A guide for small businesses using data for marketing. This document does not constitute legal advice; it answers some basic questions and signposts the more detailed information that is available free of charge to small businesses.
2. The story so far…
• GDPR stands for General Data Protection Regulation
• New rules come into force on 25th May 2018
• The principles of data protection haven’t changed,
but there are tighter requirements around taking
responsibility for protecting the data you hold and
getting permission to use it
• Fines for non-compliance can be up to 4% of annual
worldwide turnover or €20m, whichever is greater
• The new rules apply to ALL personal data,
not just data used for marketing (e.g. staff records,
payroll data)
3. What about Brexit?
• However you feel about it, leaving the EU makes
no difference. We signed up to the new rules in
2016 and the laws will still apply from May 2018.
4. The Information Commissioner's Office (ICO) summarises
the data minimisation principle as follows:
“Personal data shall be adequate,
relevant and not excessive in
relation to the purpose or purposes
for which they are processed”
5. What does the new regulation cover?
• The regulations apply to any information you
hold about a person that could identify them as
an individual.
• The regulations apply to ALL data, even if you
don’t hold it electronically
• So if you have a handwritten list of names and
addresses of potential customers in a drawer,
that’s personal data (not recommended!).
6. How does this affect me?
For small business owners using customer data for
marketing, the new rules cover three key areas:
• Looking after the personal data you hold
• Obtaining and managing permission to use
personal data for marketing
• Being open and transparent about how you’re
using data
7. Looking after the data you hold
• You are equally responsible for the security of
your customer data, even if someone else
processes it for you (this could be an email
provider like Mailchimp or a personal assistant)
• Any third party suppliers you work with must
comply with the rules too, so always make sure
you work with reputable suppliers. If they can’t
reassure you about their own compliance then
find someone else to work with.
8. More about looking after data
• You must keep any personal data you hold secure and
up to date. Some things to consider here are:
• NEVER email personal data to someone else or carry it around
on a memory stick unless it is encrypted (an unencrypted
stick that goes missing is a data breach).
• If your contact data is currently in a spreadsheet then
consider using a CRM system. This will help ensure the
personal data you hold (and are responsible for) is properly
protected, and lets you control who can see and change it.
• If this isn't possible just now, then use the "Encrypt with
Password" protection on your Excel document, save it in the
modern .xlsx format (the old .xls password protection is
easily broken) and choose a long passphrase. Keep your
computer as secure as possible against viruses or hackers:
install updates promptly, run anti-virus software, and turn on
full-disk encryption (BitLocker or FileVault) so a lost laptop
does not expose readable data.
9. Getting permission
• You must obtain EXPRESS consent from someone before
you use their email address or mobile number to send
marketing information.
• Pre-ticked boxes, or statements such as “By giving us your
email address you agree to receive marketing emails” won’t
do the job.
• Consent must be separate from other terms and conditions
and can’t be a precondition of signing up for a service.
• You must make it easy for people to unsubscribe from
marketing emails every time you email them.
10. Do I need “double opt-in”?
• The double opt-in process includes two steps:
1. A potential subscriber fills out and submits your online signup
form.
2. They receive a confirmation email and click a link to verify their
email address, which is added to your email list.
• Double opt-in isn't a requirement for GDPR compliance
but it is useful: it verifies the email address entered, it
stops someone signing up a third party's address without
their knowledge, and the confirmation click gives you a
dated record that the person really did consent. (If
there's an error or the email address is invalid, the
customer won't receive the step 2 email so won't be
added to your database.)
• Most email providers have this built into their system for
you, but if you're not using one you don't have to
replicate it.
11. Managing the permissions you hold
• If you use data to send marketing emails, you must keep
records of the consent you have obtained.
• This means keeping a record of your data collection form with
the wording you use and recording when people give you
their consent.
• You can record consent by adding a Yes / No column or field
to your Excel sheet or CRM system and a date so this is
attached to each contact you hold.
• All reputable email providers will have a system in place to
record consent and the date it was given to help you manage
your data in a compliant way – ask them what they have in
place.
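The double opt-in flow on slide 10 and the consent record on slide 11 fit together naturally, so here is one added example (my own illustration, not code from this guide or from any email provider) of how a small business that runs its own signup form could implement both. It assumes a hypothetical server-side secret key and an in-memory store; the confirmation link carries an HMAC-signed, time-limited token so nobody can forge a confirmation for an address they don't control, and each confirmed consent is kept as a dated record together with the exact form wording the person saw.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, asdict
from typing import Dict, Optional

# Hypothetical server-side secret (assumption for this example). In a real
# deployment load it from a secrets store, never from source code.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600   # confirmation links stop working after 48 h


@dataclass
class ConsentRecord:
    """One row of the consent log: who, which form wording, and when."""
    email: str
    form_id: str                        # e.g. "newsletter-form-v2"
    form_wording: str                   # exact consent statement shown
    requested_at: int                   # unix time the form was submitted
    confirmed_at: Optional[int] = None  # unix time the link was clicked
    withdrawn_at: Optional[int] = None  # unix time of unsubscribe, if any


PENDING: Dict[str, ConsentRecord] = {}   # awaiting the confirmation click
CONSENTS: Dict[str, ConsentRecord] = {}  # confirmed (possibly later withdrawn)


def _norm(email: str) -> str:
    return email.strip().lower()


def make_token(email: str, issued_at: int) -> str:
    """HMAC over (email, issue time): the link cannot be forged or re-pointed."""
    msg = f"{_norm(email)}|{issued_at}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def start_signup(email, form_id, form_wording, consent_ticked, now=None) -> str:
    """Step 1: form submitted. Returns the token to embed in the email link."""
    if not consent_ticked:
        # A pre-ticked box or implied consent is not valid consent.
        raise ValueError("consent box must be actively ticked")
    now = int(time.time()) if now is None else now
    key = _norm(email)
    PENDING[key] = ConsentRecord(key, form_id, form_wording, now)
    return make_token(key, now)


def confirm_signup(email, token, now=None) -> bool:
    """Step 2: link clicked. Verify MAC and age, then move to CONSENTS."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, _ = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if not hmac.compare_digest(make_token(email, issued_at), token):
        return False               # forged, or issued for a different address
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False               # stale link
    key = _norm(email)
    record = PENDING.get(key)
    if record is None or record.requested_at != issued_at:
        return False               # already used, or superseded by a newer signup
    del PENDING[key]               # single use
    record.confirmed_at = now
    CONSENTS[key] = record
    return True


def withdraw_consent(email, now=None) -> bool:
    """Unsubscribe: keep the row (it proves consent existed) but mark it withdrawn."""
    record = CONSENTS.get(_norm(email))
    if record is None:
        return False
    record.withdrawn_at = int(time.time()) if now is None else now
    return True


def may_send_marketing(email) -> bool:
    """The only question the mailing code should ask before sending."""
    record = CONSENTS.get(_norm(email))
    return record is not None and record.withdrawn_at is None


def export_consent_log() -> str:
    """JSON dump of every confirmed/withdrawn record, for an audit or a SAR."""
    return json.dumps([asdict(r) for r in CONSENTS.values()], indent=2)
```

Two design points worth noting: the record is never deleted on unsubscribe, because the dated row is your evidence that consent was given and then withdrawn; and the token binds the issue time to the address, so an old link cannot confirm a later signup and a link for one address cannot confirm another.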
12. Do I always need to obtain permission?
• If someone buys from you, it’s perfectly reasonable that
you will use personal information they provided to
deliver products or services or provide follow-up
information so consent isn’t needed.
• If someone hands you their business card at a
networking event, it’s reasonable to expect that you
might contact them afterwards, to follow up your
conversation or arrange a meeting. In this case you
don't need consent.
• BUT if you then keep the personal information collected
in these cases and use it to contact someone in the
future about new products or add them to your mailing
list, their express permission will be required.
13. What about social media?
• You don’t need consent to contact individuals
through social media because the user agrees to
accept the Ts and Cs of the platform which
include privacy terms, so communicating within
the platform via your Facebook Pages or Groups
for example is not affected.
• You are not allowed to obtain personal contact
details of followers or connections (such as email
addresses) and use them to communicate
directly with those people unless you have their
express permission.
14. Being open and transparent
• You must be very clear about what you will do with the
customer data you collect. The way to do this is to write a
Privacy Notice for your business.
• The Privacy Notice tells people what personal data you hold,
how and where it is stored, how long you will hold it for and
how you plan to use it
• You must give people this information at the point you
collect their data, so put a link to the notice next to your
signup forms and on your website. Since you have to have
one anyway, displaying it also reassures people you're
looking after their data.
• The ICO website has good and bad examples of privacy
notices and consent wording so you don't have to create
your own from scratch.
15. Individuals’ rights
Under the new rules, we as individuals have stronger rights…
• The Right to be forgotten:
• Every individual has the right to have their data deleted
in many circumstances, for example when you no longer
need it or they withdraw their consent
• Subject Access Requests (SAR):
• Every individual has the right to ask what data you hold
about them
• If anyone asks for data to be deleted or asks what data you
hold, you must respond within one calendar month (extendable
by up to two further months for genuinely complex requests)
and you must provide the response free of charge, unless the
request is manifestly unfounded or excessive.
16. If something goes wrong
• If the data you hold is no longer protected (if your email
is hacked or you lose your laptop with an Excel
document on it) you must assess the risk to the people
affected and, unless the breach is unlikely to put them at
risk, notify the ICO within 72 hours of becoming aware of it.
Keep a written record of every breach, even the ones you
decide not to report. If a lost laptop was fully encrypted,
the data is not readable and the risk is far lower.
• Where the risk to individuals is high you must also tell the
people affected without undue delay.
• The ICO will assess the likely impact on the individuals
involved and provide FREE advice about what to do next.
• The ICO is there to help you so do contact them straight
away.
17. What can I do now?
• Make a list of the data you hold, how you collected it and where
it is stored
• Check and update the wording on your data collection forms /
website. Use the ICO examples to help you.
• Write a privacy notice for your business and include a link to it
on your website
• Contact everyone you hold an email address for now and
obtain permission to continue sending them marketing
information about your business. Check the ICO guidance
first: an email asking for consent is itself a marketing
message, so only send it to people you already have a
lawful basis to email.
• If they don't give their permission, remove them from your
mailing list.
You will lose people from your list but it’s far better from
a marketing point of view to be talking to people
who actually want to hear from you!
18. In a nutshell…
You are responsible for the security and
protection of any personal data you hold
Don’t use personal data for anything you
don’t have permission for
Don’t panic, don’t be scared and remember
you don’t have to pay for advice on
GDPR
19. I’m not an expert!
Although I know some stuff, I am not a GDPR expert
and I’m not able to give advice on specific businesses
or issues
There is loads of free advice and the best place to
start is the Information Commissioner’s Office (ICO)
website
Or call the ICO small business helpline:
0303 123 1113 (Select Option 4)
(I have always found them helpful despite being under a lot of pressure just
now!)
20. If you would like help navigating the minefield
that is marketing, hop over to my Facebook
Group, the Marketing Pop-In.
If you have a marketing challenge you’d like to discuss
drop me a note via Quercusmarketing.co.uk
or call me on 07879 993744
A conversation costs nothing.