GDPR – General Data Protection Regulation

GDPR (Regulation (EU) 2016/679), the General Data Protection Regulation, was proposed by the European Commission in January 2012 and, after four years of negotiation, adopted in April 2016. It is the data privacy law that applies from 25 May 2018 and replaces the 1995 Data Protection Directive. Failure to comply carries very large fines, imposed by the supervisory authority (the Data Protection Commissioner). It is all about personal rights, security and protecting the data of any identifiable person, such as email address, name, address or postcode, to prevent spamming, abuse or much worse, such as illegal access to bank accounts. This information is 'personal data'; the person it identifies is the 'data subject'.

GDPR governing websites and mailing lists

Our focus is obviously on how GDPR affects us and our own SME clients, with regard to the data we already hold and any data we may intend to hold in the future. This legislation is often discussed in terms of large corporations and unscrupulous marketers, but it applies to every organisation that processes personal data, however small. We will curate this article to keep it up to date with useful advice and tips, to help you become and stay compliant. Meantime, someone in your business needs to take responsibility for ensuring compliance. Check what data you hold, apply new measures to be compliant, and update the terms and conditions and privacy policy on your website. Anyone whose data you hold may ask you for a copy of it, and you must respond within a month. Any breach of the data you hold must be notified to the supervisory authority within 72 hours where feasible, and to the people affected where the risk to them is high. Failure to comply can lead to fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater.

GDPR – our 10 simple recommendations to keep you compliant

1. Email opt-ins: use double opt-in, so that after signing up the person gets an email asking them to confirm that they really did want to receive your communications. Keep the record of that confirmation (who, when, from which form and what they signed up for); it is your evidence that consent was given. Mailchimp will do this for you if the list settings are correct. This covers you going forward.
2. If you already have a list, contact everyone on it and offer the chance to opt out, and keep a record of having done so. Be aware that silence is not consent under GDPR: if you cannot show how and when an address was added, ask those people to opt back in rather than assuming they are happy to stay.
3. Always include an 'unsubscribe' link in every email, and act on it promptly.
4. Publish your terms and conditions and privacy policy on your website and say clearly how you handle personal data. Are people signing up to a mailing list, or just to receive a free guide or something similar? Consent must be informed: say exactly what the address will be used for.
5. Only ask for the minimum amount of data. What do you really need? Name and email might do, so why ask for address or postcode? If you need a postal address or date of birth in order to ship goods, collect it only from real customers, at the point of purchase.
6. Never buy or sell lists. Apart from being wrong, you cannot show that the people on a bought list ever consented to hear from you.
7. Check that third-party applications, such as your CRM or email service, are GDPR compliant. They process personal data on your behalf, so you need a data processing agreement with them, and by default they may collect more information than you need. Turn off the fields you do not use.
8. Do not be confusing when asking for information or asking people to opt in; be clear about what is being offered or asked for, and never use pre-ticked boxes. Be honest.
9. Protect your list data with real security measures (access control, encryption, backups), because you are responsible if it is breached and must be able to show what protection was in place. Ask your insurers whether cyber cover is available if you are worried that your data might be breached.
10. Decide how long you will hold data. If someone buys from you once, are they likely to buy again? If someone bought in 2017 and does not buy again within a set period, say five years, you can decide to delete their details. Set a 'best before' date for each kind of data you hold, write it into your privacy policy and stick to it.
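If you run your own sign-up form rather than relying on Mailchimp, the pieces of the list above that need code are the double opt-in (point 1), the consent record you keep as evidence (points 1 and 2), the unsubscribe action (point 3) and the 'best before' purge (point 10). The following is an added example, not code from this article or from any mailing-list product: it issues an HMAC-signed, expiring confirmation token, records who consented to what and when, refuses tampered, expired or replayed tokens, and deletes stale data. The in-memory dictionaries, the 48-hour token lifetime, the field names and the example key are all assumptions made for the illustration.

```python
"""Double opt-in with a signed, expiring confirmation token and a consent record.

Added example (not the article's own code). The dicts below stand in for a real
database, and the HMAC key is passed in by the caller; in production load it
from configuration, never from source.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 48 * 3600   # confirmation link valid for two days (assumption)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class MailingList:
    def __init__(self, secret: bytes):
        self.secret = secret      # HMAC key used to sign confirmation tokens
        self.pending = {}         # email -> sign-up awaiting confirmation
        self.subscribers = {}     # email -> consent record (the evidence you keep)

    def _sign(self, payload: bytes) -> str:
        return _b64(hmac.new(self.secret, payload, hashlib.sha256).digest())

    def request_signup(self, email, purpose, source, now=None):
        """Step 1: someone filled in the form. Store it as pending and return the
        token to put in the confirmation email. A fresh nonce per request means
        only the latest token for an address is valid."""
        now = int(now if now is not None else time.time())
        nonce = secrets.token_hex(8)
        self.pending[email] = {"nonce": nonce, "requested_at": now,
                               "purpose": purpose, "source": source}
        claims = {"email": email, "nonce": nonce, "exp": now + TOKEN_TTL_SECONDS}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        return _b64(payload) + "." + self._sign(payload)

    def confirm_signup(self, token, now=None):
        """Step 2: the person clicked the link. Returns the consent record on
        success, or None for a malformed, tampered, expired or reused token."""
        now = int(now if now is not None else time.time())
        try:
            body, sig = token.split(".", 1)
            payload = _unb64(body)
            if not hmac.compare_digest(sig, self._sign(payload)):
                return None
            claims = json.loads(payload)
        except (ValueError, TypeError):
            return None
        if now > claims["exp"]:
            return None
        pend = self.pending.get(claims["email"])
        if pend is None or pend["nonce"] != claims["nonce"]:
            return None   # unknown address, already confirmed, or superseded token
        record = {"email": claims["email"], "purpose": pend["purpose"],
                  "source": pend["source"], "requested_at": pend["requested_at"],
                  "confirmed_at": now, "last_activity": now}
        self.subscribers[claims["email"]] = record
        del self.pending[claims["email"]]     # token is single use
        return record

    def unsubscribe(self, email):
        """Point 3: honour the unsubscribe link by removing the record outright."""
        return self.subscribers.pop(email, None) is not None

    def purge(self, now, retention_seconds):
        """Point 10: drop sign-ups never confirmed within the token lifetime and
        subscribers past the 'best before' date. Returns the removed addresses."""
        stale = [e for e, p in self.pending.items()
                 if now - p["requested_at"] > TOKEN_TTL_SECONDS]
        stale += [e for e, r in self.subscribers.items()
                  if now - r["last_activity"] > retention_seconds]
        for email in stale:
            self.pending.pop(email, None)
            self.subscribers.pop(email, None)
        return stale
```

The consent record is the part auditors and data subjects will ask about: it names the purpose the person agreed to, where the sign-up came from and the two timestamps, which is what you need to answer a subject access request or show a regulator that consent was freely given. Because the token carries an expiry and is checked against the pending nonce, a link forwarded or scraped from an old email cannot subscribe someone months later.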

GDPR – Next steps for you

How do you ensure GDPR compliance and manage your existing data without it becoming available to the wrong people? Truth be told, we should not hold data on people just for the sake of spamming them. We should only market to people who are likely to want to hear from us, or people in our industry who may have a legitimate interest in what we have to say. Now is a good time to delete any personal data held on people who are not current clients or very likely potential clients. Why chase after people who do not want what you have to offer, when you could be focusing on those who do?

If you have a 'list', many people on it may have forgotten that they ever signed up to it, so get in touch with them and offer them an opt-out. This re-engagement process is recommended. It gives you an opportunity to connect with your clients or potential clients and offer them a chance to engage with you. It might even start a new conversation. It certainly shows good intent on your part, to avoid being an unwanted intrusion going forward. You may lose people from the list, but if they do not want to hear from you, then let them go. Remember to amend your Ts & Cs and privacy policy so that they state what personal data you collect, why, how long you keep it and how people can exercise their rights.

Useful GDPR links:

A & L Goodbody: website obligations guideline for online traders' websites
EUGDPR
EUGDPR FAQs