If you are still not sorted with what you need to do to make your business GDPR compliant, then check out my blog, which may cast some light on the subject – with the disclaimer that this is just my opinion and I’m not qualified to advise you on this!
Avoiding the GDPR hangover
I’m sure you’ve heard about GDPR and are likely to be somewhere between panicking (because you’ve not looked at it or are totally confused) and being totally ready. I’m guessing if you feel totally ready and are already compliant, you wouldn’t be reading this!
Wherever you are with it, you need to act fast as the legislation comes in on May 25th. If you’re not yet sorted on what you need to do, don’t beat yourself up. It is massively complex legislation and it’s been a total minefield for everyone to figure out, because the legislation is very open to interpretation (which everyone is doing differently).
For me, I looked into it a while back and thought I knew what I needed to do. Then a lot of the understanding changed as more information and guidance came to light, so suddenly (these last 2 weeks) I’ve been hurriedly focusing on getting my head around it. Hence this blog and email being so close to the wire!
With this blog, I just wanted to help anyone who is still confused or overwhelmed about it and give you some guidance on how to avoid a nasty GDPR hangover on May 25th.
Basically, if you hold any personal data (of clients or enquiries), you need to comply with this new legislation, GDPR.
As an authentic business with integrity, I am sure you’ll want to be compliant.
Before we start, I need to place a massive disclaimer here. I am not a lawyer, nor am I qualified to advise you in any way on this legal stuff! So I’m writing this from one businesswoman to another – that’s all. Anything you decide has to be based on your own research and be your own decision.
I am hoping to cast some light and to help you with some basics. How you proceed and what you implement will depend on your relationship to risk. As I’ve said, the regulation is very complex and it is not black and white – it is very open to interpretation. However, I will give you some hopefully useful information on how you can get it sorted.
What is GDPR?
From 25th May 2018, new European legislation comes into force ensuring that businesses behave responsibly with the personal data they manage, under the General Data Protection Regulation (or GDPR as it is more commonly known).
Why it’s a good thing
First of all, the legislation is a good thing. I know it can feel very much like it’s not, because as a business owner you have all this work to do to figure stuff out and things you need to change to be compliant, and quite frankly it’s a pain in the bum.
However, it is forcing businesses to be more transparent and as an authentic marketer, I do welcome that!
So, it’s a good thing for you and your business.
For you personally, it will reduce your email marketing ‘spam’ (hurrah), but do think about the small businesses you support or would like to continue to hear from. Are you getting value? If so, stay with them.
For your business, you should have a more highly engaged email list (albeit smaller in size), which also means the deliverability rate should increase. It’s a chance to clean up your inbox because, if a high % of your list is un-engaged or not even receiving/seeing your emails (because they go into spam or a ‘promotions’ inbox), then it is dragging down the deliverability rate of all of your email campaigns, and that’s not a good thing.
Do you need to comply?
Think about all the personal data you hold, have or process (e.g. email address, name, address, phone number, health information etc.). This could be for current clients or previous clients, leads you’ve had that you’re following up with, or people you have on your marketing email list.
It doesn’t matter whether this information is held on a spreadsheet, in a document, on pieces of paper or in an email service provider like MailChimp. If you have the data and you use it, you need to comply with GDPR.
When it comes to your email marketing list, to continue to hold personal data you will need consent from the subject. Regarding this the regulation states “consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.”
What this means is that you have to be super clear what people are giving consent to and not bundle several things together; they have to positively opt in (rather than being automatically added to your list or needing to opt out); it must be easy for them to opt out (without penalty); and people must still be able to buy from you without having to receive further marketing communications. You are allowed to send them reasonable communications related to what they bought, but not market to them over and over unless you have consent.
Think of it like dating. If you got someone’s number (by whatever means), called them and left a message three times over a couple of weeks, but heard nothing back, it wouldn’t be OK to keep calling them – even though they gave you their number in the first place.
If you are holding information for reasons other than marketing, ie they’ve been a client or have made an enquiry to your business, then you should be able to prove that you hold their data for a legitimate business reason (called Legitimate Interest). To do this you need to complete a Legitimate Interest Assessment form.
What you’ll need (or need to look into)
What you’ll need to do will be unique to your business, depending on what data you hold and how you use it. I work with service providers such as therapists, consultants, coaches and teachers (and I am one), so my guidance is geared towards those kinds of businesses.
- An up-to-date privacy notice (aka policy) on your website that covers all the legal information required about why you need their data, how you’re storing data etc.
- Re-consent your email list. No one will truly have been complying with GDPR as it stands now, so you will need to get consent again from your email subscribers (in a GDPR-compliant way*) if you want to contact them after May 25th.
- If you get contacts manually in future (e.g. they attend your event or a talk you do), you will need a privacy notice for them to read and a privacy statement for them to agree to.
- Be careful emailing past clients, old contacts etc. without being very clear about why you’re holding and using this data under ‘legitimate interests’.
- If you hold sensitive information, e.g. about health, political views etc., you will need to get a higher level of consent from them.
- Behind the scenes, there are also other things you could need to have in place, such as a data breach action plan and risk assessment, legitimate interests assessment, processor agreement and data transfer checklist.
- Record keeping: you should keep a record of how every person’s data came into your possession and exactly what they were told at the time.
- You also need to document your decision making around any of the above!
- Check whether you need to register your business with the ICO (Information Commissioner’s Office) here (I did!): https://www.gov.uk/data-protection-register-notify-ico-personal-data
*How to get consent in a GDPR-compliant way is probably the most controversial and confusing bit, so I’m afraid I’m not going to go into it as everyone has a different opinion. What is clear is that (in addition to the way you get consent – above) you need to link to your privacy notice and state how they can unsubscribe at the point they give consent. You can check out my sign-up form below to see what I’ve done.
How to get help
I know it’s very close to May 25th, and I have to say I’ve been late in getting compliant too! In reality, as a small business, you probably don’t need to panic as there will be a grace period provided you are working towards being compliant. What you need to watch out for are those people (you know the types) who will pick you up on it and complain either to the regulatory authority or shout about it on social media. Obviously, you want to avoid either of those scenarios!
If you want to get clear on what you need to do and how to do it, quickly, from a trustworthy source, I recommend buying a GDPR pack from lawyer Suzanne Dibble, who has created a super comprehensive and simple pack with everything you will need to know (and more) to get your business GDPR-compliant. You can check that out here (which is my affiliate link so I will receive a small commission). It’s been key for me to get ready without going insane, in just a few days!
If you’re not sure what you need to do re: GDPR, you can download her FREE GDPR checklist here which will help you understand what you need to take action on.
Suzanne also has a free Facebook group, but to be honest there is far too much information in it (like hundreds of videos and posts). It is useful (if you can find what you’re looking for), but be aware that as more clarity surfaced, the information changed, so always look for the latest video on that subject.
There is also a lot of information on the ICO (Information Commissioner’s Office) website here.
For me, the huge amount of information around was such a minefield that I found buying Suzanne’s pack was worth every penny as it had everything I needed and was straight to the point, without all the extra information!
So, if you’re short on time, I would honestly just buy that and get it sorted asap!
DISCLAIMER (again): this is all simply my personal opinion and cannot be taken as advice, legal or otherwise. Go and do your own research and figure out what you need to do – then go and do it!
I hope that’s been useful. Please comment below and let me know how you’re getting on with GDPR. Thank you.
If you found this blog useful or interesting, I’d appreciate if you would share it on one or more of your social platforms.