{"id":18206,"date":"2018-04-05T11:30:06","date_gmt":"2018-04-05T11:30:06","guid":{"rendered":"https:\/\/www.heartinternet.uk\/blog\/?p=18206"},"modified":"2018-04-05T11:30:06","modified_gmt":"2018-04-05T11:30:06","slug":"a-guide-to-gdpr-and-what-to-do-to-prepare","status":"publish","type":"post","link":"https:\/\/www.heartinternet.uk\/blog\/a-guide-to-gdpr-and-what-to-do-to-prepare\/","title":{"rendered":"A guide to GDPR and what to do to prepare"},"content":{"rendered":"

In May 2017, The Economist called personal data \u201cthe world\u2019s most valuable resource<\/a>\u201d ahead of oil. That\u2019s not surprising. Personal information is an object of desire for any business that\u2019s looking to improve communication and boost customer experience.<\/p>\n

However, what\u2019s surprising and a big cause for concern is that most businesses don’t have an ethical approach to securing and protecting customer data. In fact, according to Symantec\u2019s State of European Privacy Report, 90% of businesses believe it\u2019s too difficult to remove customer data<\/a> and\u00a060% do not have the processes in place\u00a0to do so.<\/p>\n

The stats get even more worrying. The study also revealed that businesses that use customer data don\u2019t fully understand how<\/em> they should use it. 41% of marketers admit to not fully understanding both best practices, or the law, around the use of consumer\u2019s personal data.<\/p>\n

That is why the European Union is introducing the General Data Protection Regulation (GDPR) – a new set of laws designed to regulate the way businesses collect, store and use consumer data.<\/p>\n

This level of regulatory overview of personal data is unprecedented and will require businesses to ensure the highest level of user data privacy and security, or suffer dire financial consequences.<\/p>\n

With GDPR going into effect May 25, 2018, we\u2019ve put together this guide to help clarify not just what GDPR is, but also how it is being implemented and enforced, whether or not you or your clients will be impacted and how to prepare.<\/p>\n

What is GDPR?<\/h2>\n

The General Data Protection Regulation (GDPR) consists of a set of regulations designed to put the highest levels of protection around personal data. Put simply, it’s meant to protect user data, giving the consumer ultimate control over what happens to it.<\/p>\n

GDPR defines personal data as any information related to an individual (data subject) that can be used to directly or indirectly identify that individual. It can be anything from a name, a photo, an email address, bank details, posts on social media channels, or even a computer IP address.<\/p>\n

So, to be GDPR-compliant, a business needs to handle consumer data carefully as well as provide users with myriad ways to control, monitor, check and delete any information pertaining to them.<\/p>\n

Businesses must also implement processes to ensure that data is always protected and kept safe and secure. They\u2019ll need to regularly conduct privacy impact assessments, strengthen the way they seek permission to use the data, document the ways in which they use personal data and improve the way they communicate data breaches. The idea is that businesses need to be as transparent as possible with all the actions connected with users\u2019 personal information.<\/p>\n

Failing to comply with GDPR could lead to fines of up \u20ac20 million or 4% of the company\u2019s total global revenue. Although fines of this size will not be commonplace, it’s a strong indication of how seriously you should take GDPR.<\/p>\n

What businesses will it affect?<\/h2>\n

If you\u2019re collecting, storing or using personal data of EU citizens, you will be affected by GDPR, irrespective of where you are based.<\/p>\n

So if you\u2019re a freelance web designer or run a web design agency and you collect personal data from users within the EU via your website or blog, then you’re subject to the provisions of GDPR.<\/p>\n

And the coming of Brexit won’t impact GDPR either – the UK is introducing a new data protection law based on the regulation, and that means that UK businesses will still be bound by its rules in the future.<\/p>\n

Here are the areas that are most affected by GDPR:<\/p>\n

Email marketing<\/h3>\n

You’re probably using your website to collect user data and generate leads. If you’re asking users for their names, email addresses or other information to sign up for your newsletter or to download a free template or an ebook, that’s known as “opt in”.<\/p>\n

Well, from now on, when users submit their email address in exchange for access to an ebook, you will be required to explicitly ask for their consent to be contacted, instead of automatically adding them to your mailing list and then waiting for them to opt out.<\/p>\n

In addition, if required, you’ll need to be able to provide evidence that a user has elected to opt in receive emails from you.<\/p>\n

Remarketing\u00a0<\/h3>\n

As GDPR classifies cookies used for remarketing as personal data, the same rules as email marketing apply. If you want to engage in remarketing, then you’ll need people to opt in.<\/p>\n

Marketing automation<\/h3>\n

Marketing automation is a powerful, time-saving tool that many businesses rely on to communicate with customers. But if you don’t triple check to ensure it’s set up correctly, come May it may land you in trouble.<\/p>\n

For example, if an email is sent automatically to a user who has opted out that would count as misusing their data. That’s why it’s critical that you take the time to ensure that every name and email address in your database has given you permission to contact or to market to them.<\/p>\n

In addition, if someone opts out of an automated email, you need to make sure that that person is removed from all your mailing lists so they don’t receive further emails.<\/p>\n

Third-party compliance<\/h3>\n

You’ll also need to pay attention if you’re using third-party tools and technology such as marketing automation platforms and CRMs. Check to make sure that any third party that you’re working with and holds data on behalf of your business is also GDPR-compliant.<\/p>\n

If you pass on personal data to a third party that doesn’t comply with GDPR, then that counts as a breach of the rules.<\/p>\n

What do I need to do to prepare?<\/h2>\n

If you’re already complying with existing data protection laws, then you’re in a good position to adapt to GDPR. You will, however, still have to make some changes.<\/p>\n

The steps needed for GDPR compliance will vary from business to business, so it’s important to seek out expert advice that focuses on your particular needs. With that in mind, here is some general advice on what you’ll need to focus as you head towards GDPR compliance:<\/p>\n

Get permission and \u2018repermission\u201d<\/h3>\n

When processing personal data, explicit consent from individuals is a requirement under GDPR. This means that after May 25 you can only email users who have actively, freely and willingly opted in to receive messages from you.<\/p>\n

This also applies retroactively to any subscriber in your current mailing list. Even if you\u2019ve followed best practices for mailing list signup, you may find that you don\u2019t have the level of consent required under GDPR to continue sending marketing emails to your list.<\/p>\n

Don\u2019t ignore this aspect as you may be asked at any time to provide this information. So it\u2019s best to act now to \u2018repermission\u2019 your list and collect affirmative consent so you can send confidently after May 25.<\/p>\n

Here are a few things you could cover in your \u2018repermission\u2019 email:<\/p>\n