A simple check list if you don’t plan to appoint advisors and don’t have cash to spend on this – or are choosing not to.
The reason for the title? Well, someone actually said this to me last week! This prompted my post – a simple commercial view on what you actually need to do, without extracts from legislation or any arse covering catch-all analysis.
What we know for sure
> GDPR is generating large fees for advisors.
> Millions of people will have new protection in respect of their data – and most of them couldn’t care less.
> Businesses of all sizes are tasked with another costly administrative burden that keeps them from focusing on growth.
> We’re all under heavy email fire from companies that have emailed us for years, who are now scrabbling around to try and get us to agree to that. I’ve had 10 emails from one such company.
1. Do you need to re canvass for consent?
If you have added people to your data list willy nilly over the years, then the answer is probably yes you do – if you want to be compliant. I’ve noticed a clear trend that the companies re canvassing opt-in consent from me, are the ones that never asked me in the first place whether I wanted to receive their emails.
If you asked for their consent way-back-when you collected their data, then you’re in the clear; you don’t need to ask again.
If you believe the people in your email list would have expected to receive marketing emails from you, on the subjects you’re sending them, when they gave you their email address – taking into account all the circumstances in which they passed it over – and each time you’ve contacted them there’s been an easy way to opt out, the risk of continuing to send them marketing emails after GDPR kicks in is not high – especially if they have received regular emails from you since that time.
Why not re canvass for consent anyway? You could, but there’s a high risk that you’ll lose most of your list if you do! Not because people don’t like your emails or your company (although of course, they might not), but because reading all your emails in a timely fashion might not be that high up their agenda. And to send that email suggests that you need to. So you’d be pretty much ruled out from contacting them again if they didn’t hit that confirm button.
If you’re going to re canvass, do it before the deadline.
If you decide not to re canvass but suspect that you probably should, don’t expect data officers to turn up on your doorstep on 25 May. You would need to be investigated by the regulator either off their own back (unlikely if you are small) or following a customer complaint. Luckily most people, apart from maybe my mum, have better things to do.
2. Security sense check – common sense rules
Is your data stored securely? With web hosting, the big companies (AWS, Rackspace) will probably have sent you an email to confirm that they are compliant. If you haven’t heard, cover your back and ask them.
With your CMS or website’s database, ask your developer. They might not know if you are GDPR compliant but ask them how they ensure the security of your data. Sense check it with them. See if you can uncover any holes.
With your employee, client and other data, ensure only the people who need to have access to it do, and that those people have appropriate terms in place regarding it’s use – check your employment contracts.
3. What data are you collecting?
Again, common sense prevails. Are you collecting only the data you need to collect? If you sell paint, someone’s ethnicity is not a data field you need to collect. However, for cosmetics the opposite might be true.
It’s useful to be aware that the rules for taking care of the data you collect are more stringent when it is classed as ‘sensitive’. This would include racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or details of criminal offences.
4. How are you collecting it?
People that leave you their details must give specific consent for marketing. So that means clear opt in wording. Tell them in plain English what they will be sent (and how – if it’s not obvious) and allow them to agree to that use. It’s not ok when a customer buys something to add them to your marketing list because they have accepted your terms and there’s something written about marketing in them.
It’s no longer ok to have just one tick box when someone makes a purchase for accepting the terms of purchase and for consent to marketing. This is not considered specific consent for marketing. It has been usual up to now to combine these.
And in case you were wondering, no, it can’t be pre ticked. Nor can you incentivise people to tick it by tying it in with competitions or prize offers.
In short, no funny business. Just a clear question about whether they want to receive marketing from you, with an equally clear way for them to answer. You might need to evidence this, so keep a record.
Look online. I’ve started to see some good sector specific GDPR compliant privacy policies knocking around.
What’s going to happen if you do nothing
Most likely, nothing. I understand that the team at the Office of the Information Commissioner is just 10 people, so the enforcement reach is limited and smaller businesses are unlikely to be the priority. However consumer groups and champions will probably be on the case and I have no doubt examples will be made of certain b2c businesses – I suspect large retailers will be in the frame.
And if you just do one thing?
I’ll re-paste it below.
“It’s no longer ok to have just one tick box when someone makes a purchase for accepting the terms of purchase and for consent to marketing. This is not considered specific consent for marketing.”
Do this because it is visible and really easy for anyone to check simply by signing up to your website. But mainly do this so that you have the correct GDPR marketing consents for the new data you collect, irrespective of what mischief you’ve been up to in the past.
Kate is hosting a 1 day Workshop on “Starting your business” later in June. It will give the core foundations you’ll need to start something new with confidence. More details here.
By Kate Jackson
Founder at TableCrowd