What’s the fuss all about?
If your business uses email marketing, sends direct mail or makes sales calls, the law is changing what you can and can’t do. Some things you might do today will no longer be allowed. From 25th May 2018, the General Data Protection Regulation – or GDPR – comes into force. You’ll hear about this a lot, because it’s kind of a big deal. It’s tempting to think “I’ll deal with it in May”. But there are some easy things you should do right now, which mean you won’t run into trouble later. The new GDPR law is complex and extensive. It goes well beyond what we can fit in this guide. However, we’ve put together some practical advice to help you start to comply.
What data are you collecting?
You might be thinking, “nah mate, I’m not collecting any data”. If you use any tracking tools on your website, like Google Analytics, then yes. Yes, you are. People have the right to know what personal information you’re storing about them. And what you might do with that data. The law applies to data which could be traced back to an individual. That even includes things like their computer’s IP address. If your site doesn’t have a Privacy Policy, it needs one to comply. It needs to tell people what you’re going to do. We can provide a template. Edit it for your business and remove the bits that don’t apply. Ask us to add a Privacy Policy page, starting at £49.
You need to explicitly ask permission to send someone email marketing. They must opt in. It’s not ok to assume you have permission. It’s not ok to hide it in your privacy policy. And it’s not ok to pre-tick a box which people have to untick. Those things might have been allowed in the past, but not any more. Start getting consent now. Don’t wait for the deadline. On your website contact forms, registration forms or checkout pages, we can add tick boxes if you don’t have them. Or if you have pre-ticked boxes, we can re-programme the default setting so they start unticked. If we’ve designed your site already, ask for our Opt-in tune-up service, which starts at £99. If we haven’t, let’s talk about getting your site compliant. Contact us now to discuss what your website needs to do.
When did they say it was ok?
So we know we have to ask people to opt in. Is that enough? No. There’s more. If you want to use someone’s personal data (e.g. their email address), they must give you ‘explicit consent’ to do so. This means no pre-ticked opt-in boxes by default. The individual must always have chosen to tick the box themselves. You need to record when they gave you permission. And you need to log exactly what they were shown when they opted in. If you get an email notification when someone registers or checks out, that may be enough to comply, provided you store the email securely and it clearly shows what the tick box said. If you’d like to manage consent better, ask us about adding a customer database to your website.
What about existing customers?
Now here’s the thing. GDPR says, if there’s another law that conflicts with it, you should pay attention to that law instead. When it comes to email and telephone marketing, PECR legislation takes priority. The good news is, PECR allows a thing called ‘soft opt-in’. PECR says, if you got someone’s email address when they bought something, or negotiated to buy from you, then it’s ok to send marketing about the same kind of thing they were interested in. Nice. The bad news is, PECR is being replaced. New stricter ePrivacy law is being debated in parliament. Nobody knows whether soft opt-in will be allowed. So it makes sense to get explicit opt-in when you can.
Opting out
People have the right to tell you to stop marketing to them. And you must make it easy for them to opt out of receiving future marketing. From today, make sure marketing emails tell people how to unsubscribe. That could be saying ‘reply with “unsubscribe” in the subject’. Or make it smarter, with a link to click. On printed mailers, tell people what to do to stop receiving them. Perhaps a number to call, an address to email or a link to visit. Don’t wait until May to do this – make sure your mailers comply when you next reorder. The second – and most important – part is keeping a ‘do not contact’ list. Once someone has opted out, it’s critical you stop sending them anything, or face stiff fines from the regulator. Ask about us building an Opt-out landing page for you – these start from £199.
What do I need to do now?
1) Ensure you get a positive opt-in for email marketing. Customers must actively opt in before you send them email marketing. You must add a checkbox to any contact form or registration page on your website, and you must record when and what the customer agreed to. You should audit your existing website, identify any opt-in forms that do not comply and update them. If we built your existing website and you need help with this, contact us.
2) Check your website has a privacy policy. You need to ensure you have a process for providing GDPR rights and that this is clearly explained in a privacy policy. You also need a way for people to amend the information you store about them (such as access to an account profile on membership or ecommerce sites). Customers can also request erasure of their data (meaning you delete their customer account on the website, along with any contact form submissions or comments).
3) Make sure your website is secure. To avoid a data breach that you would then have to notify, your website needs an SSL certificate. You know the little padlock symbol you see in your browser bar? That shows whether the connection to a website is secure. It technically means the website has an SSL certificate and is served over HTTPS. (If you’re wondering, SSL stands for Secure Sockets Layer. Bet you’re glad you asked.) If you’re storing any personal data on your website, you absolutely must have an SSL certificate. This encrypts the data while it travels between the visitor’s browser and your server, so it can’t be read on the way. In October 2017, Google implemented the second part of its plan to label any sites without an SSL certificate as non-secure. So even if your site only has a contact form, unless it has an SSL certificate, your visitors might get a nasty warning. That will probably freak some people out, so it’s best to take action today. We can add an SSL certificate from as little as £25 per quarter if we host your site, or £49 per quarter if we don’t.
4) Be aware of your duty to notify the relevant supervisory authority of a data breach.
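To show what “record when and what the customer agreed to” (step 1, and the section on explicit consent above) and “keep a ‘do not contact’ list” (Opting out) look like in practice, here is an added example of a small consent ledger. It is illustrative code written for this guide, not part of any client site; the form names, addresses and wording are constructed, and it assumes an append-only log where the latest event for an address decides whether marketing may be sent.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    email: str      # normalised address the event applies to
    opted_in: bool  # True = explicit opt-in, False = opt-out
    when: str       # ISO 8601 UTC timestamp of when the person acted
    wording: str    # exact tick-box text shown (or the opt-out channel used)
    source: str     # hypothetical form/page identifier, e.g. "checkout"


def _norm(email: str) -> str:
    # Same person, same record: case and surrounding spaces must not split them.
    return email.strip().lower()


class ConsentLedger:
    """Append-only log of opt-in/opt-out events; the latest event per address wins."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []  # never edited or deleted, only appended

    def record_opt_in(self, email: str, wording: str, source: str, ticked: bool,
                      default_ticked: bool = False, when: Optional[str] = None) -> Optional[ConsentEvent]:
        # A box that started ticked cannot prove the person chose it: refuse to log it.
        if default_ticked:
            raise ValueError("pre-ticked box: not explicit consent")
        if not ticked:
            return None  # no consent given, so nothing to record and no marketing
        when = when or datetime.now(timezone.utc).isoformat()
        ev = ConsentEvent(_norm(email), True, when, wording, source)
        self.events.append(ev)
        return ev

    def record_opt_out(self, email: str, channel: str, when: Optional[str] = None) -> ConsentEvent:
        # Any opt-out goes straight on the list, whatever the address's earlier history.
        when = when or datetime.now(timezone.utc).isoformat()
        ev = ConsentEvent(_norm(email), False, when, channel, "opt-out")
        self.events.append(ev)
        return ev

    def history(self, email: str) -> List[ConsentEvent]:
        # The audit trail the regulator may ask for: every event for this address, in order.
        return [e for e in self.events if e.email == _norm(email)]

    def may_send_marketing(self, email: str) -> bool:
        # No record at all means no consent; otherwise the most recent event decides.
        hist = self.history(email)
        return bool(hist) and hist[-1].opted_in
```

Unknown addresses and unticked boxes both come back as “do not send”, and an opt-out after an earlier opt-in overrides it.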
There’s lots to take in. We know. Take a look at this flowchart. It covers the different steps you should take now. A common misconception is that GDPR only covers consumers’ personal data, and that businesses somehow aren’t covered. Even if you sell B2B, GDPR applies to you. Even if you only email corporate addresses, the law still applies.
Want to read more?
The laws are explained in detail here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
12 steps you should take now: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf