How GDPR Will Affect Your Digital Marketing

Do you know how GDPR could affect your business?

As the General Data Protection Regulation (GDPR) implementation date draws ever closer, small business owners have been asking us how it will affect their digital marketing and website. By Mark Bowden of elucidate.

In this blog we offer guidance on some of these hot topics of debate.

Emails and consent

Email marketing under GDPR is a grey area, with the decision to email your list after 25th May – or not – seemingly resting on how risk-averse a business owner you are.

GDPR supersedes the Data Protection Act 1998, but differs from the existing Privacy and Electronic Communications Regulations (PECR). PECR gives people specific privacy rights in relation to electronic communications, e.g. phone calls, faxes, text messages, video messages, emails and internet messaging.

Whereas GDPR requests a proven opt-in from every data subject (living person), the ‘soft opt-in’ under PECR allows businesses to contact their existing and previous customers without major issue.

PECR specifically reads: ‘The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.

The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts (e.g. from bought-in lists). It also does not apply to non-commercial promotions (e.g. charity fundraising or political campaigning).’

Therefore, emailing your existing and previous customers on a business-to-business basis seems to be OK post-GDPR, as long as you provide a clear opt-out in your marketing and follow guidance carefully.

The confusion arises around whether emailing individuals (including sole traders and partnerships) or prospects is permissible under GDPR, as this remains unclear.

We advise on this by looking at each business and its preferred marketing activity on an individual basis, and at how this compares to the GDPR’s six lawful bases for data processing.

If in doubt, don’t send that email! It’s best to have an email list of quality over quantity and avoid being at risk of a complaint or hefty fine.

Opting in and out

What is very specific in the GDPR is that you must provide a clear way for individuals to opt-in to receive your marketing. This cannot be a pre-ticked box, hidden in terms and conditions or be a ‘precondition of service’.

You must also show a clear way for recipients of your marketing to opt-out, by providing guidance on how to unsubscribe.

You also need to name any third-party controllers you will share details with, and keep records of how and when you obtained the consent.

If you use a Customer Relationship Marketing system (CRM) such as Mailchimp, Active Campaign or Salesforce to store your database, you can create a form to add to a new ‘opt-in’ page on your website and link to it in all your digital marketing. This will enable your customers to change their own preferences.

Your website

If your website features a log-in facility or an online shop, it may be holding customer data. This could include your customers’ names, emails, delivery addresses and even payment details.

Think carefully about your website security. Is your site hosted in Europe or overseas? Can you remove or encrypt old data? How can you minimise the risk of a data breach if your website were to be hacked?

At the very least, your website should have an SSL certificate (SSL stands for Secure Sockets Layer). This changes the http:// at the beginning of your website address to https:// and gives it an additional layer of security by encrypting sensitive information and helping to protect your data from cyber criminals.

Your inbox

Unfortunately, your inbox may hold all sorts of secrets about your customers – their login details, addresses, even health information if it is relevant to your line of business. Why not use GDPR as an excuse to do some spring cleaning, removing sensitive data from old emails and deleting attachments?

It’s best to create processes where you minimise where data is held, so you can keep track of it more easily. You could save information from an email directly into your CRM for example, and remove it from the email itself.

Your social media

The good news is that social media sites such as Facebook, LinkedIn, WhatsApp and Twitter will have privacy notices built into them. You may have already seen messages asking you to review these notices and your settings. Facebook has made some very significant changes following the Cambridge Analytica incident.

However, do be mindful of sending marketing within Facebook or LinkedIn messenger, for example. Whilst this is not specifically prohibited within the GDPR, it’s not good practice. These platforms are designed to build relationships, not for spamming people you are no longer allowed to reach via an automated email.