If you didn’t already know what GDPR is, then you probably do by now!! There is a strong chance that you have recently been bombarded with emails and communications from companies trying to get you to re-sign up to their services.
This is because from 25 May 2018 GDPR is introduced in the UK. And it has important consequences for all businesses, both large and small.
So first a very quick introduction to GDPR. To summarise, the European General Data Protection Regulation (GDPR) means that businesses need to get consent from their clients to use and store the personal data they have now, and any they collect in the future.
There are a number of strict rules and very material fines for offenders who fail to adhere to them. And remember that GDPR is not just a one-off date. Businesses need to stay compliant from now on.
The new regulations are generally good for customers. Many businesses, however, face the very real prospect of their customer databases being decimated and having to implement costly changes to their processes, privacy procedures and record keeping to avoid large fines.
What do businesses need to do?
Firstly ask what personal data you currently hold or process. How was it gathered? Where is it stored? What do you do with it?
Next, check the data consents that you have in place. You may have given ‘opt out’ options when you collected specific data (for example from customers), but these are invalidated by GDPR, so using this data for any purpose where consent is required could lead to prosecution. You may have to re-obtain consent from individuals where you are unable to demonstrate that they have given affirmative consent.
Businesses also have an obligation to make individuals aware of their rights. As part of the data collection process, consider whether you need to update your privacy policies or T&Cs.
Have a clear plan for what should happen in the event that you experience a data breach. Understand what data you hold counts as personal, where it’s kept, who has access to it, your mechanisms for spotting a breach and who it should be reported to.And although SMEs with fewer than 250 staff might have a bit more leeway, the reality is companies which regularly use personal data and contact customers will be subject to the key GDPR rules. In practice is better to be safe than very sorry. Yes it’s a distraction. Yes reading and understanding the details of the rules can be turgid stuff but, yes it is very important.
Review your current data
Businesses need to undertake a comprehensive review of the current personal data they hold on customers and contacts. Understand what you hold and where you hold it. Most importantly you need to understand how you got it. The broad rule of thumb is if you didn’t get explicit permission from somebody to hold and use particular personal data, you need to ask for it.
Update your policies and procedures
Make sure you update your ongoing privacy policies to be GDPR compliant - spelling out how you collect and store data, what data you will collect and how you will use it. And you need to put new ongoing data procedures in place. Make sure that you renew permissions from ‘inactive’ customers every year. You need to make sure you can easily access all the personal data you have on any particular customer if they want to exercise their rights to be ‘forgotten’ and be deleted from your database.
What constitutes personal data?
Be warned - personal data is defined very widely. Personal data is more than just a name and email. It can include anything from an IP address to political leanings and ethnicity. Personal data can also include data stored on anything from a spreadsheet to a mobile phone - not just a marketing database.
Make it easy for customers to give permission
It is good practice to make it easy for customers to update and change their data and communication preferences. Staff training on what constitutes personal data and what you can and can’t do with personal data is also important.
Data from suppliers
Also remember that if you either bring in personal data from suppliers or they use your customers' personal data to provide services, you should review the contractual commitments of all the parties involved, and any practices and policies a supplier may have which could impact your own GDPR compliance and wider reputation.
Use GDPR to your advantage
It is not all bad news for businesses. Indeed, GDPR could represent an opportunity rather than a curse.
Once you have sorted out your existing data and found the right and compliant way to process new data, then you need to see if you can use GDPR to your advantage. In the short-term the likelihood is the size of the database (that you can legitimately contact) will shrink significantly - which is why a lot of companies are desperately emailing you to get your consent to send further communications.
But a bigger database does not necessarily mean better. Remember that after GDPR you will have a contact base of customers that really want to engage with you and hear from you.
If you target these customers in the right way they can be far more valuable to you than a huge database of people who can’t remember why or how they signed up to your services in the first place and continue to ignore (or get angry about) your communications. Your loyal customers can be crucial advocates and supporters for you if treat them correctly.
Promoting the fact that you are a GDPR compliant business, to your current and future customers, can be a great way to win business instead of losing it. If you can demonstrate you take personal data seriously and treat customers with respect then they will respect you more for it. Smart companies can use GDPR to win business by cherishing, nurturing and engaging with their valued customers - which after all is what good business should be all about!
How to get more information
It is tempting to think that new European rules don’t apply to your business. But they do, and they are likely to remain in force after Brexit. The Information Commissioner's Office has a wealth of information to help businesses - including a free guide about how to prepare for GDPR.