Is your Email list GDPR compliant?
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, replacing the current Data Protection Directive. It will bring significant changes to the way you handle data in your business. The legislation is very wide ranging and I can’t hope to cover everything you might need to know in one blog post. The area I am most often asked about is the impact of GDPR on information retention and on Email Marketing.
At its most basic level, the new legislation aims to ensure personal data is properly safeguarded, people’s privacy is protected, and we aren’t bombarded by unsolicited information. If you hold and manage personal data relating to EU citizens within your business, you will need to understand your responsibilities under the regulations. Even if your company is based outside the EU and UK, if you have contacts or clients there and you want to use their email address for marketing purposes, you must comply with the Regulations.
A key change will be the introduction of the Accountability Principle. This requires you to show HOW you comply with the principles by keeping a clear record of decisions taken about how each processing activity will be carried out.
Article Five of GDPR requires personal data to be:
• Processed lawfully, fairly and in a transparent manner.
• Collected for a specific purpose, which must be made clear and explicit to everyone whose data you hold.
• Not further processed or used for other purposes for which you do not have, or have not sought, permission.
• Limited to only as much data as you need to complete the tasks for which you are holding the information.
• Accurate and kept up to date at all times. Any inaccurate data must be erased or rectified as soon as the inaccuracy is discovered, and if you have shared that data with someone else you must tell them about the inaccuracy so they can correct their records too.
• Kept only as long as is necessary for the processing purpose, and held securely, protected against unauthorised or unlawful processing as well as against loss, destruction or damage.
GDPR also requires that the Data Controller, which in a small business is usually the owner, takes responsibility for, and is able to demonstrate, compliance with the principles of the Regulations.
It is good practice to demonstrate compliance via a Data Protection policy. If you already have such a policy that complies with the current Data Protection Act, updating it to comply with GDPR should be reasonably straightforward.
Without the ability to demonstrate that you comply with the legislation you could leave yourself open to criticism and potential enforcement action if you breach the rules. The costs of a breach under GDPR are much higher than under the Data Protection Act so it makes business sense to get this right.
With respect to Email Marketing, the most important change is that silence, pre-ticked boxes and inactivity are not considered as consent to be marketed to. People must actively take steps to opt into your marketing. So no pre-ticked boxes on your Email Sign Up forms please.
As mentioned above, you must state very clearly the exact purpose for collecting the data and how you propose to use it. So, if you wish to add people to your Email list, you must tell them this and explain what they will receive in return, for example, a monthly or weekly newsletter.
Because you need explicit and verifiable permission to add someone to a marketing list, you can’t just add the details from all those business cards you got at that networking event to your Email list. You must ask the person for permission to add them. You can send one individual Email inviting them to join your list. This must be a single email, personally addressed, and cannot be sent via a mail marketing programme such as MailChimp.
Similarly, if you put out a bowl on your trade stand asking people to drop in their business cards, the bowl should have a notice clearly stating that people will be added to your mailing list if they provide their card. This allows them to choose whether to opt into your mailings. There is a problem here though: the new legislation will require you to provide traceable evidence of sign-up to mailing lists, and a card in a bowl gives you none. So you might find sign-up sheets, or asking people to sign up via your website on a tablet, a better choice for growing your email list at trade shows.
Although we are mainly discussing Email marketing, if you want to collect phone numbers to call or send text messages, or collect addresses for traditional mailings, you need to seek permission to use each type of data (e.g. phone, SMS, mail) and give people the option to opt in or out of each separate method, so they can choose the methods of contact they are most comfortable with. Provide an empty tick box for each option.
Since every bit of personal data you collect about a person is another bit of data you are responsible for (and must secure), it makes sense to collect only what you need and will use, particularly as the penalty for breaching the regulations is a very hefty fine.
Consent and Email Marketing
It really is all about getting verifiable consent. One way to get this verifiable consent is to use a system such as MailChimp to build your list, as it has a double opt-in. People will not be added to your list until they have responded to a second email which asks them to confirm that they really did mean to sign up to your list. This double opt-in information can be used to prove permission to use the data.
The new rules specify very clearly that there must be an unsubscribe button or method by which the person can arrange to be removed from the mailing list and that this MUST be very prominently displayed and easy to find. Hiding it, or making it difficult to locate, is not an option.
Individuals will also have the “right to be forgotten”, that is, they can request to have their data erased with no trace of the information left behind. If someone requests this then it must be done as soon as possible and no further marketing materials sent to them.
GDPR will also prohibit the sale or exchange of personal data and it will not be possible to use data collected for one purpose (such as Email newsletters) for another purpose.
Even if you have previously obtained permission to use people’s email addresses, you will need to seek renewed permission to use those addresses ahead of the new legislation.
So what action do you need to take?
• Review any areas of your business where you request email addresses, whether that is pop-up windows on your website or sign-up forms. Check that all the pop-ups and sign-up forms are clear and specific and include all the ways in which you might use the Email address, so visitors are very clear about how you will use their data.
• Keep a record of the permissions you are sent so that you can be quite certain, and can prove, that you have permission to market to each individual.
• If you have an old list you must gain permission to use each address on it. To do that, you would need to individually email each person on the list and ask them whether they would like to join your mailing list. Do not use the Carbon Copy (CC) function in your Email system to send messages to several people at once. Doing so will allow data to be seen by everyone you are emailing and thus breach the regulations.
It is possible to send to multiple email addresses using the Blind Carbon Copy (BCC) function, because each individual will see only themselves as an addressee. However, don’t send to large numbers of addresses all at once in this way. You will get blacklisted as a spammer if you do.
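To make the double opt-in and "keep a record of the permissions" points concrete, here is a small added example (not code from this post or from MailChimp) of a consent register: a sign-up stays pending until the token from the confirmation email is presented, every confirmed consent is stored with its purpose, source and timestamps as evidence, and an erasure request removes every trace. The secret key, the record fields and the class name are all my own assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed example secret for signing confirmation tokens (assumption, not a real key).
SECRET_KEY = b"constructed-example-secret-not-for-production"


class ConsentRegister:
    """Double opt-in mailing list with an evidence record per subscriber."""

    def __init__(self):
        self.pending = {}      # email -> unconfirmed sign-up (not yet on the list)
        self.subscribers = {}  # email -> confirmed consent record (the proof)

    def _token(self, email, nonce):
        # Unguessable per-sign-up token, bound to the address and a fresh nonce.
        msg = f"{email}:{nonce}".encode()
        return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

    def request_signup(self, email, purpose, source, now=None):
        """First step: record what was asked for and where; return the token
        that would be placed in the confirmation email's link."""
        now = now or datetime.now(timezone.utc)
        nonce = secrets.token_hex(16)
        self.pending[email] = {"email": email, "purpose": purpose, "source": source,
                               "requested_at": now.isoformat(), "nonce": nonce}
        return self._token(email, nonce)

    def confirm(self, email, token, now=None):
        """Second step: only a valid token for a pending sign-up moves the
        address onto the list; the confirmation time becomes part of the proof."""
        now = now or datetime.now(timezone.utc)
        rec = self.pending.get(email)
        if rec is None or not hmac.compare_digest(token, self._token(email, rec["nonce"])):
            return False
        record = {k: v for k, v in rec.items() if k != "nonce"}
        record["confirmed_at"] = now.isoformat()
        self.subscribers[email] = record
        del self.pending[email]
        return True

    def proof_of_consent(self, email):
        """Evidence you can produce: purpose, source, request and confirmation times."""
        return self.subscribers.get(email)

    def erase(self, email):
        """Right to be forgotten: remove the address from both pending and confirmed data."""
        removed = email in self.pending or email in self.subscribers
        self.pending.pop(email, None)
        self.subscribers.pop(email, None)
        return removed
```

The `proof_of_consent` record is what you would hand over if asked to show that a particular person agreed to receive your newsletter, and `erase` returns `True` only when there was something to remove.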
If you want to find out more about how to comply with the new legislation and get your business ready for the change, the ICO (Information Commissioner’s Office) provides some excellent checklists specifically aimed at small business owners. These are straightforward and clearly written, covering the various areas which will change when GDPR is brought into force and the ways in which you can prepare your business for the new legislation. These can be found at WWW.ICO.org.uk/for-organisations/business
Another great source of information is www.dpnetwork.org.uk which, together with the ICO website, keeps you up to date on the latest interpretations of the upcoming legislation.
You can also find videos about the impact of GDPR on the new JJB Office Services YouTube Channel.
Does all this make your brain hurt? Are you wondering how you will find the time to make your business compliant? Perhaps you need existing policies and procedures reviewed and updated but don’t have the time? Well never fear, Jenni is here. If you need a hand, please get in touch with me here.