Why You Need to be Aware of GDPR8 March 2018
Hopefully by now you’re at least somewhat aware of GDPR. The General Data Protection Regulation comes into force on 25th May 2018, but according to a YouGov GDPR Survey, 62% of UK businesses don’t understand what it means, and 72% of Brits haven’t even heard of it! In a nutshell, the everyday consumer will have a lot more control over their personal data. Businesses that collect data need be up to speed and compliant with the new regulations by 25th May 2018 or face some pretty steep fines of up to €20 million. Ouch!
On the bright side, most businesses can easily adapt to the new regulations by applying a little thought into how they use and store their customer data.
Consent & Legitimate Interest
Under the new regulations collection and use of data is only considered legal if it falls under one of the lawful bases for processing. You need to identify which one of these you will be working under before you collect any data. The consent you require differs between B2B customers and individual consumer customers. It also differs when it comes to how you will use the data. Consent is a major element of GDPR, as it puts the consumer in control of their own data.
Legitimate Interest is another lawful basis for collecting and storing data, so you can store data if you can argue that it is beneficial to both you and the data subjects. Legitimate interest can include the storage of data of your customers with whom you already have a relevant relationship, or for direct mail purposes where you might be sending out an offer to prospective customers, and to store data of opted out customers so that they don’t receive direct mail by mistake.
It’s all about making sure individuals have a choice and control over their data. It must be a genuine choice, specific and clearly laid out, and there absolutely must be a way for consent to be withdrawn. No more pre-ticked boxes, or “tick this box to NOT receive emails from us”. Most people don’t read terms and conditions, so to address this issue consent options should be provided away from main terms and conditions to avoid confusion.
You must also be able to prove that an individual has provided consent, how you received that consent and through what medium.
It seems like a lot of changes to data protection regulations and it might seem a little overwhelming but all you need to do is make sure you are giving your customers a genuine choice over whether to share their data with you. You can do this by taking away the pre ticked boxes, review the language you use to make it as simple as possible, explain exactly how their data will be used, make it easy for customers to withdraw their data if they wish to, keep any consent boxes away from other terms and conditions, and keep good records of how and when you gain consent from individuals.
Objection, Erasure and Rectification
If a customer contacts you to say they no longer wish to share their data with you, you need to respect this choice. Unless you are processing the data for legal reasons or you can demonstrate other reasons for legitimate interest, there are no grounds on which you can refuse. You should make it very clear to the customer at the first point of communication that they have this right, and if they do indeed wish to be removed from your list, you cannot charge them for the privilege.
It follows that if a customer no longer wishes to share their data with you, they will probably want you to delete it. This is the right to erasure and refers to “the deletion or removal of personal data where there is no compelling reason for its continued processing”.
Customers also have the right to rectification. They might not want you to delete their data, but they might instead just want it to be correct. Make sure your database is kept in a tidy and orderly manner, so that it is easy to find and correct an individual’s data should a request be made.
GDPR requires businesses to keep records of their data processing activities. If you employ more than 250 people, you must maintain records of all your data processing activities, if you employ fewer than 250 people you must keep records only of high risk data processing. This includes special categories such as genetic data or criminal records, or data that could put the rights and freedoms of an individual at risk, such as recording someone’s ethnicity, putting them at risk of unlawful discrimination.
Documentation requirements include how you keep the data you store safe, your security measures, and who has access to it.
Marketing online might become a little trickier when GDPR comes into effect, leaving some businesses wondering how to effectively and lawfully communicate with potential customers. There are many opportunities available through various direct mail channels. Although you must still provide an opt-out on all direct mail pieces from 25th May 2018, you can quickly and easily run your data against the Mailing Preference Service to ensure people who don’t wish to receive unsolicited mail aren’t on your list. Royal Mail door drops are anonymous, and are not affected by the new regulations, so you can let them target by household type, age, affluence, or postcode, to name just a few options, with no worries about GDPR whatsoever.
Infiniti can offer a wide range of direct mail options to keep you in touch with existing customers and reach out to new ones. Call us today on 0800 915 5417 to find out more.
This is a very quick guide to GDPR, we highly advise all readers to undertake their own review GDPR, for more information visit the Information Commissioners Office website.