data is used. It governs how businesses collect, handle, store and use information about individuals. Those individuals include your previous and current customers, as well as leads that may have come from anywhere, such as trade shows or competition entries.
And GDPR hasn’t just been announced: the final text was adopted in April 2016, and businesses have been given until May 25, 2018, to comply with the changes. Anyone failing to do so could face a fine of up to 20m Euros or four per cent of global annual turnover (whichever is higher). As you can see, the penalties are far greater than those that can currently be imposed for breaching the UK’s Data Protection Act 1998.
GDPR specifically concerns how businesses use ‘Personal Data’, and its definition goes well beyond what we currently consider to be covered under existing law. Personal Data includes the obvious things such as name and contact details, but now also extends to any identification number or online identifier. If we focus on online identifiers, IP addresses, cookies, device IDs and even the data search engines collect about their users fall within the scope of GDPR. So pretty much everything, then.
As this is EU legislation you may be thinking that it’s a moot point because of Brexit. However, GDPR comes into effect in May 2018, before the UK leaves the EU, and the UK government has confirmed that it will keep GDPR in force after Brexit, so you still need to act. In addition, broadly speaking, if you deal with customers in the EU you’ll need to be GDPR compliant regardless of where your business is based.
Steps to compliance
So now you know that everything you hold that identifies your customers comes under GDPR’s beady eye, here are just some of the steps you’ll need to take to comply:
- Record what personal data you hold, where you got it, how long you plan to keep it, and, if you intend to use that data for marketing, what consents you obtained at the time of collection.
- The importance of consent can’t be overstated. You need to be able to prove that the individual gave you express, informed and freely given permission to use their data in the way that you are using it. That consent must be actively given for each purpose you intend to use their data for, so ticking a box next to a very clearly worded statement will become the norm; a pre-ticked box buried in a load of jargon will not be acceptable, nor will making consent a condition of receiving a service.
- You can no longer charge for dealing with requests from individuals for a copy of their personal data, and the time frame to respond is a lot shorter. You now have only a month from the date you receive the request (whereas before you had 40 days from when you received payment for the request), although this can be extended for particularly complex requests provided you tell the individual why. You need to make sure that you are able to turn requests around within this time frame.
Obviously there’s a lot more to GDPR than this, and we recommend that you read up on the subject and take action sooner rather than later (a good way of getting engagement on GDPR is to mention the possible level of fines!). But taking these steps will at least start you on the road to compliance.
If you have any queries about GDPR our experienced marketing consultants will be able to advise, so do get in touch.