In this article we address the all-too-common question of ‘does GDPR affect me and my business?’ from a marketing and website perspective. So, let’s get started with typical scenarios, case studies and what you need to know.
What is GDPR?
GDPR is the EU General Data Protection Regulation – a law about Data Protection, based on a set of common-sense principles:
- The Right to be Informed
- The Right of Access
- The Right to Rectification and the Right to be Forgotten
- The Right to Restrict Processing
- The Right to Object
- The Right to Data Portability
But what exactly is it?
GDPR is a set of rules that all organisations, regardless of size or legal entity, must follow when recording, handling and managing people’s data (or Personal Data, as it is formally known). For example:
- A charity that gathers the details of people who donate to its cause and contacts them to communicate the charity’s messages.
- A business (of any size or in any industry) that collects and stores its customers’ details, whether for administration or for marketing purposes of any kind (emails, brochures, calls).
- An organisation that gathers details from people who use its website.
- An organisation that gathers and sells data about people with whom it comes into contact by any means (website, personal contact, telesales, direct marketing, events, social media platforms).
The above list is a broad description and by no means exhaustive, but in short, if you gather and store information about people with whom you come into contact (or whom you seek out for the purpose of marketing), it affects you and your organisation.
So, as you can see – it’s going to affect a lot of organisations.
However, let’s get one thing straight. This is not the end of the world, and it won’t cause millions of organisations to go under as a result of having to abide by miles of red tape.
The rules are common-sense and morally right and most organisations will find it very easy to make a change in practice if they are not already following the principles.
Does it affect you?
We need to establish a few meanings first. The definition of “Personal Data” encompasses a wide range of information, bringing almost all organisations into the scope of GDPR:
In spite of Brexit, it will still affect the UK, through the adoption of EU laws being undertaken by Parliament; it will also govern any interaction with organisations within EU member states post-Brexit.
It will begin to be enforced on May 25th, 2018.
Taking a moral viewpoint
Think of it from your own personal perspective. You would fully expect an organisation that held your name, address, phone number and email address on record to look after it and treat it with due care and, if you ask them to remove you from their database, to do so without quibble.
It’s just that: taking care of people’s Personal Data in a moral and honest way. Any organisation that doesn’t abide by this has every reason to be brought to task.
The ‘brought to task’ bit means that, in theory, the ICO (the Information Commissioner’s Office) can bring action against any organisation that has persistently failed to abide by the rules and does not change its practices to protect its contacts’ Personal Data. Stories of headline-grabbing fines of up to 4% of an organisation’s turnover (up to a maximum of €20M) fill everyone’s newsfeeds at the moment, but more on that later.
Places and methods of data collection and storing include:
- A website – from a simple enquiry form or an eCommerce/online sales site to online user accounts that save your profile details.
- Telesales – organisations that hold names and numbers for their agents to call, or to receive calls from, in the course of sales.
- Direct mail – order forms in catalogues and offers that come in the post and require your details, including competition entries.
- Customer service departments that field calls from (potential) customers and record their details.
- Personal contact – from an exchange of business cards to a trade show or exhibition.
Case study #1
You are a local business with a simple website that presents your services and has a contact page with an enquiry form that potential customers complete. Those details, when sent, come to you as an email to follow up.
- Is that data encrypted in transit, and does the website have an SSL certificate?
- When the email arrives with the contact’s Personal Data in it, where is that stored? Do you delete it, print it out, or
- transfer those details to another system, such as a CRM?
- Do you have a policy that states how you collect, store and manage their data?
That policy is the document or page that essentially states how you handle all of your customers’ Personal Data. Read it. Does it make sense?
The same applies to larger eCommerce websites, which tend to gather a lot more details. Interestingly, credit card details are rarely stored in the same place; they are held by the payment gateway companies, and how that data is handled is already governed by what’s known as PCI compliance.
Case study #2
You are a charity or volunteer organisation with street fundraisers gathering regular donations, or you maintain a database of people with whom you have had contact over time and to whom you regularly communicate your messages.
Whether an email, brochure, flyer or phone call, the Personal Data will fall under the new GDPR rules and the organisation will have to abide by them.
How to stay compliant
- Review all the areas of your business where your customers’ details are either gathered or stored. Make sure that you take reasonable precautions to ensure the data is secure and, as far as possible, encrypted.
- Provide a means for your customers to request that their details be removed from all of your records at any time, and actually remove their details when they ask.
- Make sure that all individuals in your organisation understand the principles of good data protection – and that they don’t write people’s details down on a piece of paper that could go astray or end up in a bin, or take them home on laptops or memory sticks from which the information could be stolen.
- Make sure that your website uses an SSL certificate so that traffic to it is encrypted (HTTPS), and that any data gathered is stored in a safe and secure environment once it reaches you.
If you ignore the guidelines, it takes just one customer who has repeatedly asked you to remove them from a mailing or email list, and whom you have not removed for whatever reason, to report you. If they do report you to the ICO, it could review the evidence and may choose to investigate the matter further. That does not mean an instant €20M fine.
What it does mean is that your data management practices will be questioned, and dealing with the investigation could take huge amounts of time and money; this is what small businesses in particular fear.
So how do I become GDPR compliant?
Put simply, review your practices and make sure that, to the best of your ability, you look after the data as if it were your own.
This article is not intended to be authoritative but is more of a guide to help you better understand the basic aspects of GDPR. We recommend you seek professional legal advice that relates directly to you, your organisation and its compliance.