
GDPR: How to stop worrying and learn to love data regulation

There’s a fair bit of confusion about GDPR, and rightly so – anything so wrapped up in legalese is bound to be difficult to grasp. Well, fear not, intrepid business owner – here’s Arch Creative’s breakdown of what you need to know about the four letters you’re probably sick of hearing by now.

Here are some of the main points about GDPR:

  • GDPR stands for General Data Protection Regulation.
  • It is a set of rules stating how you can and cannot use the data you collect from your customers, and the protocol you will need to follow to collect that data in the first place.
  • It comes into effect on 25th May.
  • It applies to any organisation, inside or outside the EU, that markets goods or services to people inside the EU. In other words, if you do any business with Europeans that involves their data, the legislation applies to you.
  • Companies can be fined for non-compliance, and the fines can amount to a fair bit of money.


The 6 key principles of GDPR

These are the six key principles of GDPR, which you can refer to whenever you are unsure how it works.

1. Transparency on how data is used and what for – tell your customers in full what you will be using their data for. This can take the form of a T&Cs document or a Privacy Policy. Link your customers to it whenever they need to sign up for something.

2. Ensuring the data collected is only used for the purpose stated at the time of collection – so if you say you will be using the information purely for email marketing, you cannot then send them direct mail.

3. Limiting the data collection to what is necessary – i.e. if you don’t need a home address, don’t ask for one.


4. Ensuring the data is accurate – this one speaks for itself.

5. Storing data only as long as necessary – this one is tricky to navigate. One method of avoiding any penalties on this point is an annual check-in: an email that goes out to your whole database and reaffirms their consent.

6. Protection against unauthorised use or accidental loss of data through security measures – have measures in place to ensure you do not misuse data. An internal policy, written into contracts, is good practice for this.

Two factors to look out for:

Consent

Does the individual affirmatively consent to data collection? For example, did they fill in a contact form that clearly stated what the data would be used for?

A key thing to remember here is that your customers or users need to actively consent – no pre-ticked boxes.

Accountability

Can you demonstrate how you’re implementing GDPR?

As long as you have records of doing something to ensure you are compliant (an e-shot campaign list, for example), you have evidence of how you are implementing GDPR. Good for you!


A Simple Way

Most methods of data collection will already be compliant with GDPR. However, it is best practice to use the following “3-Strike” method to make sure you are up to scratch.

  1. Send an email to EVERYONE you have collected data from. Tell them this email is to implement GDPR. You need them to click a button that lets them actively agree to receive mail from you. It might be wise to include a tick box as well, as another way for them to actively say “yes” to receiving your correspondence. Anyone who comes back with a positive response stays on the list.
  2. Anyone who did not respond gets a follow-up email. This email states the importance of having their active consent: if they do not respond, they will be removed from the database and will not receive any further correspondence.
  3. The final email goes to anyone who still has not responded positively. It states that they will be removed from the database. If they still want to receive news, they will need to get in touch and confirm that they wish to stay involved.

If anyone still has not responded, or has responded saying they do not want to be involved, then you will need to remove them from your database. Simple.

GDPR is easy to get your head around. It is just wrapped up in legalese, so it seems daunting. If you are struggling to get started on GDPR, give us a call for some advice, or to have us create and implement your GDPR E-Shot.