“Four things you must do, four things to avoid, and six tips to make your life easier.”
Since I sent you my ‘GDPR in plain English; 10 steps to take now,’ I’ve spent a good deal of time on webinars, in chatrooms and at expert panels, where some very smart people have presented their own interpretations of what GDPR really means to us small business owners.
But the truth is, it’s still a greyish area. Maybe not an infamous 50 shades, but certainly enough hues to confuse an awful lot of people. The guidance is quite clear; how to put it into practice somewhat less so…
There are six lawful reasons for ‘processing personal data’ – in other words, storing information and emailing people. In reality, for most people reading this, only two reasons are likely to apply:
- Legitimate interest; and
- Consent
Let’s focus on consent, because what we believe to be consent isn’t necessarily recognised as consent under the new law. Here are four things you must do, four things to avoid, and six tips to make your life easier.
You must:
- Gain clear re-consent to email everyone on your mailing list. This means ‘affirmative action’ on their part. We can’t simply assume it’s okay to continue emailing them because they haven’t told us otherwise.
- Gain consent to email new people. We can’t work on the presumption that a business card swap at a networking lunch implies agreement to join a mailing list.
- Keep a clear record of when and why each person gave their consent. This includes recording how they “signed up,” what you told them you’d do with their data and what your privacy policy was on that date. I’ll be keeping a simple Excel spreadsheet from now on and hoping that’s sufficient.
- Have an up-to-date privacy policy that is clearly accessible on your website, not hidden in the footer. (Mine’s still in the footer…)
You can’t:
- Keep anyone’s personal data after May 25th if they haven’t agreed to it (unless one of the other reasons applies – such as legitimate interest or contract). You have to delete it! Yes, I know… all those years of carefully cultivating an email list.
- Collect people’s information without a good reason. And only ask for what you need – don’t try to find out ‘sensitive data’ like date of birth, dress size, skin colour or who they fancy – unless you can absolutely justify why you need this information.
- Email people for any reason other than what you’ve agreed with them. So you might hope to raise extra money for charity by emailing your business list to let them know you’re doing a sponsored parachute jump – and chances are no one will report you for this – but it’s not allowed under the new rules. Likewise, you can’t take someone’s email to send them a free gift then add them to a mailing list for marketing. This applies to social media marketing too – so there should be no more signing up for anything via Facebook then receiving unrelated emails from the same company or an associated one.
- Ignore the law. Lots of people are poo-pooing the extortionate fines being quoted – after all, would the ICO really bankrupt a small business owner for sending an email to someone who hadn’t agreed? Of course not, but the aggravation of a potential investigation is surely not worth it.
There are various things you can do to make the transition to GDPR compliance easier for yourself. These six tips should help!
- Add a clearly worded Privacy Policy to your website. Make sure it’s written in plain English and addresses all the points necessary to make it GDPR compliant.
- Audit your sign-up process. Check the way you add people to your mailing list – through a website sign-up form, via a Facebook promotion, from business cards, from a ‘pop your card in this jar to win a bottle of champagne’ scheme. Then ensure the way you add them moving forward complies with the law.
- Watch a brilliant two-hour webinar with a specialist GDPR lawyer named Suzanne Dibble here. She worked for Richard Branson to set up Virgin’s data protection compliance and she runs a very useful Facebook group. (I’ve seen the video – she also has many short videos on various GDPR-related topics.) There’s a link to a useful GDPR checklist too.
- Buy Suzanne’s legal document pack. (I haven’t done this but I’ve seen many recommendations for it on Facebook.) This includes a standard privacy policy.
- Remember that it’s about being reasonable. Could someone ‘reasonably’ expect to receive email from you? If in doubt, leave them out.
- Reframe the whole ‘losing loads of subscribers’ issue in your mind. View it as an opportunity to clean up your mailing list. Having fewer people on your list can actually be helpful, as you’ll have better open and engagement rates, which means more of your emails will land in people’s inboxes and fewer will go into their trash.
I’ve used the word interpretation in my heading as that’s what this is – my interpretation of it, based on hours of research and my ability to quickly sift through mounds of conflicting information to find the linguistic diamond in the sand.
So, just to get my own little beachball rolling, if you’d like to stay subscribed to my mailing list to receive social media tips – or you’d like to sign up now – please leave your name and email in the sign-up box below.
You can unsubscribe at any time, of course. On a final note, signing up confirms that you’ve read and understand our privacy and cookies policy. Thanks!
I hope these notes are helpful. Please tell me if you’d like to know more about the ‘Legitimate Interest’ basis for processing personal data and I’ll cover that next time.