A guide to GDPR and what to do to prepare

In May 2017, The Economist called personal data “the world’s most valuable resource” ahead of oil. That’s not surprising. Personal information is an object of desire for any business that’s looking to improve communication and boost customer experience.

However, what’s surprising and a big cause for concern is that most businesses don’t have an ethical approach to securing and protecting customer data. In fact, according to Symantec’s State of European Privacy Report, 90% of businesses believe it’s too difficult to remove customer data and 60% do not have the processes in place to do so.

The stats get even more worrying. The study also revealed that businesses that use customer data don’t fully understand how they should use it. 41% of marketers admit to not fully understanding both best practices, or the law, around the use of consumer’s personal data.

That is why the European Union is introducing the General Data Protection Regulation (GDPR) – a new set of laws designed to regulate the way businesses collect, store and use consumer data.

This level of regulatory overview of personal data is unprecedented and will require businesses to ensure the highest level of user data privacy and security, or suffer dire financial consequences.

With GDPR going into effect May 25, 2018, we’ve put together this guide to help clarify not just what GDPR is, but also how it is being implemented and enforced, whether or not you or your clients will be impacted and how to prepare.

What is GDPR?

The General Data Protection Regulation (GDPR) consists of a set of regulations designed to put the highest levels of protection around personal data. Put simply, it’s meant to protect user data, giving the consumer ultimate control over what happens to it.

GDPR defines personal data as any information related to an individual (data subject) that can be used to directly or indirectly identify that individual. It can be anything from a name, a photo, an email address, bank details, posts on social media channels, or even a computer IP address.

So, to be GDPR-compliant, a business needs to handle consumer data carefully as well as provide users with myriad ways to control, monitor, check and delete any information pertaining to them.

Businesses must also implement processes to ensure that data is always protected and kept safe and secure. They’ll need to regularly conduct privacy impact assessments, strengthen the way they seek permission to use the data, document the ways in which they use personal data and improve the way they communicate data breaches. The idea is that businesses need to be as transparent as possible with all the actions connected with users’ personal information.

Failing to comply with GDPR could lead to fines of up €20 million or 4% of the company’s total global revenue. Although fines of this size will not be commonplace, it’s a strong indication of how seriously you should take GDPR.

What businesses will it affect?

If you’re collecting, storing or using personal data of EU citizens, you will be affected by GDPR, irrespective of where you are based.

So if you’re a freelance web designer or run a web design agency and you collect personal data from users within the EU via your website or blog, then you’re subject to the provisions of GDPR.

And the coming of Brexit won’t impact GDPR either – the UK is introducing a new data protection law based on the regulation, and that means that UK businesses will still be bound by its rules in the future.

Here are the areas that are most affected by GDPR:

Email marketing

You’re probably using your website to collect user data and generate leads. If you’re asking users for their names, email addresses or other information to sign up for your newsletter or to download a free template or an ebook, that’s known as “opt in”.

Well, from now on, when users submit their email address in exchange for access to an ebook, you will be required to explicitly ask for their consent to be contacted, instead of automatically adding them to your mailing list and then waiting for them to opt out.

In addition, if required, you’ll need to be able to provide evidence that a user has elected to opt in receive emails from you.

Remarketing

As GDPR classifies cookies used for remarketing as personal data, the same rules as email marketing apply. If you want to engage in remarketing, then you’ll need people to opt in.

Marketing automation

Marketing automation is a powerful, time-saving tool that many businesses rely on to communicate with customers. But if you don’t triple check to ensure it’s set up correctly, come May it may land you in trouble.

For example, if an email is sent automatically to a user who has opted out that would count as misusing their data. That’s why it’s critical that you take the time to ensure that every name and email address in your database has given you permission to contact or to market to them.

In addition, if someone opts out of an automated email, you need to make sure that that person is removed from all your mailing lists so they don’t receive further emails.

Third-party compliance

You’ll also need to pay attention if you’re using third-party tools and technology such as marketing automation platforms and CRMs. Check to make sure that any third party that you’re working with and holds data on behalf of your business is also GDPR-compliant.

If you pass on personal data to a third party that doesn’t comply with GDPR, then that counts as a breach of the rules.

What do I need to do to prepare?

If you’re already complying with existing data protection laws, then you’re in a good position to adapt to GDPR. You will, however, still have to make some changes.

The steps needed for GDPR compliance will vary from business to business, so it’s important to seek out expert advice that focuses on your particular needs. With that in mind, here is some general advice on what you’ll need to focus as you head towards GDPR compliance:

Get permission and ‘repermission”

When processing personal data, explicit consent from individuals is a requirement under GDPR. This means that after May 25 you can only email users who have actively, freely and willingly opted in to receive messages from you.

This also applies retroactively to any subscriber in your current mailing list. Even if you’ve followed best practices for mailing list signup, you may find that you don’t have the level of consent required under GDPR to continue sending marketing emails to your list.

Don’t ignore this aspect as you may be asked at any time to provide this information. So it’s best to act now to ‘repermission’ your list and collect affirmative consent so you can send confidently after May 25.

Here are a few things you could cover in your ‘repermission’ email:

How you got their personal details
Why you are contacting them
What sort of content you will send them in the future if they opt-in
How they can update their communication preferences and opt-out

Of course, if you’ve previously collected sufficient proof of permission, you do not need to gain permission from subscribers again.

Make the task of “giving permission” as easy, transparent and painless as possible

This means that you should clearly state why you want a user’s information and how to intend to use it.

For example, if you’re collecting an email address within a webinar registration form, you should provide details on why you need that email address and how you’re planning to use it. In this case, you need the email address to send the registration confirmation, the link to the webinar and a copy of the webinar once it ends.

Here are a few design principles that might help you to better understand how to ask for permission:

Active opt-in – When asking for permission it’s imperative that you use an opt-in form and avoid any pre-ticked boxes as these are considered implied consent and not freely given. Explicit consent means that the user will need to tick a box to give you permission to send them further information.
Informed – Consent should be clear, concise and specific. So avoid jargon or ambiguous language.
Named – Permission should provide clear information about the processing organisation and information about any third-party involved in data processing.
Easy to withdraw – Make it simple for users to withdraw consent and opt out of your email lists, if they wish to do so. Also tell them how to do it.
Separate – Keep consent requests separate from other terms and conditions or privacy notices. For example, when someone downloads an ebook from your website, you’ll need to have a separate box that users need to tick to subscribe to your emails. Signing up for emails is optional – they can always download the ebook without subscribing to your emails.

Don’t forget – all of this will apply to all forms of marketing, including cookie-based remarketing. So make sure you apply these principles to all forms of data gathered for marketing purposes.

Update your Privacy Policy

GDPR says that your privacy information must be “concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.”

The Information Commissioner’s Office (ICO) provides more useful information on what should be included in a privacy policy so make sure you read it carefully. Then revisit and edit your policy accordingly. The idea is to use language that is simple and easy to understand, as jargon will not be acceptable under GDPR rules.

Centralise your personal data collection into a CRM system

Make sure users can access their data, review its proposed usage, and make any changes they wish to.

Keep evidence of consent

GDPR not only sets the rules for how to collect consent but also requires businesses to keep a record of these consents. So make sure you can always provide evidence of who consented, when and how.

Store data securely

To protect personal data, GDPR states that you’ll need to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

This starts with encrypting any data that is submitted to your website, which is what GDPR recommends in Article 32. This will stop people from hijacking the data. An SSL certificate should be fitted to your site to encrypt the data.

In addition, make sure you have strict rules in place for data access and to track security access.

It’s also important to remember that this includes any physical storage devices that hold customer data – a list of unencrypted customer data on a USB stick is a data breach waiting to happen. Don’t let all your hard work on GDPR compliance be undone by a simple slip up like this.

Speak to a GDPR expert

GDPR is a complex topic. If you want specialised advice on GDPR compliance so you can also avoid any potential damage to your company’s bottom line, it might be worth speaking to a GDPR expert. An expert can check to see whether your procedures are compliant and take you through the steps to follow to become GDPR-compliant.

Where can I find more information about GDPR and its impact?

Use the following resources for guidance and start your preparations as soon as possible.

Perhaps the most immediately useful resource is the ICO’s 12 steps to take now to prepare for GDPR. The ICO also has a helpline you can contact.

Here are some other useful GDPR resources.

In conclusion

Here’s the thing: GDPR isn’t designed to stop businesses from communicating with customers. Not at all.

The idea is simple:

Don’t assume people want to hear from you just because they downloaded an ebook from your website.
Don’t email users about your business unless they opted in and gave you permission to do so.
Don’t send them irrelevant information that they didn’t ask for.
Make sure all data-driven marketing you do complies with GDPR

In fact, GDPR is an opportunity to grow your marketing list with quality leads.

Think about it this way: when users land on your website and they like what they see, then they’ll gladly opt-in to receive further information from you. And then you’ll have a marketing list of qualified leads – people who are genuinely interested in your business, your products and services, and your content. Isn’t that what makes a marketing list valuable?

Heart Internet is in the process of implementing GDPR across our platforms. You’ll start seeing changes in the coming months. For more information, GDPR and Heart Internet: Frequently Asked Questions.