GDPR And What Not To Do
Every organisation is affected by Europe’s new General Data Protection Regulation or GDPR as it’s known. I’m sure you’ve heard plenty about it.
GDPR represents one of the biggest shake-ups in privacy and data protection law since the internet. The recent Cambridge Analytica and Facebook incident involving misuse of hundreds of Facebook profiles has only added to the significance of GDPR.
GDPR is a complex piece of legislation which applies to every business whatever its size. If you have names, phone numbers, email addresses of customers, prospects, employees or suppliers, then GDPR affects you.
GDPR looks set to become one of the most substantial pieces of legislation that businesses of every size will have to tackle. Companies that had previously regarded non-compliance with data protection laws as low risk are beginning to re-evaluate their positions in the light of the substantial new fines, increased enforcement powers and grounds for judicial remedies that exist under the GDPR.
Chaos And Myths
So, there is chaos currently, as myths have come about to the effect that after 25 May you cannot communicate any more with customers, or leads, who came on board before 25 May. Some businesses sending out these emails have no clear idea why they are sending them. It’s sometimes a knee-jerk reaction, and therefore ill thought through. They risk having to stop communicating with many of their existing lists and past subscribers.
You don’t have to do that. However, there are certain processes you do need to put in place and decisions you need to make as a business owner to allow you to continue communicating with your subscribers.
GDPR isn’t the simplest of laws. There are numerous regulations that come under the GDPR umbrella. There are grey areas, and until there is a body of case law it’s not completely clear how certain aspects of the law will be interpreted. The key point is that you don’t have to send one of these emails telling your customers that you won’t be communicating with them anymore. There are strategies you can adopt to avoid being one of those businesses sending out the emails that are clogging up people’s inboxes.
Opt In Forms?
And if you capture data on a website by offering useful information, or by letting site visitors request a call back or information, GDPR covers this too, and there are a series of steps you need to take as a business to know how to carry on doing that. There are some myths that have built up around this too. You don’t necessarily need to add tick boxes. You can comply without one, and if you do add one you need to make sure you understand why you’re adding it. Otherwise, you could still end up non-compliant despite paying web developers to add them. Depending on the form and what you want to achieve, you may be able to avoid adding a tick box by changing the terms of your offers. I talk about that later in this series of 4 training blogs.
Compliance with GDPR involves a number of steps, including putting in place documents to be able to show your compliance should the Information Commissioner’s Office (ICO) need to investigate you for any reason. These are the key points to be aware of.
This mini training tells you what you need to know to work towards GDPR compliance. Whether you do this in time to meet the deadline of 25 May 2018, or come to it later after the deadline has passed, as many will, it’s important to realise that compliance with GDPR is not optional, just as operating PAYE, or other legal obligations are not optional. Nor is it something you do once and then forget about.
The Right Steps To Comply
Better to take some steps, albeit imperfect ones, than to take none at all towards compliance. But make sure they’re the right steps. Avoid taking quick decisions to send ill-considered emails asking for consent or to add tick boxes to your web forms. First make sure you have adequate information and legal guidance to properly assess the situation you face. Then decide what steps to take to address the different categories of data you currently hold. The aim is to preserve your ability to communicate with your people.
And nothing in the regulations requires you to delete data in a hurry. If you conclude that you cannot market to a list of people, you do not need to remove them from your system before 25 May.
Future Proofing
In terms of how to deal with collection of email addresses in future, make sure you are clear about what you want to achieve. Then properly understand what you need to do to be compliant. For example, what will you do when you go out networking and collect business cards? What changes will you make to existing forms on your website? It will vary depending on the form in question. What changes do you need to introduce? Then proceed to organise changes once you have an overall plan. Don’t do things in a piecemeal fashion.
I will say this. You may not need to engage your web developers to add opt-in and opt-out boxes on your forms. Before you proceed with development work, take stock, set an appropriate strategy and document your decision. In the Marketing element of this training I’ve got some ideas for you on how you might address this, but first it’s important to understand what these GDPR laws are aiming to achieve, as you’ll then be better placed to implement your compliance plan.
The next blog in this series is Why GDPR?