
GDPR. Time to take your head out of the sand.

GDPR is coming. On the 25th May 2018 to be precise. And it is going to affect all of us.

If your business uses email marketing, sends out direct mail or makes sales calls, then the new General Data Protection Regulations will affect what you can and can’t do. At Feelingpeaky Ltd we are in the process of getting to the bottom of how GDPR will affect our own day to day business, so we thought we’d share our learnings with you along the way.

Installment 1 – “It’s all about data right?”

Most businesses collect data in some way or another. And some methods are less obvious than others. For instance, if you use any tracking tools on your website, such as Google Analytics, then you are collecting data and people will have the right to know what kind of personal information you are storing about them. And how you plan to use that data.

The new GDPR is extensive, complex, and not everyone’s idea of an easy read. So, as a starter for ten, we’ve put together some practical suggestions on things you need to do to start to be compliant.

Privacy Policy

If your site doesn’t have a Privacy Policy, it will need one to comply. The Privacy Policy needs to tell people what you’re going to do with the data you have collected about them. The new regulations apply to any data which could be traced back to an individual. That even includes things like their computer’s IP address.

Permission is Paramount

From May 2018 you will need to explicitly ask permission to send someone email marketing. They must opt in. It’s not ok to assume you have permission. And it’s not ok to pre-tick a box which people have to untick. 

“Opting in is key. It is no longer about opting out.”

Managing Consent

Getting people to opt in is only just the start of it. You also need to record when they gave you permission to market to them. And log precisely what they were shown when they opted in. Email notifications of when someone registers for your newsletters or checks out from your ecommerce store may be enough to comply, provided that you store the email securely and it clearly shows what the tick box said.

Brand New Customers Only?

“What about my existing customers? Can I continue to market to them?”

This is where it starts to get really complicated and downright confusing. According to GDPR, if there is another law that conflicts with it, you should pay attention to that law instead. Email and telephone marketing is legislated by PECR (Privacy & Electronic Communications Regulations) and therefore PECR takes priority – which is handy as PECR allows ‘soft opt-in’.

‘Soft opt-in’ means that if you have got someone’s email address when they bought something from you then it is OK to send marketing communications to them. So good news!

But! PECR is being replaced with new, stricter ePrivacy laws, and who knows if the outcome will mean that ‘soft opt-in’ will continue to be allowed…

Therefore the safest option is to get explicit opt-in when you can, even from your existing customers.

Time to take a GDPR breather – but watch out for installment 2 coming soon!

Frances Evans: