On 25 May 2018, the new General Data Protection Regulation (GDPR) will come into force in the European Union (Note: Brexit doesn’t have any impact on this). It’s the biggest change to data privacy regulations in 20 years, and it could have a big impact on your small business – particularly on your marketing.
As the law will be changing in a few months, now is the time to read up on the new regulations and find out exactly what you need to do in order to comply with the law.
What is GDPR?
GDPR is a law which aims to protect the personal data of EU citizens and ensure that businesses are using this data in a fair, safe and secure way. As a small business, this means that the way you collect, store, use and share personal data will change.
GDPR applies to all businesses operating in the EU (from sole traders and small businesses like us, all the way up to huge corporations), as well as any business worldwide which collects data from EU citizens.
The law affects both online and offline data, and applies to internal communications as well as customer-facing data collection.
There can be fines of up to €20 million (or 4% of the company’s global turnover) for non-compliance, so make sure you start updating your privacy policies as soon as possible!
The Six Principles of GDPR
GDPR has six main principles at its heart. These outline exactly what personal data is, how businesses will be responsible for looking after data, and how you can ensure you comply with the new legislation.
- Lawfulness, Fairness and Transparency – you need to make customers aware of what their data will be used for, ensure it is used only in the way you have described, and that it meets the requirements of the GDPR law
- Purpose Limitations – personal data can only be obtained for specific and legitimate purposes, and cannot be used further without additional consent
- Data Minimisation – only the minimum amount of data required for the specific purpose should be kept
- Accuracy – data should be kept up to date, and any inaccurate data should be updated or deleted
- Storage Limitations – data should only be kept for as long as it is needed, and anything no longer required should be deleted
- Integrity and Confidentiality – data should be processed in a secure way that ensures it won’t be lost, destroyed, damaged or unlawfully used
What does GDPR mean for marketing?
Marketing is all about connecting with people and using their data to give them the information they want, so it’s really important to review your marketing strategy and ensure it’s GDPR compliant.
Consent is a vital part of the GDPR guidelines. Opt-out consent is no longer an option. When collecting customer data (for example in a newsletter mailing list), people must opt-in and then confirm that they give consent for you to store their data. This is known as double opt-in.
You must also be able to prove you have this consent, and customers may withdraw their consent at any time. Consent must be freely given so, for example, an exclusive content download cannot be dependent on someone consenting for you to have their personal data.
Chances are, you already have an email list full of customers. Has everyone on the list consented using double opt-in? If you started collecting data a few years ago, probably not. This means you’ll need to regain consent for all the people already on your list. Send out an email asking them to confirm their subscription (and make sure to let them know exactly what their data will be used for).
You also need to make sure customers can easily access their data and remove consent if they wish. This can be as simple as including an unsubscribe link at the bottom of emails, or having a section on your website which allows people to manage their email preferences.
Don’t forget to have a think about what kind of data you really need to be collecting. In order to keep things simple, collect the bare minimum of data you need – sometimes a name and email address is all that’s required.
You have to be able to prove you need this data, so make sure it’s actually relevant to your business. For example, if you’re an online shoe store then knowing someone’s shoe size is relevant. If you’re a freelance web designer, not so much!
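The double opt-in, proof-of-consent and withdrawal steps above, together with the "collect only what you need" point, can be captured in a small consent ledger. What follows is an added example written for this page, not code from the post or from any mailing-list product; the ConsentLedger class, the ALLOWED_FIELDS table and the in-memory storage are all assumptions made for illustration. The subscriber's confirmation token is stored only as a hash, so a leaked copy of the ledger does not let anyone "confirm" on someone else's behalf, and the record keeps the exact wording the subscriber agreed to, which is what you would need to show if asked to prove consent.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed for this example: the fields a given purpose is allowed to
# collect (data minimisation). A newsletter needs only a name and an email.
ALLOWED_FIELDS = {
    "newsletter": {"name", "email"},
}


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    requested_at: datetime
    notice_text: str                      # the wording shown at sign-up
    confirm_token_hash: Optional[str] = None
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentLedger:
    """Hypothetical in-memory consent store implementing double opt-in."""

    def __init__(self, ttl_hours: float = 48):
        self.records: dict = {}
        self.ttl = timedelta(hours=ttl_hours)   # how long a confirm link lives

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def request_subscription(self, submitted: dict, purpose: str, notice_text: str) -> str:
        """Step 1 of double opt-in: store a pending record and return the
        one-time token to put in the confirmation email."""
        extra = set(submitted) - ALLOWED_FIELDS[purpose]
        if extra:   # refuse data the purpose does not need
            raise ValueError(f"fields not needed for {purpose}: {sorted(extra)}")
        token = secrets.token_urlsafe(32)
        record = ConsentRecord(
            email=submitted["email"].lower(),
            purpose=purpose,
            requested_at=self._now(),
            notice_text=notice_text,
            confirm_token_hash=hashlib.sha256(token.encode()).hexdigest(),
        )
        self.records[(record.email, purpose)] = record
        return token

    def confirm(self, email: str, purpose: str, token: str) -> bool:
        """Step 2: only a valid, unexpired, unused token completes consent."""
        record = self.records.get((email.lower(), purpose))
        if record is None or record.confirm_token_hash is None:
            return False
        if self._now() - record.requested_at > self.ttl:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(digest, record.confirm_token_hash):
            return False
        record.confirmed_at = self._now()
        record.confirm_token_hash = None   # single use
        return True

    def withdraw(self, email: str, purpose: str) -> bool:
        """The subscriber may withdraw at any time (e.g. an unsubscribe link)."""
        record = self.records.get((email.lower(), purpose))
        if record is None or not record.active:
            return False
        record.withdrawn_at = self._now()
        return True

    def may_email(self, email: str, purpose: str) -> bool:
        record = self.records.get((email.lower(), purpose))
        return record is not None and record.active

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What you would produce to prove consent: when it was requested,
        confirmed and withdrawn, and the notice the subscriber agreed to."""
        record = self.records.get((email.lower(), purpose))
        if record is None:
            return None
        fmt = lambda t: t.isoformat() if t else None
        return {
            "email": record.email,
            "purpose": record.purpose,
            "requested_at": fmt(record.requested_at),
            "confirmed_at": fmt(record.confirmed_at),
            "withdrawn_at": fmt(record.withdrawn_at),
            "notice_text": record.notice_text,
        }
```

In use, request_subscription runs when the sign-up form is submitted, the returned token goes into the confirmation email, confirm runs when the link is clicked, and the mailer calls may_email before every send so that a withdrawn or never-confirmed address is never mailed.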
If you think it all sounds a bit complicated, I don’t blame you! There’s a lot to take in but as long as you’re prepared, the new GDPR rules should fit nicely into your marketing strategy.
Just make sure you know exactly what you need to update, and leave yourself enough time to get it all organised before May.
Here are some great resources to help you understand GDPR even better.
- Business Gateway’s Digital Boost GDPR for Business Guide – lots of information about what GDPR is and how it will affect businesses, plus a handy checklist to make sure you’re compliant
- Claire Brotherton’s GDPR Guide on wpmudev – all you need to know about making your website GDPR compliant, including contact forms and third-party plugins
- Purple’s GDPR Toolkit – free download with lots of information about GDPR, particularly relating to how it affects marketing
- ICO’s Guide to GDPR – comprehensive guide from the UK’s data protection authority, including information about the steps you need to take now, and a checklist to make sure your business is compliant
Have a look for events and workshops in your local area which can help you understand GDPR further. GCI and Gilson Gray are running free GDPR workshops at Microsoft Waverley Gate in Edinburgh, and Edinburgh Chamber of Commerce also have an event focusing on how GDPR will affect marketing.