GDPR is fast approaching and it will affect EVERY business in the UK and Europe, regardless of whether you’re a large corporation or a small tradesman. GDPR will impact how you deal with your customer’s data from the 25th of May 2018.
Now I’m not a lawyer and won’t try to offer any legal advice, just some tips for your business that you might like to think about.
When you visit a website just look at the top left, next to the website URL/address. If you see a padlock it means that website is encrypted and protected from hackers intercepting the data that you receive from your customers.
The padlock in technical terms is HTTPS (Hyper Text Transfer Protocol Secure). It gives you protection and is one of the elements that are essential for GDPR as if a hacker got your customers data, it would be a breach and you’d be liable for a fine.
It’s also worth pointing out that Google likes websites that are using HTTPS and favours those ones over those that use HTTP when ranking in search results. So, it’s another benefit to having HTTPS added on your website, especially after July 2018 when Google will start marking websites with just HTTP as insecure. They will highlight to visitors that it is insecure, particularly when they input their data into a form, such as a shopping cart on e-commerce websites. This can lose trust in your website and drive business away.
Forms are a crucial area for GDPR because this is where the majority of your customers’ data comes from. Whether it be from an enquiry on the contact page or shopping purchase, your customer provides you with their personal data.
Previously when users give their details or purchase from a website they’d notice – before pressing the buy button – a tick box that was already ticked saying ‘I want to get your newsletter, untick this box to opt out’.
With GDPR coming into legislation, this would be unlawful as the user hasn’t given you their consent to freely opt-in and has to actively opt-out.
To be GDPR-compliant, the sign-up box must be unticked and the visitor must choose to opt-in to receive your emails and it can’t also be “cluttered” with other tick boxes such as one for a newsletter and one for text messages.
If the information relates to, anything that can identify the person (such as their first and last name, address, email address, phone numbers etc) you must be clear to the visitor what they are signing up for and must identify the party that will get access to this data, including any third parties within your organisation. An excellent example for this is, John Lewis, asking for permission on their website for itself, but also for its sister companies such as Waitrose and John Lewis Financial Services to contact you.
It also has to be easy for your customers to unsubscribe or “withdraw” their details so make sure your unsubscribe and preferences buttons are easy to locate.
The Cookie Law came into force in 2012, when it was declared that you needed to inform visitors to your website that parts of their data were being captured (if they updated their shopping cart for example) and you needed to get their consent for this.
As you can see, GDPR is all about consent and getting that from your visitors and informing them what you will do with their information.
What personal information you collect
Privacy policies vary from business to business, but the ICO has kindly created a checklist on their website that helps you become compliant before May 25th. You can access the ICO checklist here.
If you have subscribers to your newsletter, then you have an email marketing list. These have been governed previously in the UK by a separate legislation that was set up in 2003. GDPR doesn’t change much but requires you to make sure the data you have was freely given and actually needed (so not asking for person’s waist size when you’re a PC store).
So, if you’ve got users who have signed up via the single opt-in (the tick box was already ticked), then you need to get their permission again even if they are existing customers.
The only exception is if you genuinely believe it is in their interest to receive your email, then you can send under “Legitimate interest”.
To make sure that your list is correct and depending on the size of it, it might be a good first to perform an audit to sort through the database and see who was a single opt-in, then contact them to see if they still want to receive your emails.
For areas like newsletter signup, it’s a good idea to go in via the double opt-in method and store the date of their consent in your email marketing software. It’s not required but is a useful way to prove you got the data legally.
If you’re an online shop, for example, it’s more complex especially when there are multiple outcomes, for example when they are creating an account AND subscribing to a newsletter. You will need to get separate consent for sending customers marketing messages.
If you store your customer’s details on a CRM (sensible idea to do), then you have to also consider this for GDPR.
A good question to ask yourself is “Why are you keeping them in your CRM”. This will help you better understand how lawful it could be.
An example would be an old client who might return, but how long can you keep that hope and more importantly their data on your CRM?
If you haven’t got a very good reason, you delete them. You must have an identified lawful basis (e.g. Legitimate Interest), and you must understand how long that lawful basis lasts.
If at any time there is a data breach and your CRM is hacked, you must alert the ICO who will then investigate and test your company for compliance. At the very least, there are six GDPR data protection principles which you should adhere to, which the ICO has laid out here.
Last but possibly an important area to remember if making changes inside your business is training your staff so they understand and follow GDPR rules from 25th May 2018.
The ICO in the UK has again kindly provided a PDF which starts as a good place to get your business and staff compliant.
You can read the PDF here and you should make your staff aware of some key changes to data processing and storage that are coming, such as;
You might have read this and thought, it doesn’t affect me. But just have a look through your website. Does it have a cookies policy appearing when you arrive for the first time, or do you have an email sign up form that was created when you got your website but you’ve never cared for or marketed. By just ignoring it you are liable for a fine and the line “I didn’t know” or “my web developer/agency took care of that”, will not be acceptable.
It’s your business and your responsibility to deal with these areas. If you need any help or advice, please get in touch before 25th May or comment below.
We are currently offering free GDPR website audit, where we will go through your website and recommend areas you might want to consider updating before the deadline, get in touch here.
If you’re unsure of anything to do with GDPR, cookies, or data protection, get in touch with ICO who will be able to help you and give a definitive answer.