Nat Sharp

GDPR and marketing - what does it mean for a small business?

Updated: Oct 17, 2021


It has been a while since the General Data Protection Regulation (GDPR) was the talk of the town. But it is here to stay, and many businesses still find it confusing to know what they need to do. After it was introduced nearly two years ago, many businesses stopped direct marketing, in particular email marketing. It hit marketing hard.

I talked to Julianne Green, a GDPR specialist from JXG Management Solutions with nearly 30 years' experience in the banking and compliance industry. To date she has helped over 25 businesses of varying sizes, from across a range of sectors, become GDPR compliant.

Here are the vital things you need to know as a small business owner and what it means for marketing.

What does being GDPR compliant mean to a small business owner?

GDPR compliance is a requirement of all businesses, whatever size or sector you might be in. Even sole traders need to make sure they comply.

I often liken it to an insurance policy: it's one of those things that's a pain to sort out, but if you haven't got it in place and something goes wrong, it could be a very costly mistake!

GDPR is all about accountability, evidence and processes. There is a lot of thinking 'what if', much like the insurance scenario.

How does it impact on marketing?

GDPR was never designed to be a barrier for business and shouldn't stop you carrying on with your previous marketing activities. What has changed is the thought process behind the consent you have to actually contact someone. Have you got their express permission to call or email them? Can you evidence that they have given consent, or that you have a legitimate interest in making contact?

For example, say you are a company that sells children's clothes online. You'd probably have a database of customers who have bought from you. On the back of a purchase, you might add them to a monthly mailing list for a catalogue. This is fine, as there is a legitimate interest here because they have purchased from you. However, GDPR requires that customers can now unsubscribe or opt out of receiving these types of emails without consequence. So, they might still want to buy from you but not get regular emails.

You should also have a way of capturing their consent to 'stay in touch'. This could be an opt-in box on an order form, or you could ask them outright; just make sure you have a way of evidencing their consent.

You also need to think about what actual information you are holding on individuals: is it all relevant, and how long have you had it? I would suggest databases are reviewed on a yearly basis and, to be honest, if someone hasn't bought something from you for 18 months, you should probably delete them from your database. Don't keep things you don't need! Having a retention policy in place will also help with this and let your staff know when they should get rid of things.

Can you still email prospects or send them letters in the post?

Yes, but think about how you got their information in the first place. Buying in databases is a big NO under GDPR, as there is rarely evidence of consent for the information being passed on. You just need to think: do I have permission or a legitimate reason for contacting this person?

If they have given you a business card or you met them at a networking event or trade fair then yes, that’s both legitimate and consent.

If you’ve seen an advert for a business you think might be useful to work with, again this is legitimate, and their advert is giving you consent.

However, cold calling and mass email marketing are a much broader topic. Under the Privacy and Electronic Communications Regulation (PECR) and the Telephone Preference Service (TPS), individuals have specific rights and control regarding electronic and mailing contact, and you should always check the rules on this first before starting any marketing campaign.

The ICO, which is the UK's independent authority and governing body for Data Protection, has had a big crackdown on nuisance calls, especially in the claims management services sector. Here is the link to the ICO section on electronic and telephone marketing.

And existing customers?

As previously mentioned, existing customers will either have given their consent or you will have a legitimate interest in contacting them because they have bought a product or service from you. Just make sure you give your customers the option to opt out or unsubscribe if they want to. And also make sure you have a way of monitoring this, so they don't accidentally get sent something! Keep your databases refreshed on a regular basis and get rid of redundant customer info.
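The two answers above describe a routine a small business can actually run over its customer database: honour opt-outs before anything goes out, record the consent or purchase that justifies each contact, and delete records that have gone stale under the 18-month retention rule. The script below is an added illustration of that routine; it is not code from the article or from JXG Management Solutions. The contact records, email addresses and dates are constructed for the example, and treating the later of "last purchase" and "consent date" as the record's last activity for retention purposes is an assumption of this example, not a rule stated in the interview.

```python
"""Mailing-list hygiene check: suppress opt-outs, apply a retention rule and record the
lawful basis for every contact before a campaign is sent.  Illustrative example only."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

RETENTION_MONTHS = 18   # the interview's rule of thumb: no purchase for 18 months -> delete


@dataclass
class Contact:
    email: str
    last_purchase: Optional[date] = None   # None if this person has never bought from you
    consent_source: Optional[str] = None   # where consent was captured, e.g. "order-form opt-in"
    consent_date: Optional[date] = None
    opted_out: bool = False                # set the moment they unsubscribe


@dataclass
class Decision:
    email: str
    action: str   # "send", "suppress", "delete" or "no-lawful-basis"
    reason: str   # the evidence you would point to if the ICO asked


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def lawful_basis(c: Contact) -> Optional[str]:
    """Return the recorded basis for contacting c, or None if there is no evidence on file."""
    if c.consent_source and c.consent_date:
        return f"consent: {c.consent_source} on {c.consent_date.isoformat()}"
    if c.last_purchase:
        return f"legitimate interest: purchase on {c.last_purchase.isoformat()}"
    return None


def review_contact(c: Contact, today: date) -> Decision:
    # 1. Opt-outs are honoured first, so an unsubscribed customer can never be mailed by mistake.
    if c.opted_out:
        return Decision(c.email, "suppress", "opted out; do not send")
    # 2. Retention: last activity = later of last purchase and consent date (example assumption).
    activity = [d for d in (c.last_purchase, c.consent_date) if d is not None]
    if activity and months_between(max(activity), today) > RETENTION_MONTHS:
        return Decision(c.email, "delete", f"no activity for more than {RETENTION_MONTHS} months")
    # 3. No consent and no purchase on record (e.g. a bought-in list): do not send.
    basis = lawful_basis(c)
    if basis is None:
        return Decision(c.email, "no-lawful-basis", "no consent or purchase on record")
    return Decision(c.email, "send", basis)


def review_database(contacts: List[Contact], today: date) -> List[Decision]:
    """Run the review over every record; the result is both the send list and the audit trail."""
    return [review_contact(c, today) for c in contacts]


def mailing_list(decisions: List[Decision]) -> List[str]:
    """Only the addresses with a recorded lawful basis and no opt-out go to the campaign."""
    return [d.email for d in decisions if d.action == "send"]


# Constructed sample database (not real customers) and a fixed review date.
TODAY = date(2021, 10, 17)
SAMPLE_CONTACTS = [
    Contact("alice@example.com", last_purchase=date(2021, 6, 1)),
    Contact("bob@example.com", last_purchase=date(2021, 8, 15), opted_out=True),
    Contact("carol@example.com", last_purchase=date(2019, 12, 1)),
    Contact("dave@example.com", consent_source="business card at trade fair",
            consent_date=date(2021, 9, 10)),
    Contact("erin@example.com"),   # came from a bought-in list: nothing on record
    Contact("frank@example.com", last_purchase=date(2019, 11, 1),
            consent_source="website opt-in", consent_date=date(2021, 10, 1)),
]

if __name__ == "__main__":
    for d in review_database(SAMPLE_CONTACTS, TODAY):
        print(f"{d.email:<20} {d.action:<16} {d.reason}")
    print("send to:", mailing_list(review_database(SAMPLE_CONTACTS, TODAY)))
```

Running it lists one decision per record with its reason, which is the kind of evidence trail the interview keeps coming back to: the "suppress" and "delete" lines are what shows an auditor that opt-outs and the retention policy are actually applied, and the "no-lawful-basis" line is what stops a bought-in list from ever being mailed.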

How does it impact on a company website/what measures do you need in place?

You should have a Privacy Notice on your website, especially if you collect ‘contact details’ from people. If you are selling anything over your site, and taking payment, you should also make sure your site is secure (with the padlock symbol). A cookies policy is also useful, but this is dependent on the type of functionality of your website.

What is a Privacy Notice, and does everyone need one?


A Privacy Notice is basically your evidence to your customers that you are GDPR compliant and that you take keeping their personal information safe seriously! However, just sticking a Privacy Notice on your site does not make you compliant unless you have done all the work that sits behind it!

When I work with clients on their GDPR compliance, the Privacy Notice is the very last thing I look at, almost as a sign-off that we are complete. Your Privacy Notice needs to demonstrate that you've done a Data Audit (i.e. you know what you've got, where it is and what you do with it) and that you've done due diligence on all your third parties as to who you share data with and what they do with it.

Also, if any of your data gets sent outside the UK (if you have third parties involved), you need to know the answer for them as well! It also evidences that you have processes and procedures in place should you have a data breach or are tasked with a Data Subject Access Request.

It is your responsibility to know the trail of where your customer data goes once you've got it. If you ever had a 'Data Protection issue', your Privacy Notice would effectively be 'tested'; if you've not done the background work and can't provide evidence, you could get fined.

Do you really need one? If you hold any data about anyone (staff, customers, suppliers), then yes, you do.

What are the chances of being audited?

At the moment, I would say fairly unlikely, due to the high volume of Individual Rights complaints the ICO is currently dealing with. However, this should not be an excuse to not do anything! If you have a client complain about you to the ICO, they could turn up on your doorstep unannounced; this happened to a company in Chichester back in October!

Are the rules likely to change in the future?

That's a hard one, with the current political situation. Data Protection law was long overdue an upgrade. The last one was in 1998, before the birth of multiple device ownership and smartphones. When the new Data Protection Law was passed in 2018, incorporating the GDPR, it carried with it the essence of the previous DPA but enhanced it for the changes and volume of personal data the digital age has brought us.

In my opinion, there will probably be ‘amendments’ to the DPA2018 over time, particularly as we see the advancement of Artificial Intelligence (AI) creeping into everyday life and I would like to think it will be reviewed a bit earlier than 20 years this time.

Does it still apply after Brexit?

Yes, very much so. GDPR currently sits as an EU law within the UK and so will be adopted as UK law. Nothing will change in the general principles of GDPR. However, if you send, receive or store information in any of the remaining EU countries, you will need to make sure you have a standard contractual clause and sharing agreement in place for any data transfers between EU and non-EU countries. If you have carried out third-party due diligence within your GDPR compliance, you should already know if you are going to need this.

What top tips would you give a small business?

Simple: get yourself compliant! If you were already compliant under the previous law (DPA1998), then you won't be far wrong. The best thing to do is have a quick review; this is basically a test of your privacy notice (if you have one). It is quick and inexpensive and will give you a view of what you need to do, if anything, to get yourself fully compliant.

If businesses are not sure, what should they do?

Check the ICO website; it has loads of information for businesses of every size and sector.

However, it can be a bit overwhelming and confusing. If you feel you would like some help, then please don’t hesitate to contact or send an email to

None of this needs to be expensive, and if you don't actually want to bring someone in to do the work, I offer a package where I can send you a toolkit with everything you need to do it yourself; this also includes 2 hours of consultancy time if you have any questions.

At the end of the day, whatever it might cost to get your business compliant, it’s going to be a lot cheaper than a fine from the ICO.

Read more of my marketing tips on small business planning and how to create a marketing strategy for your business.

