There is a lot of noise and panic around the updated GDPR laws coming into effect on May 25th 2018, so I thought I would try and break it down in simple terms for you:
Here is what you need to know about the GDPR
- GDPR stands for General Data Protection Regulation
- It applies to all businesses within the EU, and to any business processing data belonging to citizens within the EU
- Although adopted in April 2016, it officially comes into force on May 25th 2018
- It is the biggest update of the Data Protection rules since they were introduced in 1995
- GDPR is being introduced to give the power back to citizens over use of their personal data
- GDPR introduces ‘the right to be forgotten’, meaning individuals can request that businesses delete personal data that is no longer necessary or accurate.
- Expanded individual rights mean people can access, correct, amend or delete their data at any time.
- The maximum fine you can receive for not complying with the new rules is up to 4% of global turnover or 20m euro (whichever is greater)
So how does the GDPR affect my business and what do I need to do?
One of the fundamental changes for your business when it comes to the GDPR is consent and how it is obtained.
You will now need to obtain consent from your subscribers and customers for every use of their personal data. The best way to do this is through explicit consent at the point of capturing their data (when they sign up to your mailing list).
Things you definitely need to know about obtaining consent:
- Consent must be specific to the exact purpose
- Pre-ticked boxes, inactivity or a presumed opt-in do not constitute consent; subscribers must explicitly opt in to the storage, use and management of their personal data.
- Separate consent must be obtained for each processing activity, so you must be very clear about how the data will be used when obtaining consent.
How to best prepare for the changes and make sure you are compliant:
The best way to make sure you are ready for the changes is to refer to your email marketing provider. Mailchimp have been working on their GDPR plan for over a year and have a thorough GDPR document which you should definitely familiarise yourself with.
They will be introducing updated sections in your Profile and List area for you to complete so you are compliant. As providers, they also have increased responsibilities (more so than us as collectors) so are working hard to make this easy for us to comply with.
Repermissioning existing subscribers:
Are you confident that you can demonstrate that each of your current subscribers gave express consent? If not, you might need to consider repermissioning in order to be compliant with the GDPR. You may have seen a rise in companies asking you to ‘update your records’ with them – this is them preparing for the new regulations by getting your express consent for them to collect, store and use your data.
Wetherspoon’s recently deleted their entire email marketing list after a data breach which saw 650,000 records being stolen, landing them a fine of £400,000 – when the GDPR comes in, the fine would be £59m!!
I wouldn’t advise following their lead (on any level!) but if you have records for which you can’t prove consent, then you need to either repermission the subscriber, or DELETE!
My general advice would be not to panic – these rules are way overdue, having not been updated since 1995 (I didn’t even have an email address in 1995!)
There are a load of dodgy practices that will be dealt with by bringing in the new regulations – no more scraping data, adding LinkedIn email addresses to your company mailing list or signing up for one thing and being contacted multiple times about something completely different.
Your responsibilities as a data collector will mean that you have to make it clear what your subscriber is signing up for, contact them in the way you said you would when they gave consent, store their data in a responsible way, and if they request that you correct, amend or delete their records, that you do completely and permanently.
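To make the consent rules above (specific, per purpose, no pre-ticked boxes) and the collector responsibilities (contact only as agreed, keep proof, delete completely on request) concrete, here is a small consent ledger as an added example. It is not code from the post or from any email marketing provider; the purposes, form layout, field names and sample subscribers are all assumptions constructed for the illustration.

```python
"""Per-purpose consent ledger for a mailing list (added example, not from the post)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Processing purposes this hypothetical business asks consent for (assumed names).
PURPOSES = {"newsletter", "product_offers"}


class ConsentError(ValueError):
    """Raised when a signup form cannot produce valid consent."""


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime   # when the subscriber ticked the box
    source: str            # which form or channel captured it
    wording: str           # the exact text shown next to the box


@dataclass
class Subscriber:
    email: str
    consents: dict = field(default_factory=dict)   # purpose -> ConsentRecord


def capture_consent(store, email, form, ticked, source, now=None):
    """Record one opt-in per purpose the subscriber actively ticked.

    `form` maps purpose -> {"default_checked": bool, "wording": str}.
    `ticked` is the set of purposes whose boxes were checked on submit.
    """
    now = now or datetime.now(timezone.utc)
    for purpose, spec in form.items():
        if purpose not in PURPOSES:
            raise ConsentError(f"unknown purpose {purpose!r}")
        if spec["default_checked"]:
            # A pre-ticked box is not an affirmative action, so it proves nothing.
            raise ConsentError(f"pre-ticked box for {purpose!r} is not valid consent")
    unknown = set(ticked) - set(form)
    if unknown:
        raise ConsentError(f"ticked purposes not on the form: {sorted(unknown)}")
    sub = store.setdefault(email, Subscriber(email))
    for purpose in ticked:
        # Separate record per purpose: ticking "newsletter" says nothing about offers.
        sub.consents[purpose] = ConsentRecord(purpose, now, source, form[purpose]["wording"])
    return sub


def may_contact(store, email, purpose):
    """True only if a consent record exists for exactly this purpose."""
    sub = store.get(email)
    return sub is not None and purpose in sub.consents


def consent_evidence(store, email, purpose):
    """The proof you would show if asked to demonstrate consent, or None."""
    sub = store.get(email)
    if sub is None or purpose not in sub.consents:
        return None
    rec = sub.consents[purpose]
    return {"email": email, "purpose": purpose, "granted_at": rec.granted_at.isoformat(),
            "source": rec.source, "wording": rec.wording}


def erase_subscriber(store, email):
    """Delete the subscriber's record completely; True if something was removed."""
    return store.pop(email, None) is not None


def repermission_candidates(store):
    """Emails on the list with no provable consent for any purpose."""
    return sorted(e for e, s in store.items() if not s.consents)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    ledger = {}
    form = {"newsletter": {"default_checked": False, "wording": "Send me the monthly newsletter"},
            "product_offers": {"default_checked": False, "wording": "Send me product offers"}}
    capture_consent(ledger, "ana@example.com", form, {"newsletter"}, "signup_form_v1")
    ledger["legacy@example.com"] = Subscriber("legacy@example.com")  # imported, no proof
    print("newsletter ok:", may_contact(ledger, "ana@example.com", "newsletter"))
    print("offers ok:", may_contact(ledger, "ana@example.com", "product_offers"))
    print("needs repermissioning:", repermission_candidates(ledger))
```

The point of the design is that a send for a given purpose is only allowed when a record for that exact purpose exists, that the record carries the evidence (time, source, wording) you would need to demonstrate consent, and that erasure removes the whole record rather than flagging it. Subscribers with no records at all are the ones the post says you must repermission or delete.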
If you are currently compliant with data protection and follow the advice of your email marketing provider, you will be fine – but please take this seriously: data breaches are becoming more and more of a threat and they WILL be dishing out fines to make examples of companies who disregard the changes.
Have any questions about this? Join me in my private Facebook group and let’s chat some more!