Not half as exciting as a hero in a half-shell… but extremely important. Here’s our lowdown on everything GDPR.
What is GDPR?
Back in May 2018 the data protection rules and regulations for the UK and EU changed. Essentially the General Data Protection Regulation (GDPR) modernised the laws around the protection of personal data.
In a nutshell, it meant that any company marketing (email, post, SMS, phone calls etc.) without proven consent could be fined up to 20 million euro or four per cent of the offending business's turnover. Prior to this, the ICO could only fine up to £500,000… so just a bit of a step up.
“Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.”
So if it was a law passed in 2018, why are you talking about it now?!
Great question! A lot of smaller businesses still haven’t taken the steps to ensure they are acting compliantly with this regulation. It’s probably a combination of thinking they won’t be pulled up on it and a lack of understanding of what needs to be done. But with fines like these, do you really want to risk it…
If we’re leaving the EU, does it really matter?
Yes. The ICO (Information Commissioner’s Office) states that:
“The GDPR will be brought into UK law as the ‘UK GDPR’, but there may be further developments about how we deal with particular issues such as UK-EU transfers. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review.”
Ok, how do you prove consent?
Firstly, by making sure all sign-up forms are crystal clear on what you’ll be doing with that individual's data. For example, if it’s an email database, you’d need to state frequency, content and whether you share your database with any third parties.
Once you’ve done that, you’ll need to do the following:
#1 First and foremost, you must ensure all data is kept securely and only those who need to access the data can. As a company, it is also your responsibility to ensure your staff understand GDPR to minimise any violations.
#2 Set up your sign-up forms to have a double opt-in mechanism behind them. Most email service providers will now have this as standard practice, but some don’t. What this means is that once someone submits their data on your form, they’ll receive an email asking them to confirm they intended to sign up to your database.
#3 Once they have confirmed their intent, your CRM or database should store the date and time stamp of the sign-up.
#4 Have a clear unsubscribe link in every communication channel. This also means an inbox that is monitored, so that if for any reason the link doesn’t work, you can be contacted directly. This doesn’t need to be a personal inbox, but one that is monitored regularly.
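As an added illustration of steps #2 to #4 (example code written for this post, not taken from any particular CRM or email service provider), here is a small in-memory consent store in Python. An address only counts as opted in once the single-use confirmation token from the double opt-in email has been used and the confirmation timestamp recorded, and an unsubscribe takes it straight back off the mailing list:

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    email: str
    purpose: str                                # what the form said: frequency, content, sharing
    requested_at: datetime                      # form submitted; not yet proof of consent
    confirmed_at: Optional[datetime] = None     # double opt-in link clicked: this is the proof
    unsubscribed_at: Optional[datetime] = None  # set when the unsubscribe link is used


class ConsentStore:
    """Hypothetical in-memory store; a real CRM would persist these rows."""

    def __init__(self) -> None:
        self.records: Dict[str, ConsentRecord] = {}
        self._pending: Dict[str, str] = {}  # single-use token -> email

    def request_signup(self, email: str, purpose: str, now: Optional[datetime] = None) -> str:
        # Step 1: record the request and return a token to put in the confirmation email.
        email = email.strip().lower()
        if email not in self.records:
            self.records[email] = ConsentRecord(email, purpose, now or datetime.now(timezone.utc))
        token = secrets.token_urlsafe(32)  # unguessable, so only the inbox owner can confirm
        self._pending[token] = email
        return token

    def confirm(self, token: str, now: Optional[datetime] = None) -> bool:
        # Step 2: the link is clicked; the token is consumed so it cannot be reused.
        email = self._pending.pop(token, None)
        if email is None:
            return False
        rec = self.records[email]
        rec.confirmed_at = now or datetime.now(timezone.utc)  # the stored date/time stamp (#3)
        rec.unsubscribed_at = None                             # a fresh confirmation re-enables them
        return True

    def unsubscribe(self, email: str, now: Optional[datetime] = None) -> None:
        rec = self.records.get(email.strip().lower())
        if rec is not None:
            rec.unsubscribed_at = now or datetime.now(timezone.utc)

    def is_opted_in(self, email: str) -> bool:
        rec = self.records.get(email.strip().lower())
        return rec is not None and rec.confirmed_at is not None and rec.unsubscribed_at is None

    def mailing_list(self) -> List[str]:
        # Only confirmed, not-unsubscribed addresses ever receive marketing (#4).
        return sorted(e for e in self.records if self.is_opted_in(e))
```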
What data can I collect?
Basically, only collect what you need, and be prepared to explain why you’re using it. For example, if you’re collecting date of birth in sign-up forms, be clear as to what you’re doing with it. It might be to track a child’s development, send age-appropriate nutrition recommendations for a pet or simply to send birthday discount codes.
If you can’t explain why, then you shouldn’t be collecting it. End of story.
What do I need to do to make sure my website is compliant?
So we’ve summarised what you need to do with data collection, but what about the legal statements you need on your website?
Over the last few years, you’ll have gotten used to seeing banners across the top or bottom of all compliant websites. They’ll ask you to consent to cookies being set for your session and sometimes beyond. The cookies they cover generally fall into three categories:
- Essential cookies: these are required for the operation of the website, such as logins and sign-up forms (e.g. direct data capture)
- Analytical cookies: you guessed it, anything that allows the web team to analyse how the website is used. It helps them make improvements based on usage.
- Marketing cookies: these allow the web team to personalise content for you, remember your preferences and log things like pages you’ve previously visited.
You’ll need to outline exactly what you’re doing with the data you’re collecting, how you’re handling it, and, if you’re sharing it with any third parties, why and who they are.
Basically, you need to be absolutely transparent about what you’re doing with any data and why.
How do I make sure my database is compliant?
Stop. Storing. Data. In. Excel. There. Ok, actually there’s more to it than that. But it’s a start! And yes, we know for a fact this still happens and it shakes us to the core.
You can do it in four simple steps:
#1 Store your data in a secure, cloud-based CRM.
#2 Minimise access to only those who need to handle it. For example, finance teams will need to see customer data, but not marketing information. Sales and marketing teams will need analytical data and opt-in, but won’t need access to financial records. Simple.
#3 Don’t leave yourself logged in to databases when you’re not using them!
#4 Only send marketing collateral to opted-in subscribers.
Do I need a legal team to review my documents?
Probably. It’s not for us to say, but it’s often a good idea to have someone with a recent legal background or a data protection officer review what you’ve done and make recommendations if you’re not quite there. If you don’t have one, have a look for a legal team with GDPR compliance experience.
Any website designer/developer or marketing agency worth their salt should know how to make sure your website is compliant. If you’re working on a redesign or refresh, they should make sure that your new data collection forms, privacy and cookie policies all meet the regulations set. And if you have further questions on what you need to do, just ask them!