GDPR is going to be a serious and pressing concern for any company that does any marketing or data-driven business in Europe, potentially exposing those that fall foul of it to lawsuits and heavy fines. Fortunately, improving data protection and collection policies to comply should actually improve productivity and efficiency too, so it’s in your interest to get in line with the new rules.
What is the GDPR?
The General Data Protection Regulation is an upcoming EU law that was adopted on the 27th of April 2016 and comes into effect on the 25th of May 2018. It is intended to improve and simplify data protection for all EU citizens, and to address the export of personal data. If implemented properly, the GDPR will give UK citizens and EU residents control of their personal data, simplifying the regulatory environment and making online services both easier and safer to use.
UK businesses in particular should note that the GDPR will apply no matter what happens with Brexit, as it also applies to businesses harvesting data about EU citizens. Failure to comply with the GDPR will still mean massive fines in EU jurisdictions, and could leave users or other people whose data you hold able to sue your company.
For online marketers and businesses, the GDPR has a number of direct effects. It mandates that ‘consent must be freely given, specific, informed and unambiguous’, and articulated by ‘clear affirmative action.’
In other words, you can’t just assume people consent to being added to mailing lists because they did nothing; pre-ticked agreement boxes, and unclear or confusing language, are also forbidden. Customers must explicitly agree that you can use their data and contact them, and must be given the information they need to make an informed choice.
The GDPR is also another attempt at granting EU citizens the Right to Be Forgotten. The aim is to give individuals more control over how their data is collected and used. This means individuals must be able to access their data and have it removed from your databases when there is no longer a legitimate use for it, when they withdraw consent for it to be used, or when it has been used unlawfully.
Preparing for GDPR
First up, do what you should have been doing anyway – collect quality contact data, not quantity. Many companies gather vast quantities of contact details and personal user data that tell them very little. In particular, you’re much more likely to get a response from a customer who has consented to being emailed with offers and information than from one you’ve been spamming simply because their name was on a list. Similarly, the GDPR gives users the power to remove data considered ‘frivolous’ or ‘unlawfully collected.’ Instead, focus on important and useful data from your users and you’ll be set – both in terms of the law and in terms of having information you can actually use for customers who might be interested in what you have to offer.
If your business is of a sufficient scale, it may be helpful to train or appoint a data protection officer. Smaller businesses will still need to maintain a working knowledge of the law and review their compliance regularly. If nothing else, consider this an investment to avoid the potentially massive costs of a lawsuit or EU fines down the line if you get it wrong.
Finally, you should prepare and build the infrastructure for customers to request access to view, amend or destroy their data. This doesn’t need to be online yet, but you need to give customers some way of accessing the data you hold on them, and it’s good practice to make it easy for them to do so.
Setting up a page on your site where customers can request their details and delete them as necessary or appropriate may set you in good standing with both them and the law, and could even help make a positive impression.
It’s unlikely that there will be a barrage of ‘right to be forgotten’ requests when the GDPR comes into effect, although there may be some. If you do get a deluge, it’s perhaps a sign that your company has been irritating its customers. Regardless of legal requirements, that is never a good strategy.