GDPR deadline is looming

Posted on Apr 26, 2018

As I’m sure you know, the GDPR deadline is looming and hopefully isn’t sending you all into too much of a spin. Many of you have been asking for GDPR advice, and although we are not lawyers and what follows isn’t legal advice, we have tried to summarise some basic steps you could take towards compliance. This advice is aimed at small businesses; it may not be wholly relevant to your business, and if you need concrete legal counsel please do talk to a lawyer.

This sweeping new GDPR law (coming into effect on 25th May 2018) applies to all companies that collect and process data belonging to European Union (EU) citizens, even if this is done outside of the EU.

If you collect personal data of any EU citizen and store it (this may be just a name and email address, usually collected for marketing purposes), you need to take action.

Many of our clients are small businesses who usually don’t hold enormous databases of personal data. If you do, you will hopefully be well on the way to being ready for the 25th May deadline.

Now before we go any further, a bit of perspective: new regulation can be scary. There’s already a fair bit of anxiety out there about the GDPR, and the usual mix of information overload, misinformation and misunderstanding that accompanies new regulation on this scale. Rather than overload you with jargon and the complexities of the law, we have tried to apply common sense, reviewing techniques already adopted, to summarise the simple steps you could take towards compliance, with some working examples.

Embrace this as an opportunity

Now don’t panic: it’s extremely unlikely that the EU authorities are going to start dropping noncompliance fines on small businesses. Having said that, it is worth embracing this as an opportunity to reconnect with your audience and reassure them that you take the protection of their personal data seriously, streamlining your lists and so improving your marketing by targeting those who do wish to receive it rather than those who don’t. This is also an opportunity to get your housekeeping in order, so that if the ICO (the supervisory body in the UK) does come calling (however unlikely) you are ready.

For this article we are going to make a couple of assumptions about you as a small business. Many of you will have either or both of the following, which will need some action:

  • A contact form on your website that collects basic personal data.
  • Mailchimp lists (or other email marketing software) containing basic personal data.

We’ll concentrate on these specifically as they are of relevance to our clients.

Contact form

If your website has a contact form, you will be collecting personal data (probably a name and email address). Under the new law explicit consent is required for data collection. This means you need to add a consent check box to all contact forms (this box must be unticked by default), together with a link to a privacy policy outlining why you are collecting that data, what you will be doing with it (particularly any plans to share it) and how it is stored (securely, obviously!). There are many sample privacy policies on the internet to use as a guide, but we would recommend having your privacy policy checked over by a lawyer to ensure you are covered.

See example form below:

[Image: example contact form with an unticked consent check box and a link to the privacy policy]

Mailchimp lists

If you collect personal data in a Mailchimp list (or other email marketing software), the new law states that you must be able to prove that you have explicit consent from those whose data you hold, and you must be able to prove how and when that consent was given. Those who have given explicit consent should be able to unsubscribe at any time, and you must ensure you hold their data securely. Again, it is important to link to your privacy policy for further information.
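As a worked example of the two points above (the unticked consent box on the contact form, and being able to prove how and when consent was given), here is a small server-side handler for a contact form. It is added for this article and is not code from the original post or from Mailchimp; the field names, the consent wording and the privacy policy version are assumptions.

```javascript
// Added example: accept a contact-form submission only when the consent box was
// explicitly ticked, and build a consent record that captures how and when
// consent was given. Field names, wording and version below are assumptions.

const PRIVACY_POLICY_VERSION = "2018-05"; // assumed: bump when the policy text changes
// Assumed label text shown next to the check box; stored so you can show what was agreed to.
const CONSENT_STATEMENT =
  "I agree to my name and email address being stored and used as described in the privacy policy";

// Parse the raw URL-encoded form body. Browsers omit an unticked check box
// entirely, so only the literal value "yes" (set via value="yes" in the form
// markup) counts as consent; a default "on" from a pre-ticked box does not.
function parseForm(body) {
  const params = new URLSearchParams(body);
  return {
    name: (params.get("name") || "").trim(),
    email: (params.get("email") || "").trim().toLowerCase(),
    consent: params.get("consent") === "yes",
  };
}

// Minimal syntactic check; the address is still confirmed by replying to it.
function looksLikeEmail(s) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);
}

// Returns {ok:false, error} when the submission cannot be accepted, otherwise
// {ok:true, record} where record is what you store alongside the contact details.
function handleSubmission(body, meta, now = new Date()) {
  const form = parseForm(body);
  if (!looksLikeEmail(form.email)) return { ok: false, error: "invalid email address" };
  if (!form.consent) return { ok: false, error: "explicit consent is required" };
  return {
    ok: true,
    record: {
      name: form.name,
      email: form.email,
      consentGiven: true,
      consentTimestamp: now.toISOString(), // when consent was given
      consentSource: meta.formId,          // how consent was given (which form)
      consentStatement: CONSENT_STATEMENT, // what the person agreed to
      privacyPolicyVersion: PRIVACY_POLICY_VERSION,
    },
  };
}

// Constructed sample submissions: one with the box ticked, one without.
const accepted = handleSubmission("name=Ann&email=Ann%40example.com&consent=yes",
  { formId: "website-contact-form" });
const rejected = handleSubmission("name=Bob&email=bob%40example.com",
  { formId: "website-contact-form" });
```

Storing the record per subscriber gives you the evidence the law asks for without collecting anything beyond what the form already asked.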

To obtain explicit consent (if you don’t have it already), many companies are emailing their current subscriber list and asking subscribers to re-opt-in. This is our recommended approach: it also lets you reconnect with your audience and reinforce that you take their security seriously, while streamlining your lists. You will invariably lose subscribers, but your database will be leaner and your marketing therefore more targeted.

An excellent example we have seen of an ‘opt-in’ email is from Pizza Express.

[Image: Pizza Express opt-in email]

Rather than just saying they are emailing because of the GDPR law, they turn it into an opportunity for you to win £100 and stay signed up to receive ‘extra treats, like birthday gifts’, with the subject line ‘QUICK, £100 UP FOR GRABS!’. This works for a few reasons:

  • An incentive to ‘Keep me in’ with the £100 voucher.
  • A time constraint: basically do it now or miss out.
  • Options to ‘Keep me in’ or ‘Sorry, I’m out’ – asking people to decide there and then is more likely to get a positive response than only offering ‘Keep me in’.
  • Discouraging them from clicking ‘Sorry, I’m out’ – who doesn’t want ‘exclusive treats’?!
  • A link to the privacy policy.

Another important note is that you can legally send ‘opt-in’ emails to your subscriber list before 25th May, and you can send as many reminders to act before 25th May as you like. After that date you can legally only email those you have explicit consent from, so it is worth acting now.

So, to summarise with 4 key action points:

  • Review and update your privacy policy
  • Add explicit consent to contact forms
  • Send opt-in email
  • Keep any personal data you hold secure

We hope you have found this article useful. If you have any GDPR related queries, please don’t hesitate to give us a call on 0207 112 9117 or email helen@freshpies.co.uk.