Its nearly 2 years ago since the new GDPR regulations came into force on 25th May 2018. We were delighted that Louise Hickman from Trusted Compliance Solutions was able to update us on where we have got to and how things have changed over the last 2 years – thank you Louise for the guest blog.
In the beginning, it wasn’t really clear what we were supposed to do or more importantly why on earth we were doing it. The amount of emails that I received, reeking of confusion and desperation was ridiculous. These companies that had opted me in to receive newsletters that I never read, were still really keen to send me useless things, which never resulted in a further sale. To me it just highlighted those companies I didn’t need in my life any longer. Opt in fatigue was at an all-time high.
Yet if they had a real reason to contact me they could, they didn’t need my consent for that!
Yet the actual purpose of the new legislation was often overlooked or unclear. Data, according to The Economist recently, is more valuable than gold. The GDPR regulations are designed to protect people’s rights, imagine it’s your children’s or vulnerable parent’s personal data and the importance becomes clearer.
A smaller and more engaged marketing database is far better than a huge one that really doesn’t want to hear from you. It’s a two-fold issue, you have to keep the data secure and accurate which costs you money, has additional risk and it won’t make you any money.
Let’s consider what the GDPR regulations mean for marketing activities. Direct marketing examples include: sales promotions or offering free services, to a specific customer or targeted audience. Indirect marketing could be website banners and market research as long as its genuine market research. Generally, GDPR applies to direct marketing and unlikely to apply to indirect marketing.
Direct or indirect, you need to process the data lawfully and fairly, you have to limit the purpose so only use if for the original intended purpose and you have to keep it accurate.
Consent is also an area that needs our marketing attention. GDPR does allow direct marketing as a legitimate interest. Yet it does apply to some areas and is the cause of many fines and ICO investigations. Opt in is often misunderstood, it is where you gain permission to contact that person at the point where you obtain their details. It must be as easy to opt out as it is to opt in and you cannot bundle opt in’s together. Say you run a children’s nursery you can’t combine permissions for giving calpol, applying suntan lotion and children appearing in marketing merchandise. They are all completely different so different consents are required. It makes sense!
You must allow the data subject to opt out of all marketing activities. You can still contact them for admin purposes. If a customer does opt out you must do it quickly and add the data subject to a do not contact list. It would make sense that you can’t email them to ask them to opt in, this would also apply if they have opted out of a national list. They have opted out for a reason and it would not be the start of a great future relationship if you do not respect their wishes. “Hey, you don’t want to hear from me but how do you fancy buying a huge amount of cheese?” The customer experience is king!
What the ICO are looking for is for individual’s data to be treated well. To have a specific reason for having it, a lawful reason to process it and to only have it for as long as you need it. You need to keep it securely, accurately and only use it for the specific reason you originally have it for. Data subjects have rights to their data and there are penalties for not complying with their wishes. An ICO investigation is a thing to be avoided. Believe me – they are thorough.
The ICO has been very busy investigating complaints and data breaches. At the time of writing there has been over 60 monetary enforcement notices which heading towards £15M worth of fines not including British Airways (£485M) and Marriott Hotels (£94M) which aren’t finalised as yet and will be record breaking when they are. Precedents are being set and we need to review these decisions regularly to ensure that we don’t fall foul of new ways of working. Thinking selfishly, let’s learn from other people’s mistakes.
Yet it’s not always about the money. Individuals have been found looking at personal data that they had no right to do so such as nurses and doctor’s receptionists. The fines were relatively small but the damage to a person’s reputation I expect would be irrecoverable. There is no price for trust.
The whole idea of it may seem bewildering yet there are lots of resources out there to help you. There are tools such as data flows to see how information wanders around your business world, legitimate interest assessments to check on your marketing activities and data protection impact assessments that can look at and reduce your data risks. The ICO website can help you too.
GDPR doesn’t have to be complicated – that I promise!
Louise is an experienced GDPR Practitioner and Commercial Manager with a background in law and quality management. She helps numerous sole traders and small to medium business to simplify their data, introduce data protection by design into their planning and avoid fines.