We usually put extra effort into making our content fun and enjoyable to read. We go out of our way to provide our readers with tips we know can help you grow your online businesses. Unfortunately, in this instance, you’ll have to make-do with a serious piece of content.
Every single EU company that participates in any form of outbound marketing will be impacted by GDPR when it comes into full-force in early 2018. A recent study by Smart Insights found that only 6% of businesses are ready for GDPR – that is a very scary number and could result in your business breaking the new regulations! You have no choice but to be ready, you have to comply by May 2018. The key is to not to worry but to focus on getting prepared for the change in regulations. We hope this post will help you and your business better understand what GDPR is all about, whilst helping you to think about how best your business can prepare.
What is GDPR?
The General Data Protection Regulation, abbreviated to GDPR, is a new set of regulations set-out by the European Parliament, the Council of the European Union and the European Commission, that intends to strengthen and harmonise data protection for all individuals within the European Union (EU) across both offline and online channels. It will replace the previous 1995 Data Protection Directive from which the current UK Data Protection Act 1998 laws are drawn from. If you like to read legislative acts, you can view the official GDPR document here.
If you carry out any form of marketing strategy, then the new GDPR regulations are likely to impact your business. This includes email marketing, direct mail, outbound calls, AdWords remarketing and any other form of marketing where there’s a requirement to hold your customers/visitors personal data.
It’s important to explain from the outset that your customer data isn’t always as obvious as it might seem.
When you think about data, you will naturally be thinking about:
- Email address
- Physical address
- Telephone number
- Order history
However, it goes beyond that. Chances are, you keep customer/visitor data outside of the above, even if you might not realise it.
Here are a few more types of customer data you probably hold and record:
- AdWords cookies
- Conversion tracking cookies
- Remarketing cookies
- Analytics cookies
- IP addresses
These new GDPR laws are comprehensive and complex. It’s vital you plan now, ready for May 2018. Don’t leave it too late. Your website visitors (and customers) have the right to know what personal information you store about them, and what you intend to do with that information. As of 25th May 2018, failure to comply with GDPR could result in a business fine for non-compliance. To ensure your business is GDPR compliant, read this in-depth guide that covers the most frequently asked GDPR questions.
You will need to ask your visitors for their for permission!
GDPR clearly states that you will need to explicitly ask permission to use someone’s data. Auto-opt-in is no longer a viable way of conducting business. You can no longer assume you have permission – even if that website visitor places an order and becomes a customer.
It is also no longer OK to pre-tick a subscription box or use double negative words when asking visitors to sign up for your newsletter. You should work on earning that consent now. Don’t wait until the 25th of May 2018!
It doesn’t stop there. Making the sign-up process as obvious as possible isn’t enough. You also have to keep a record of when each individual gave you permission to contact them and note down exactly what they were shown when they opted into your communication channels.
There is a caveat, though. GDPR may conflict with other laws.
One thing that GDPR does specifically state, though, is that if it conflicts with any other law, you should pay attention to the original law, instead. This means the PECR legislation takes precedence over GDPR where there’s a conflict when it comes to email and telephone marketing.
Oddly, PECR does allow what they call ‘soft opt-in’. This essentially means that if you acquired a customers contact details when they placed an order then it is acceptible to communicate with them about the same kind of things they were originally interested in.
Just to make this whole thing even more complicated, though, PECR is possibly being replaced. Parliament is discussing stricter ePrivacy laws and nobody is sure whether ‘soft opt-in’ will remain.
For now, it is probably best to always aim to get explicit opt-ins from your customers. It might seem like everything is bad news, but there’s a huge advantage of explicit opt-ins – everyone in your communication list actually wants to receive contact from you! Anyone who prefers a large email list over a quality email list is just kidding themselves. Quality should prevail over quantity every single time.
You will need to clearly highlight how visitors & customers can stop all communications with you.
You should always accept requests from people who no longer want you to communicate with them, but unfortunately, there are lots of companies who ignore these requests. Well, not anymore!
You now have to make it easy for anyone to opt-out of receiving communications from you. You have to make it very clear how to opt-out in all your phone/email/print communications.
Once someone has opted out of receiving communications from you, it’s imperative that they no longer receive any form of communication from you otherwise you could land yourself in big trouble. To ensure these customers don’t fall back into communications, keep a ‘do not contact’ list and ensure these people are never added back to any of your marketing lists. Failure to comply could result in large fines from regulators.
GDPR requires your website and your data to be secure!
GDPR states that you have to provide a secure website when visitors pass their data onto you. You also have to store their data in a secure environment. This means you will need an SSL certificate if visitor/customer data passes to you from your website. Visitor data can be anything from an email address, phone number or even cookies. Ensure that any page on your website which asks for any information from a visitor is secured using an SSL. Read this beginners guide to understanding SSL and why it’s going to be extra important when GDPR kicks in.
It’s good to see that Google is actually ahead of the GDPR regulations in this instance. They announced earlier in 2017 that if there’s any sort of form on your website and the page is displaying insecurely via HTTP, they will show an insecure message to the visitor. This obviously only applies to people using Google Chrome at the moment, but other browsers may or may not follow suit in the near future.
GDPR regulation in summary. How can you best prepare?
If you only read one paragraph of this post, read this one.
GDPR is a complicated beast. Scrap that…a very complicated beast! However, it’s easy to stay on the right side of the law if you try to put yourself in the shoes of your marketing ‘victim’. It might even make your marketing and sales processes more efficient, as you won’t be wasting time on the wrong people.
If you have a bit of spare time to do some deeper reading then you should read this ultimate guide to GDPR. If not, then here’s a short list of GDPR compliance action points which should help you and your business:
- Ensure your website has an SSL certificate and any page where a visitor might process personal data to you is secure.
- Make it as easy as possible for anyone to opt-out of any communications from you.
- Make sure you no longer use auto-opt-in systems – ask visitors/customers for use of their data.
- Set up explicit opt-in processes using double opt-in techniques.
- Keep a do-not-contact list and check it each time you send out any form of marketing material.
- Keep a copy of everything (securely!). Take a screenshot of your opt-in pages and log any changes you make.
- Double check how GDPR may conflict with any other data laws your company currently adheres to.
- Invest in data security – build a system that is secure and up to date with the latest technologies.
- Think about what data you may be storing about your visitors/customers
- Read this 12 action step guide about preparing for GDPR