It’s fair to say that there’s been quite a lot of scaremongering about the upcoming GDPR laws flying about the internet and running across offices. You’ve also probably received an Armageddon of email spams from every company under the sun asking you to agree to be spammed for many more years to come.
But before you fall to the ground, raise your hands to the sky and ask what to do, don’t worry, all is not lost – and you most certainly don’t need to do a ‘Wetherspoons’ and delete your entire database just to protect yourself.
All shook up
Let’s rewind for a second and talk about why GDPR is coming around the bend and what has triggered the EU government to act.
There is currently a bit of a shakeup going on between businesses and governments, especially when business is done online. Until recently, the internet was thought of as a boundless and utopian information sharing tool. The very essence of the internet was free, openly shared information. But our technological advances have been moving so quickly that governments have been struggling to keep up and protect citizens properly. And so with all this freedom came a darker side to the internet, and one of those murkier realms has always been data collecting.
It’s common knowledge that companies have been collecting personal data records from us without adequate consent for years. We never really liked it but what could we really do about it?
Well, the EU government has now stepped in to push for more transparency and auditing trails from companies to protect the privacy rights of its citizens. And GDPR is the practical application of the EU government’s wish to create a stricter version of our data privacy laws, which will unify EU member state laws and give more power to the people.
The law will come into action on the 25th of May 2018. It will specifically protect EU citizens from organisations using their data irresponsibly and give citizens more visibility of what information is shared, as well as where and how companies use their data.
Pretty good stuff right? So why is it sending jitters across the business world?
I think we all agree more data protection for citizens is a good thing, but the challenge now for many companies is to understand what GDPR actually is and how they can become 100% compliant. Any business found not following the regulations could be fined up to 4% of the company’s global annual turnover. Although this penalty will be reserved for serious breaches, it is understandably a huge risk to be taking if you don’t swot up enough about how to handle your data properly.
The Big Bad Wolf
There is also a shed load of misconceptions about GDPR laws and it’s sending a lot of companies into a bit of a kerfuffle. The regulations aren’t as scary as most will have you think, and they definitely aren’t a wolf in sheep’s clothing.
So, what can you do?
You can lawfully process personal data without consent if it is necessary for:
A contract with the individual: for example, to supply goods or services they’ve requested, or to fulfil your obligations under an employment contract.
Compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the person in question or someone else.
A public task: if you need to process personal data to carry out your official functions or a task in the public interest, or you have a legal basis for processing the data under UK law.
Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
Wash my sins away
Providing consent is being talked about a lot, and for good reason. Companies now need an audit trail or record of when contacts in your database give consent (or permission) to marketing, being contacted or having their information shared. If the reason you are contacting someone doesn’t fit in the above list, or you don’t have any tangible proof of consent for your current contacts, you need to go and get it. And when I say tangible proof, I mean that you need the date, time, source, IP address and consent statement.
How? Most companies are directly emailing their contacts to ask them to confirm they still want to be contacted, using a ‘double opt-in’ process. It’s crucial that the consent is freely given and traceable, and that the person has a real choice not to give it.
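As an added illustration (not code from the original post), here is a hypothetical double opt-in helper that stores exactly the evidence listed above (date and time, source, IP address and consent statement) and only marks a contact as mailable once a signed, single-use, time-limited confirmation token comes back. All names, the secret and the sample contacts are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
@dataclass
class ConsentRecord:
    """One audit-trail entry holding the evidence the post lists."""
    email: str
    source: str              # where consent was collected, e.g. "newsletter-form"
    ip_address: str
    consent_statement: str   # the exact wording the person agreed to
    requested_at: datetime   # date and time of the first opt-in
    confirmed_at: Optional[datetime] = None  # set only by the second opt-in
class DoubleOptIn:
    """Hypothetical helper: log the request, issue a signed one-time token, confirm it in time."""
    def __init__(self, secret: bytes, ttl_hours: int = 48):
        self._secret = secret
        self._ttl = timedelta(hours=ttl_hours)
        self.records = {}   # email -> ConsentRecord
        self._pending = {}  # token -> email, consumed on confirmation

    def _sign(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def request(self, email, source, ip, statement, now=None) -> str:
        now = now or datetime.now(timezone.utc)
        self.records[email] = ConsentRecord(email, source, ip, statement, now)
        token = secrets.token_urlsafe(16)
        self._pending[token] = email
        return f"{token}.{self._sign(token)}"  # goes into the confirmation link

    def confirm(self, link_token: str, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        token, _, sig = link_token.partition(".")
        if not hmac.compare_digest(sig, self._sign(token)):
            return False  # forged or corrupted link
        email = self._pending.pop(token, None)
        if email is None:
            return False  # unknown or already used
        record = self.records[email]
        if now - record.requested_at > self._ttl:
            return False  # stale link: the person must opt in again
        record.confirmed_at = now
        return True

    def may_contact(self, email: str) -> bool:
        record = self.records.get(email)
        return record is not None and record.confirmed_at is not None
```

Until `confirm` succeeds the record exists (so you can show the opt-in is in progress) but `may_contact` stays false.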
Another good tip is to give your database a good cleanse. This prep work will mean that you can delete any irrelevant contacts, out-of-date data or contacts that appear twice. Doing a data cleanse will save a lot of time in the long run because it will stop you or your team contacting an unnecessary number of people.
It’s also good to keep in mind that 80% of your business comes from 20% of your contacts. Spending time analysing your contacts and sorting them into importance will help with prioritising your GDPR campaigns and help build stronger relationships with your core customers. It’ll also give you a planned strategy and stop you and your team running around like headless chickens.
If you haven’t sorted out your contact consent by the 25th of May you could be subject to penalties, right? Yes, but don’t panic.
The 25th of May is a cut-off point, but if you haven’t sorted out all your contacts and you aren’t 100% compliant by then just ensure that you have proof that you are enacting the requirements and that you are finalising your data consent or ‘opt-in’ plan. Showing that your data processing is ongoing could stop any infringement fines from occurring. So get your finger off the ‘delete all’ button and start sifting through your database.
Another crucial basis of the GDPR law is that you can send contacts (who haven’t given tangible consent) information if it is in their ‘legitimate interest’. If you can prove the information you are sending could be useful or could interest the person you are contacting, then you are legally allowed to and will be compliant with GDPR. Or in other words, you can choose between double opt-in consent or legitimate interest – music to every marketer’s ears.
But what does the wonderfully vague term ‘legitimate interest’ mean? Can you send adverts about your dance classes to anyone in the vicinity who has two working limbs? No. What you can do though is contact people based on their industry and job title, so that what you are emailing them has the potential to benefit their business, benefit them personally or be of interest to them.
As clear as day
There are some things that we all don’t know or can’t predict because the law needs to be alive and kicking to see how the regulations will come into action and how that will affect businesses and individuals. Questions like how does the right to erasure affect archives, how high will the fines be and will suppliers need to raise their prices to account for the loss of lead generation? The fog can only start to lift after the 25th of May when the law becomes a practical day to day regulation that we all work with.
What we all do know though is that GDPR is going to completely change how we receive information and how customers view their own data. GDPR is giving back ownership of our information in a time when information has never been more valuable.
What businesses now need to do is buckle up and accept that we aren’t in Kansas anymore, but that Oz might not be such a bad place to do business in. If we accept that we might have to lose a lot of contacts but that we actually gain insight into our most loyal customers, we can use the changing times as a way to nurture existing relationships and create valuable content. GDPR will hopefully create a much stronger two-way bond between your business and your contacts, who have opted in to still listen to you.
If you would like to find out more, you could do a lot worse than start with the ICO’s guide for small businesses.