Unless you have a very well-pruned inbox, you’ve probably already received a lot of emails asking you to resubscribe to mailing lists, or confirm that you want to keep in touch. Some may even have explained why. It’s due to GDPR, the EU legislation that comes into full force on 25th May 2018.
But what is GDPR, and what do you need to do about it?
General Data Protection Regulation
Where consent is the lawful basis you rely on, GDPR requires it to be freely given, specific, informed and unambiguous: a clear affirmative action, not silence or a pre-ticked box (Article 4(11) and Recital 32). Consent is only one of the six lawful bases in Article 6, but for marketing emails it is usually the one you will be relying on. GDPR also means companies must be transparent about how they plan to store and use that data. In the simplest terms, instead of asking someone to opt out of automatically being on a list, you’re now asking them if they choose to opt in.
Fundamentally, it’s a shift of focus – from the rights of businesses to acquire and use personal data, to the rights of individuals to grant permission for theirs to be used.
As a consumer, this is good news: no more ready-ticked boxes you didn’t notice when you submitted that form; no more unsolicited contact from companies you’re sure you’ve never subscribed to.
Despite the challenges, it’s also good news for businesses. An effective email marketing campaign is one which is sent to the right people: the ones who actually want to hear your message. A valuable customer database is one of genuine current or potential customers. It’s an opportunity for you to clear up existing databases, and ensure you’ve got your contact lists as clean and high-quality as possible.
It’s also timely. The recent Cambridge Analytica and Facebook data scandal has generated a new awareness and anxiety amongst the general public regarding the security of personal data. What better time to reassure your customers that you’re looking after theirs with due care?
How will it work?
To some extent, no one knows for certain. The GDPR was approved in April 2016 and, as an EU Regulation, applies directly in the UK from 25th May 2018 without needing national legislation. The UK-specific details, such as the derogations the Regulation leaves to member states, are in the new Data Protection Bill that is still going through Parliament. Until it is in force, and until regulators and courts have interpreted the grey areas, no one knows the correct interpretation of some of the requirements coming from the GDPR.
Regardless of the grey areas, it’s vital that every organisation processing personal data demonstrates clear efforts to comply in time for the 25th May deadline. It’s not worth the risk to your reputation to hope you can get away with collecting and storing data the way you have in the past.
Can I ignore it?
Absolutely not. If you haven’t ensured the data you already hold is being handled correctly and with the right permissions, you’re no longer allowed to use it.
That means if you’ve dedicated time to building a customer or client database of valued contacts, you’re about to lose every contact you cannot show a lawful basis for – or risk a fine of up to 4% of global annual turnover or €20 million, whichever is greater (Article 83).
OK, I get it. What do I do now?
Hopefully, you and your workplace have already taken action. Many businesses have dedicated the past six months to a year to ensuring compliance, and upgrading systems as needed.
If you’re a public authority or body, you must appoint a Data Protection Officer (Article 37), and most larger corporations will already have one. Size on its own is not the test, though: under GDPR a company of any size, including a small business (ie under 250 employees), must also appoint a DPO if its core activities involve regular and systematic monitoring of individuals on a ‘large scale’, or large-scale processing of special categories of data (such as race or ethnic origin) or of data regarding criminal convictions and offences. The DPO advises on and monitors compliance not only with GDPR but with the UK’s new Data Protection Act. Notifying the ICO of a personal data breach within 72 hours of becoming aware of it (Article 33) is the organisation’s obligation as data controller rather than the DPO’s personally, but the DPO is the natural point of contact for the regulator and for coordinating that response – so it’s an essential and highly skilled role.
If your business fits into those categories, check in with your DPO immediately to find out if you need to take action.
It’s not too late – yet. There’s still time to launch a simple re-engagement campaign, but remember that the re-engagement email is itself a marketing message: under the UK’s PECR rules you may only send it to people you already have permission to email, and the ICO has fined companies for emailing old lists to ask for the consent they never had. Make sure you’re fulfilling the requirements of GDPR when you do so. Don’t offer any incentives or rewards to encourage people to click, because consent must be freely given. If you offer a range of services, segment these and allow people to opt in only to those they prefer. Include links to your privacy policies, to ensure transparency, and keep a record of who consented, to what, and when, because you will have to be able to demonstrate it (Article 7).
Do small businesses have to comply?
Yes. GDPR applies to every organisation that processes personal data, whatever its size. The only size-based concession is in Article 30(5): businesses with fewer than 250 employees are exempt from keeping a formal record of processing activities, unless the processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data or criminal conviction data. Most businesses that maintain a customer database are processing it regularly and so fall outside that exemption anyway, and leaning on it would not be in the spirit of GDPR. As consumers become more aware of their data rights, they’re less likely to look favourably on any business that doesn’t seem to take the issue seriously.
Even where it seems less urgent, it’s still best practice to keep personal data securely and with all appropriate permissions.
What about Brexit?
It makes no difference. The GDPR applies to the personal data of anyone in the EU, whatever their nationality, and to any organisation outside the EU that offers goods or services to those people or monitors their behaviour (Article 3), so if you trade internationally you’ll need to be compliant.
In any case, the UK government has committed to keeping UK data protection law in line with the EU’s after Brexit, and the Data Protection Bill is written to carry the GDPR’s requirements into UK law.
The short version
GDPR is nearly here, and there’s no hiding from it. View it as an opportunity, and make the most of your chance to use data better – before it’s too late.