“Privacy means people know what they’re signing up for, in plain language… Some people want to share more than other people do.” – Steve Jobs, Entrepreneur
The General Data Protection Regulation came into effect on 25 May 2018. It updates and strengthens the previous data protection rules.
It’s largely focused on personal data, such as names, addresses and other information held about individuals. Unlike the previous data protection rules, it applies to records held on paper as well as those held digitally.
If your organisation holds detailed sensitive information about people, or information on children or young people, get expert advice on how the rules apply to you.
GDPR strengthens the individual’s ‘right to be forgotten’. People can ask to be deleted from your records and expect that deletion to be carried out.
Organisations that break the rules face the threat of massive fines, up to the higher of €20 million or 4% of global sales.
GDPR and Digital Marketing
Many businesses are concerned that GDPR makes marketing more difficult, particularly marketing via email. They’re concerned that if they can’t prove that someone asked to be included on the list, they may be in breach of the rules.
However, you can email people working for limited companies, limited partnerships and government institutions, as long as you give them a route to opt out.
You do need to get permission to email private individuals, sole traders and those working in unincorporated businesses.
Getting permission means being clear about what you’ll do with any information they supply and having them make a clear choice to ‘opt-in’.
To remain GDPR compliant, it’s good practice to regularly clean up your marketing records, and to have a single secure database, rather than multiple files. Redundant contact information should be deleted, not stored indefinitely.
GDPR and Business Data
Even the smallest business accumulates a mass of data over time, and it’s often stored inconsistently and insecurely. Where that data contains information about individuals, it probably falls under the scope of GDPR.
To achieve and remain GDPR compliant, you should regularly conduct an audit of all the data in your organisation. This includes everything from your HR system to a spreadsheet of contacts that a member of your sales team maintains on their laptop.
Consider creating a map of how personal data flows through your business, from the point of capture (such as signing up to an emailing list) through all its potential uses, to its eventual deletion.
If you don’t already have them, you probably need policies around issues such as:
- Preserving privacy.
- Handling requests to review the information you hold.
- Dealing with ‘right to be forgotten’ requests.
- Accountability for the processing of personal information.
Don’t hold more information on someone than you need to. Minimisation is a key principle of GDPR.
Take steps to create a culture of privacy that respects the rights of customers and contacts, balancing the needs of your business with the obligations of GDPR.
GDPR and Data Security
Any data you hold on individuals should be secured to prevent unauthorised access, and you should consider regular audits of your security.
All businesses should also have procedures for handling a data breach. It’s possible to predict, based on the nature of data you hold, the form of information that could be lost in a data breach. This allows you to have contingency plans for notifying the relevant authority and, if appropriate, contacting those whose data may have been taken.
It’s safe to assume that rules around data privacy and security will continue to tighten, and the penalties for non-compliance will get tougher. Businesses that want to thrive in the age of data privacy have adapted how they operate and are looking to take advantage of having better quality data available to them.
Staying compliant with current marketing legislation can seem challenging; however, it is essential that you do! By keeping ourselves up to date on the latest guidance, we are able to provide you with clear advice and a process to follow as you develop your internal procedures.