Please note that this post is for informational purposes only, and should not be considered legal advice or be relied upon for your GDPR compliance*.
It doesn’t apply to me!
Oh yes it does. Every single business. It is your responsibility as a business owner (no matter how small) to conduct your own GDPR data audit and take actions to comply with GDPR by the deadline of 25 May 2018.
You should also note that the ICO has categorically stated there will be no ‘grace’ period, so you need to take action now to ensure you are compliant by the date this becomes law in the UK, alongside the rest of Europe, on 25th May 2018.
But we’re leaving the EU so it doesn’t apply!
Brexit does not affect this and your business must still comply regardless of the UK’s decision to leave the EU.
So what is GDPR?
If you have been hiding under a rock for the last few months and haven’t heard of GDPR, or you need a refresher, please familiarise yourself with the new regulations by reading this ICO guide before working through the marketing checklist below:
An important GDPR principle to understand when reviewing all of your marketing activity
There are six lawful bases for processing an individual data subject’s data, of which Consent is only one.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The ICO has stated that Direct Marketing is a legitimate interest. It appears that most small businesses’ processing will fall under Consent, Contract and/or Legitimate Interests.
The first steps to GDPR compliance
I would highly recommend that your first step is to audit all of your data usage, processing and storage across your entire business, paying particular attention to marketing/website, IT and HR.
You then need to identify your lawful grounds for processing such data; how long such data should reasonably be kept for; and the process by which an individual can request that their data is removed.
I feel that common sense should prevail – some business data and records you will need to retain because there is a legitimate (business) interest (e.g. quotes, proposals, invoicing or accounting records that are required to be kept for a number of years and need to be relied upon in the case of a client query or repeat business).
A GDPR Marketing Checklist
1 Marketing Email Lists, Direct Marketing & Customer Databases
In most cases, email marketing lists must show clear consent with proof of how an individual data subject provided their consent for you to send them marketing emails.
The new law provides five other ways of processing data (as stated above) that may be more appropriate than consent. For example, if you have a client email list you may feel that Legitimate Interests is your grounds for processing and sending marketing emails. The ICO has stated that Direct Marketing is a Legitimate Interest.
In my opinion, best email marketing practice is always permission based and that relies upon Consent.
Using Email Marketing Software (EMS)
If you use MailChimp, for example, the date, time and IP address are captured to show when consent was given.
If you use another EMS please check with your vendor and get written confirmation of GDPR compliance.
Using Bought-in Data Lists
If you upload bought-in lists you must have proof of consent from the third-party supplier for each individual on that list. I suggest you get this in writing. This applies to business and consumer data alike; GDPR recognises no difference between them.
Email Marketing Opt-in Tick Boxes
A single broad consent opt-in box that covers all the different data processing you will be doing – i.e. fulfilling an order, sending a quote, registering for an event and sending direct marketing emails – will NOT be good enough for the GDPR standard. You must collect a separate opt-in for each type of processing.
What the ICO states:
Good practice would be to list the different purposes with separate unticked opt-in boxes for each or Yes/No buttons of equal size and prominence. Opt-in boxes can be prominently placed in your privacy notice. Alternatively, with online products and services you may wish to use ‘just-in-time’ notices so that relevant information appears at an appropriate time – see the ICO section on just-in-time notices for more detail.
You should also consider how you can obtain consent following any changes to your privacy notice, and how individuals can revoke this consent if they do not agree with these changes.
If you are asking people to consent to receive direct marketing, then, in addition to the DPA requirements, specific rules apply to this under the Privacy and Electronic Communications Regulations (PECR).
If you want individuals to consent to direct marketing, you should have a separate unticked opt-in box for this, prominently displayed. Consent may not be needed to undertake direct marketing by post or phone call (unless the individual is registered with the Telephone Preference Service) if another processing condition can be relied on, but the ICO considers gaining consent to do this to be good practice and the most advisable approach.
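The evidence described above (a date, time and IP address per opt-in, one unticked box per purpose, and a way for the individual to revoke consent) can be kept as a simple per-purpose consent ledger. The following Python is an added example written for this post; it is not code from the original article, from MailChimp or from the ICO. The purpose names, form field names, IP address, dates and the catch-all field name `all_processing` are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Each processing purpose gets its own unticked opt-in box on the form (constructed list).
PURPOSES = frozenset({
    "order_fulfilment",
    "quotes",
    "event_registration",
    "direct_marketing_email",
})


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in or withdrawal, with the evidence needed to show when and how it happened."""
    subject_id: str
    purpose: str
    granted: bool            # True for an opt-in, False for a withdrawal
    recorded_at: datetime    # UTC timestamp of the opt-in or withdrawal
    source_ip: str           # where the request came from
    method: str              # e.g. "signup_form_v2" or "unsubscribe_link" (constructed names)
    notice_version: str      # privacy notice the person saw at the time


def parse_opt_ins(submitted_fields: dict) -> dict:
    """Map submitted form fields to one boolean per purpose.

    Missing fields count as NOT ticked (boxes are unticked by default),
    unexpected purposes are rejected, and a catch-all box is refused because
    consent must be specific to each purpose.
    """
    if "all_processing" in submitted_fields:   # hypothetical catch-all field name
        raise ValueError("a single catch-all consent box is not specific enough")
    unknown = set(submitted_fields) - PURPOSES
    if unknown:
        raise ValueError(f"unknown purposes: {sorted(unknown)}")
    return {p: bool(submitted_fields.get(p, False)) for p in sorted(PURPOSES)}


class ConsentLedger:
    """Append-only consent log; the most recently recorded event per (subject, purpose) wins."""

    def __init__(self) -> None:
        self._events = []

    def record_form(self, subject_id, submitted_fields, source_ip, method, notice_version, now=None):
        """Store one grant event for every box the person actually ticked."""
        now = now or datetime.now(timezone.utc)
        grants = []
        for purpose, ticked in parse_opt_ins(submitted_fields).items():
            if ticked:  # unticked boxes leave no record, so nothing is assumed by default
                ev = ConsentEvent(subject_id, purpose, True, now, source_ip, method, notice_version)
                self._events.append(ev)
                grants.append(ev)
        return grants

    def withdraw(self, subject_id, purpose, source_ip, method, now=None):
        """Record a revocation for one purpose only; other purposes are unaffected."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        ev = ConsentEvent(subject_id, purpose, False, now or datetime.now(timezone.utc),
                          source_ip, method, notice_version="n/a")
        self._events.append(ev)
        return ev

    def latest(self, subject_id, purpose) -> Optional[ConsentEvent]:
        matches = [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]
        return matches[-1] if matches else None

    def may_process(self, subject_id, purpose) -> bool:
        """True only if the most recent event for this purpose is a grant."""
        ev = self.latest(subject_id, purpose)
        return ev is not None and ev.granted


def demo() -> dict:
    """Constructed walk-through: one sign-up, then a marketing opt-out."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 1, 9, 30, tzinfo=timezone.utc)
    # Constructed submission: the visitor ticked two of the four boxes.
    ledger.record_form("subject-42", {"quotes": "on", "direct_marketing_email": "on"},
                       source_ip="203.0.113.7", method="signup_form_v2",
                       notice_version="2018-04", now=t0)
    before = ledger.may_process("subject-42", "direct_marketing_email")
    ledger.withdraw("subject-42", "direct_marketing_email", source_ip="203.0.113.7",
                    method="unsubscribe_link", now=t0.replace(hour=10))
    return {
        "marketing_before_withdrawal": before,
        "marketing_after_withdrawal": ledger.may_process("subject-42", "direct_marketing_email"),
        "quotes_still_ok": ledger.may_process("subject-42", "quotes"),
        "events_never_ticked": ledger.may_process("subject-42", "event_registration"),
        "evidence_ip": ledger.latest("subject-42", "quotes").source_ip,
    }
```

Each purpose is checked on its own, so withdrawing marketing consent does not silently revoke the consent that lets you send a quote, and a purpose that was never ticked is never treated as consented. Because the log is append-only, the grant event (with its timestamp, IP address and notice version) survives the later withdrawal and remains available as evidence.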
This is what the GDPR has to say about the information companies provide about personal data processing – it must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
The ICO states:
“being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”
What’s more, the information you must provide is changing, too. The lawful basis for your data processing, how long you’ll keep the data for, and the individual’s right to complain are all set out in the GDPR as information to be given.
The following questions should be considered when writing a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
It is good practice to use the same medium you use to collect personal information to deliver privacy notices. So, if you are collecting information through an online form you should provide a just-in-time notice as the individual fills out the form. It would not be good practice to collect information through the form and then email the individual with a separate link to a privacy notice.
You must also consider how people will view privacy notices on portable devices (smartphones, tablets). You must ensure that privacy notices are as clear and readable on these devices as on a computer screen. The text should be large enough to read, people should not have to zoom in to see it, and the information should fit on the screen as normal.
Notices – Website Contact Forms
Notices – Email Data Capture Tools i.e. Whitepapers, Ebooks or Email sign up forms
3 Networking & Business Cards
Meeting individuals at a networking event and then adding them to your contacts or an email marketing list will not be permitted without consent; you will need consent regardless of whether they represent a business. If you are processing their name, telephone number and email address, this is personal data.
Please note that even business card data you have added to your Outlook (or other email client) contacts then constitutes a database and must be GDPR compliant.
I hope you have found this top-level marketing and website checklist helpful in preparing for GDPR.
Useful Resources & Further Reading:
I have conducted extensive research into GDPR and have an active working knowledge intended to help my clients to become better prepared ahead of GDPR coming into force. However, I do not provide legal advice on the GDPR and cannot be held responsible for GDPR compliance of any organisation other than my own; it is the responsibility of each business to ensure their own compliance with GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information: www.ico.org.uk