I expect you’ve seen a lot about GDPR in your news feeds recently. With fewer than 60 days to go, small businesses are starting to get more and more interested in what this means for their business.
The General Data Protection Regulation (GDPR) will affect anyone who processes personal information. Personal information is classed as data that can identify an individual and relates to both consumer and business data. For example, emma@marketinghat.co.uk would be covered under these regulations. But hello@marketinghat.co.uk wouldn’t be, unless a name is associated with the email address.
What are the benefits for me?
Even though there will be a bit of work to do to ensure you are compliant, GDPR does provide some benefits to your business. It’s a lot more productive to look at the positives, right? It’s also good to look at it from your perspective. After all, you’re one of the individuals whose personal data the regulations are there to protect.
Empowerment – you (and your subscribers) will have more control over what you sign up to receive. Businesses will need to be very specific about what data will be used for. Plus it must be easy to withdraw consent, delete your data or request to see what data a business holds on you.
Trust – being open about data and what it will be used for will enhance trust with an organisation.
Deliverability – your lists may decrease in size, but those who remain will be more engaged and interested in your business. This means you should see better open rates and improved deliverability.
Will you be able to keep marketing to your list after 25/05/18?
There are a lot of resources out there that will help you prepare for the changing requirements GDPR will bring. I’ve listed a couple which I have found very informative at the bottom of this post. I’ll say upfront now: I’m no expert. You’ll need to review information from experts in detail.
GDPR is a big topic. Certainly not one to cover off in a single blog post.
Here I’m going to share how I’m preparing to be compliant using consent as my lawful ground for processing data. You can also choose to use legitimate interest, but that’s a subject for another day.
It’s well worth putting some thought into the requirements now. It’s likely you’ll need to make some adjustments to what your business currently does.
Consent is king
In the world of GDPR consent is incredibly important. Marketers have been using consent as a means to send marketing for a long time. However, the new regulations are a lot more specific about what is classed as consent. Check out the list on the ICO’s website here.
This means we need to be 100% certain our sign up forms comply with the requirements.
After a bit of research I concluded the process I currently use needed some tweaking. Specifically, my opt-in process needed updating to:
– provide granular check boxes where explicit consent is given to receiving different types of communication,
– be presented with a clear link to my GDPR compliant privacy policy at the time of consenting.
My first task: ensure there is a compliant GDPR privacy policy on my website. Check.
My second task: ensure sign up forms are clear and granular by enabling Mailchimp’s new GDPR fields. Check. I decided to go with a basic Mailchimp form to keep things simple.
For those who have researched GDPR a bit, you’ll be aware there’s also another option for being able to market to someone: legitimate interest. You can read up on it in detail on the ICO’s website here.
Clear records
So what’s next?
Once explicit consent is sorted, via an appropriate statement and tick box (not pre-completed obviously), it’s essential to ensure consent is appropriately recorded. You need to be able to show when and how someone consented, and what statement of consent they signed up to.
Keeping a record of the consent is just as important as getting the consent itself. At the moment I use Mailchimp, but if you also use a CRM system you may consider recording consent there.
My third task: update my Mailchimp sign up process to include a two-stage opt in and a welcome email. This will send the subscriber an email outlining what personal information they have provided me. Check. Time and date of subscription, along with granular opt in details, are displayed against the subscriber profile in Mailchimp.
Re-consent your current list
“Oh no! Do I really have to?” I hear you cry. Well, if you’re like me (someone who only likes grey on skirting boards and website copy), then yes you do.
That is unless you’ve managed to ensure your marketing opt ins have been meeting GDPR compliance requirements since you set them up.
It’s a choice. If you think your current customers would reasonably expect to receive marketing communications from you, then you can look into using legitimate interest. If you are sending them valuable, engaging content then why would they object?
My fourth task: send an email re-consent campaign. Even though I get good open rates (45% +) I am viewing this as an opportunity to ensure my list comprises fully interested people. As we know it’s not about size…
Data transfer outside the EU
I’m not going to go into detail about data transfers outside the EU. But, you will need to review any software supplier you use, based outside the EU, where you process personal data. You will need to check whether they are GDPR compliant. If they aren’t you will need to state clearly in your Privacy Policy that they aren’t when people sign up to your list.
My final task for now is to review my suppliers and check their compliance. So far I know Dropbox, Gmail and Mailchimp are included on the US Privacy Shield list. I’m waiting to hear back from my Canadian-based accounting software provider.
Suzanne Dibble (see resources below) has a very good Facebook video on this subject.
Do you still have consent?
Once you’ve got explicit consent it’s also important to ensure you continue to have it in the future.
I’m sure scheduling regular re-consent campaigns will become a regular feature of the small business marketing campaign schedule.
It’s also important to outline how an individual can withdraw their consent. I cover this off in my Privacy Policy.
Want to learn more?
As I said, I’m no GDPR expert. This is just a whistle-stop tour of using consent as a lawful basis for processing data. Do get in touch if you’ve read through this and are thinking that I’ve missed something. I’ve found that community support is playing, and will continue to play, a valuable role for small businesses negotiating the ins and outs of GDPR.
Here are two informative Facebook groups I’ve been following.
Mailchimp and GDPR – In Robin Adam’s own words “The purpose of this group is to help you understand what you need to do specifically in MailChimp to get GDPR compliant.”
GDPR for Online Entrepreneurs – Legal Expert Suzanne Dibble’s “one stop information group for GDPR”.
Don’t forget PECR
The last thing I want to mention is not to forget your obligations under PECR. These are still in force and outline the level of consent required when sending digital marketing communications (automated calls, emails, texts and faxes). They are due to be reviewed in 2019 to become more in line with GDPR.