GDPR – What You Need To Know
Email is one of the best mediums for connecting with your prospects and customers… until now! You’ve probably heard of GDPR – the General Data Protection Regulation, which will come into force on May 25th 2018…
And if you do ANY kind of email marketing and lead generation activities in your business, you NEED to read every word of this post, because this is going to affect YOU.
Specifically, this will affect how you contact your audience and how you store and handle their data.
Get this wrong, and it means you won’t be able to email anyone in the UK or the EU… Furthermore, you could be subject to a fine of 20 million Euros or 4% of your global revenue.
Scary I know.
So in this post, I’m going to try and break down what GDPR is, how it will affect you and what you need to do to put things right in your business (and avoid getting hit with a huge penalty).
I’ve spoken with several of my clients and no one seems to know enough about GDPR and how it’s going to affect their business. And this is a worrying sign indeed.
People know they need to be GDPR compliant, but what does this actually mean? In a nutshell, GDPR is a new set of laws which directly impact the way you handle, store and deal with data from your audience and also in how you communicate with them.
Now you may or may not be familiar with the CAN-SPAM laws in the US, and many other countries have their own variation on data protection laws. These laws are inherently designed to protect consumers, and with good reason.
The average person is said to receive around 121 emails per day – which is a LOT – and many of these are unsolicited emails. This means that you didn’t ask to receive them. And this is a HUGE problem. Spamming happens all the time and as someone who writes emails for a living and whose bread and butter depends on crafting stellar emails for my clients, I can certainly attest to the fact that I’m overwhelmed by the number of emails I get a day.
I certainly wouldn’t be exaggerating if I said I literally do receive hundreds of emails (I have 3 email accounts!). For me personally, it’s infuriating to say the least when I get emails I don’t want or didn’t ask for.
Many of the things I opted in for I don’t get the time to read. I literally have a small handful of emails I open and read all the time – and these are from well-known marketers whose stuff I’ve bought and who I know will add value to my life.
Everyone else gets either ignored, deleted, sent to junk or another folder, or I simply unsubscribe. Because in the end, it can all get a bit too much for me.
So as someone who writes and sends emails for a living and also receives emails, I see both sides of the coin.
So while the whole GDPR thing seems daunting, the flip side is that email inboxes will become less cluttered in the long run and only the information you REALLY want and need will be in there.
As a business owner, your primary concern should be two things:
- Making sure you’re GDPR compliant
- Keeping your prospects and customers happy
So let’s talk about both of these.
GDPR Compliance And You
GDPR is a major regulation that’s been a couple of years in the making and will ultimately give consumers greater control over how their data is handled.
GDPR is being introduced to replace the current EU E-Privacy Directive, which currently allows each country in the EU to interpret the directive (basically a set of guidelines) a bit differently.
As you can imagine, having different rules for each country can be a pain to manage – and it also means that business owners just like you struggle to know what’s acceptable and what’s not.
That’s why GDPR will replace all of the current directives in the EU… and while this is ultimately a good thing, the downside is that this is an actual law rather than a set of guidelines and also means the penalties for getting this wrong are REALLY severe.
As a business, you could be fined up to 20 million Euros (yes, you read that right) or 4% of your global revenue – whichever is bigger.
The long and short of it is this: your customers and prospects have a greater level of control over their data than ever before. They have a right to have their personal data protected at the highest levels. GDPR also gives people the right to complain and have things set right if their data is misused in any way.
Now you understand what GDPR is and why it’s coming into force, what does this mean for you? What can you do as a business to protect yourself and your audience?
Glad you asked.
This really comes down to how personal data is defined and in the case of GDPR, this is virtually any data that could be used to identify an individual – whether the data is used on its own or in conjunction with other data to reveal the identity of someone.
This can therefore apply to:
- Email addresses
- Social media IDs
- Social media updates
- Phone numbers
- Addresses
- Computer IP addresses
- Names
- Photos
- Bank details
- Location
- Medical details
Even if these things by themselves might not identify someone, if there is any capacity for this information to be used in conjunction with any other identifiers, this could be a problem for you.
As a business, how you capture, store, process and use this information is CRUCIAL – and more importantly, what you tell people about how their data is handled is absolutely critical to the survival of your business.
And the bottom line is you need to be 100% transparent in how data is used and processed. Your audience should explicitly know your intent and what you will actually do with their data, as well as the details of how it is handled. They also have the right to demand complete deletion of their personal details.
According to SuperOffice, under the GDPR, individuals have:
- The right to access – this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
- The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
- The right to data portability – individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine-readable format.
- The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
- The right to have information corrected – this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
- The right to restrict processing – individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
- The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
- The right to be notified – If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
(source: https://www.superoffice.com)
Here’s How This Applies To YOUR Business:
- 100% transparency in how you collect, store, use, process, disseminate and delete data
- You MUST tell your audience what you will do with their data – period!
Information on what you do with the data must be clear and never vague.
You MUST tell your audience when you:
- Store cookies on their computer to collect user behaviour
- Tag users when they open emails or take a certain action
- Make offers to them based on their actions and behaviour
- Track how they behave in a campaign (link tracking, tagging, email behavioural goals)
- Pixel users from ad platforms such as Facebook
- Re-target users based on pages they’ve visited or products they’ve clicked on
Depending on your business model, you also need to manage people’s consent, subscription data, access to products and services, and potential incidents.
GDPR applies to every business and organization (regardless of whether the business is B2C or B2B) established in the EU. It’s also important to note that even if data is NOT processed in the EU, GDPR rules still apply as long as the business was established in the EU.
Essentially, this covers anything and everything you could potentially do with their data!
While this seems a lot to tell users, there are several measures you can take to implement this in your business.
You have three major weapons in your arsenal to ensure you’re protecting yourself and your users:
Terms and Conditions
Your terms and conditions are very different from your privacy policy. They are basically your terms, conditions, requirements and clauses relating to the use of your website or mobile or desktop app. They also cover copyright protection, account termination in cases of abuse, and so on.
The number one consideration for your terms and conditions is that users must agree to your terms and conditions. More importantly, you need to PROVE they did so.
You should have this information recorded against a user’s name (you need to tell them of course!) so that if any situation arises where a user challenges you, you have proof they agreed to your terms and conditions.
Privacy Policy
A privacy policy is required by law if you collect or use any kind of personal information from your users. Its purpose is to inform users about how you collect and use their personal data.
Your privacy policy MUST be visible at ALL times in your marketing – so landing pages where you collect leads should have a link to the privacy policy that users can read. It should also be available at all times on your website/apps.
You can generate your own privacy policy from https://www.rocketlawyer.co.uk/documents-and-forms/website-privacy-policy.rl# and also from https://www.freeprivacypolicy.com/
Both your privacy policy and your terms and conditions are going to become your new best friends!
While your privacy policy is simply a statement of intent that users can read so they know HOW their data is going to be used, handled, stored and processed, your terms and conditions require people to give their consent. Best practice is having both for your business, and it’s worth contacting a lawyer to ensure you have one that’s adequate and legally binding.
Prompts In Your Communication
Use your website to inform users when you use cookies like this example here:
Add checkboxes on your website for any actions users might take that necessitate you getting permission from them to market to them. This means CLEARLY and EXPLICITLY asking people for their consent to send them communication. Do NOT use pre-checked boxes as these are not enough to be GDPR compliant.
Include a statement of intent so that when a user signs up, they know what they are agreeing to. Use a simple sentence along the lines of:
Yes! I’d like to sign up for personalised emails from (insert your COMPANY name). By signing up, I agree to (your company’s) Privacy & Cookie Policy, as well as their Terms and Conditions.
I also suggest using double opt-in for all of your users for their personal data. By the way, as a confusing side note, if your terms and conditions state how a person’s data will be used and a user agrees to it, then you don’t HAVE to use double opt-in.
You DO however need to use this if you are processing sensitive data such as photos, IP addresses, bank information and medical information etc. If you’re in any kind of doubt at all, use double opt-in as a safeguard for your business.
It also means never spamming users (that’s a given, right?) and always ensuring the emails are in service to the audience. In other words, focus on giving value and creating engagement which is helpful and never annoying or irritating.
It’s worth mentioning that when a new user enters your world, you should also SET THEIR EXPECTATIONS at the start of your relationship with them. By doing this from the get-go, you’re reducing any likelihood of creating problems for yourself down the road.
You MUST allow users the right to withdraw consent to using their information at any time. Therefore, ensure ALL emails sent to users allow them to opt-out of the campaign they are in and also give them the option of unsubscribing from ALL communications from you.
If someone objects to receiving communication from you, GDPR states you MUST have a time-stamped audit trail of when and how the contact opted in. This includes the opt-in form that user completed when they initially opted in to hear from you.
Almost all email autoresponders have this information, so you should be safe. However, if you have your own system emails going out, then you need to have a word with your webmaster to ensure this is the case.
When people cancel their accounts for your product or service, you should make it CLEAR how their data is being stored and handled. Is it being deleted or held?
Whatever the case, users have the right to have this data removed. Your best bet is to include a checkbox and statement people can simply check to remove themselves permanently from all future correspondence.
Here’s something else to be aware of – GDPR doesn’t just relate to how data is handled for NEW users. It also applies to your existing database. This is perhaps the most scary thing of all.
Once GDPR comes into full force on the 25th of May 2018, you can’t legally email your list if you can’t prove how you got them on your list in the first place. You also won’t be able to email them if you don’t have proper permission/consent to do so.
If a user ever challenges you, then legally, you MUST be able to prove you had their consent to contact them and store, handle and process their information.
Therefore, you should record and store all consent forms so in the event of an incident, you are legally protected.
In terms of your existing users and how to bring them up to scratch with GDPR, I would strongly suggest you do a few things:
- Include a specific reminder in your next email about opt-out. I do this by using a PS at the end of an email and saying: No longer want to hear from me? No problem! Simply click here to OPT OUT – and then remove them from the campaign if this is what they select
- Get your list to re-opt-in (using double opt-in of course!) by asking them to sign up for a lead magnet or other awesome piece of content
- You can also simply tell them what’s going on and ask them to opt-in again for this purpose. This approach works well when you have a super-engaged list already. It doesn’t tend to work well with a dead list or one that’s not really engaged
- Purge users on a regular basis – so with one of my clients, I’ve recommended he purge all contacts that are no longer active after 6 months and delete them completely – this should be part of your regular list hygiene process anyway
- If you have two systems in place (one for delivering the product/service and another for marketing such as an email autoresponder) you need to ensure that when someone signs up, they are agreeing to BOTH marketing and updates from your system
- By the same token, when someone cancels their account, you should hit them with a screen that asks them explicitly what they want to do – and yes, this also means they check a box to confirm they want to/don’t want to hear from you again
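The time-stamped audit trail described above (when and how each contact opted in, including the form used), the withdrawal of consent, and the six-month purge suggested in the list are simple to keep in code. The following is an added example, not code from this post: a minimal consent ledger in Python with constructed contact and form names, which treats only a confirmed double opt-in that has not since been withdrawn as permission to send.

```python
from __future__ import annotations
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone

@dataclass
class ConsentEvent:
    at: datetime   # UTC time stamp of the event
    action: str    # "opt_in" (form submitted), "confirmed" (double opt-in link clicked) or "withdrawn"
    source: str    # the form or page the contact used (names in demo() are constructed)
    purpose: str   # what was consented to, e.g. "marketing"

@dataclass
class Contact:
    email: str
    events: list[ConsentEvent] = field(default_factory=list)
    last_active: datetime | None = None  # last opt-in, confirmation or withdrawal seen

class ConsentLedger:
    """Per-contact audit trail of every opt-in, confirmation and withdrawal."""
    def __init__(self) -> None:
        self.contacts: dict[str, Contact] = {}

    def record(self, email: str, action: str, source: str, purpose: str, at: datetime) -> None:
        c = self.contacts.setdefault(email, Contact(email))
        c.events.append(ConsentEvent(at, action, source, purpose))
        c.last_active = at

    def proof_of_consent(self, email: str, purpose: str) -> list[dict]:
        """The time-stamped trail, including the form used, to produce if a contact challenges you."""
        events = sorted(self.contacts.get(email, Contact(email)).events, key=lambda e: e.at)
        return [asdict(e) | {"at": e.at.isoformat()} for e in events if e.purpose == purpose]

    def has_consent(self, email: str, purpose: str) -> bool:
        """Sending is allowed only on a confirmed opt-in that has not since been withdrawn."""
        trail = self.proof_of_consent(email, purpose)
        return bool(trail) and trail[-1]["action"] == "confirmed"

    def purge_inactive(self, now: datetime, days: int = 180) -> list[str]:
        """List hygiene: delete every contact with no activity for `days` (six months by default)."""
        stale = [e for e, c in self.contacts.items() if now - c.last_active > timedelta(days=days)]
        for e in stale:
            del self.contacts[e]
        return stale

def demo() -> dict:
    """Constructed scenario: Ann double-opts in then unsubscribes; Bob submitted a form months ago and never confirmed."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    led = ConsentLedger()
    led.record("bob@example.com", "opt_in", "lead-magnet-form", "marketing", t0 - timedelta(days=200))
    led.record("ann@example.com", "opt_in", "lead-magnet-form", "marketing", t0)
    led.record("ann@example.com", "confirmed", "double-opt-in-email", "marketing", t0 + timedelta(minutes=5))
    before = led.has_consent("ann@example.com", "marketing")      # True: confirmed opt-in on record
    led.record("ann@example.com", "withdrawn", "unsubscribe-link", "marketing", t0 + timedelta(days=3))
    return {"ann_before": before, "ann_after": led.has_consent("ann@example.com", "marketing"),
            "bob": led.has_consent("bob@example.com", "marketing"), "purged": led.purge_inactive(t0)}
```

Bob never clicked the confirmation link, so he is never emailed and is dropped by the purge; Ann's trail still shows exactly when, and through which form, she consented and later withdrew.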
There’s an awesome checklist available for your business direct from the Direct Marketing Association here: https://dma.org.uk/article/dma-advice-gdpr-checklist
What About Cyber Attacks And Security Breaches?
We’re living in a world where cyber attacks and security breaches are becoming almost normal. From the NHS to Facebook and even giants like Google, the potential to have your data compromised is very real.
If you’re online, you’re not immune.
Having personally worked with a business whose data was at one point hacked and compromised, I can tell you that had the business not had the correct consent procedures in place, they could have been financially ruined.
It’s YOUR responsibility as a business to ensure that your users are safe wherever possible. This means taking measures to upgrade the security on your website and also on the servers that host your website.
It also means alerting users to potential breaches of data if that should be the case, as well as informing the ICO (the Information Commissioner’s Office). Here’s a link to everything you should know: https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/security-breaches/
As a final point (we’re almost there, promise!) you need to also ensure all data is kept safe and secure and that you’re using the highest level of security for all your data.
This also relates to where your data is held or stored. For the client I mentioned who had the security breach, thankfully all credit card information was stored with third-party payment providers and their users’ personal data was held in different data tables.
This is the reason why the breach was contained and dealt with very quickly and risk to users was extremely minimal. But that’s not always the case with every business.
There’s a really good checklist on the Cyber Counsel’s website on the storing of data and how it’s handled here: https://www.cybercounsel.co.uk/gdpr-where-do-we-start/
Conclusion
While GDPR is definitely a scary thought, I truly believe that it’s going to mean a safer working environment for everyone. Ultimately, you want your audience to be receptive to your messaging.
GDPR will in the long run mean your email communications are more effective and this will keep your engagement high. By weeding out those who wouldn’t ever want to do business with you anyway, it leaves you to focus on those who DO want to hear from you and are happy to spend with your business too.
And if you feel overwhelmed by any of this and need additional help, I strongly suggest you contact a lawyer who specialises in data protection to ensure you’re fully compliant.
If you found this post useful, please do leave me a comment below!
Arfa