GDPR and managing your data

Privacy shouldn't be a headache

We have been busy over the last few weeks updating privacy policies for all of our clients to comply with the new General Data Protection Regulation. It is probably the single biggest thing to hit website owners for a very long time – or is it? There is a general whiff of panic and desperation in an awful lot of the emails you will have been receiving from companies over the last month. Whilst they ask you to appreciate just how seriously they take your privacy and want to keep you on their mailing list, what they really mean is ‘we haven’t actually got your permission to send you all of these emails’. Have you noticed emails in your inbox from businesses you have never signed up to? That will be because at some point you didn’t untick the box that said ‘would you like to receive emails from companies to whom we have sold your contact details?’ Well, OK, so they didn’t actually say that, but that’s what it meant.

The following points are our attempt at setting out, in plain English, what you should be doing regarding your website. What it isn’t is a legal guide to your obligations and the letter of the law; see a solicitor for that.

Also, we are talking about all of this in relation to small businesses. If you have a company with over 250 employees you have to employ a data controller and jump through an awful lot of hoops. But then you’ll already be handling that data really well, won’t you? The following discussion is all about websites that only collect information via contact forms and booking forms for specific courses or events – in each of these cases there is a legal basis for that data being ‘processed’ in accordance with the regulations.

What is the aim of GDPR?

GDPR is a good thing as it is the first step in us (as in the general public) regaining ownership of our data, regardless of who we have shared it with. In light of the recent Cambridge Analytica debacle this has to be a good thing; however, don’t expect Facebook to stop exploiting their data any time soon. In its simplest terms GDPR gives the individual the right to know exactly what personal information a company has on file about them and to have it deleted if they want. It is a right to privacy and a requirement for businesses to handle people’s data with the security and privacy it deserves.

The key thing to remember is that it is all about consent – if you collect data from people, even via a simple contact form on your website, you must get the visitor’s consent to store it and to use it to contact them. If you intend to send them third party emails (i.e. emails on behalf of other companies) you must have their consent to this as well.

The big sticking point, and the reason everyone and their dog is asking you to re-subscribe to their mailing list, is that it is retrospective. If you can’t prove someone consented to receive your emails you don’t have the right to send them anything. So if you have a lovely big mailing list to send your marketing emails to, plus the odd ones from other businesses (that maybe pay you to do it), you’d better stop. If you can’t prove that Joe Bloggs specifically opted in to receive that really interesting email about hair loss treatment back in 2006 then you have fallen foul of the law.


Is it the end of direct email marketing?

No, but it is hopefully the end of businesses selling, sharing, combining and pinching contact details. Think of it in simple terms and be honest about what you will be doing: if you only intend to send an email every few months updating your clients on what you have been up to, then say so. If you intend to send three a week and want to also send third party ones, then say so and ask for consent to each one (and be prepared for most people to tell you to shove it, as that’s far too many emails).

You must be prepared for people emailing you to ask what information you hold on them and to ask that it be deleted. For the bulk of websites this is usually just an email address and a name, and most people will simply use the unsubscribe link at the bottom of your emails to do this.


We’ve missed the deadline, are we going to prison?

Again, no. It’s all about getting it done, so show you are working towards it and involve your customers. Don’t ignore it though.

Hang on, isn’t this just an EU thing? With Brexit surely we don’t have to bother?

Don’t start me on Brexit… Well, yes, you will have to bother, because ‘the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU’. So unless you actively stop your website being viewed by any EU citizens you are subject to it – even American companies are bound by it if they deal with the EU. You might have come across some sites asking you to agree to your data being moved to the US in order to carry on using their services (Tumblr is one example). The US has pretty lax data privacy rules and those companies are trying to avoid these new ones.

This whole thing is a headache, what do I have to do?

Initially probably just three things:

  1. If you collect data via online forms on your website, ensure that there are prominent tick boxes for people to consent to their data being used by you, and a separate one if you want to send them third party emails.
  2. Update your Privacy Policy, and while you are at it, your Cookie Policy as well. Don’t have them? Well this is your chance to do so. We can help with that.
  3. Check what your current mailing list is made up of, which leads onto the next question…

Do I have to ditch my mailing list?

Depends… If you have cobbled it together from other people’s lists, nicked your last employer’s and added everyone in your and your mum’s contacts to it, then you are on a bit of a slippery slope. Quite frankly that’s not the way to run a mailing list, and I’ll bet your ratio of opens to sent emails is pretty poor anyway.

Only ever email anyone who has consented to receive that email. There has been a cheeky practice by some large companies of emailing people who have unsubscribed with an ‘are your details correct?’ or ‘would you like to hear from us?’ in the hope that they would rejoin the list. This practice was expressly forbidden well before GDPR came along. So never, ever email anyone who has unsubscribed.

What should I do going forward?

The opportunity here is to have a good think about what data you actually need from your website: do you really need their first and last name, address and job title? If you are sending everyone the same email newsletter then all you need is an email address.

Build your mailing lists with software such as Mailchimp or YMLP

All of the major players in email marketing software have sorted their houses out in relation to GDPR; using them is the simplest way to streamline the process going forward. You can create sign-up forms with the right consent options and manage your lists really easily. Keeping a list of email addresses that you copy and paste into the BCC field of an email really isn’t a good way to do direct mail.

Rationalise your email marketing

Only send people the information they signed up for. If you start a new website you can’t just copy the addresses over to a new mailing list; they need to sign up of their own free will. Maybe also take a look at your engagement stats across social media and your emails; if the email figure is really low then perhaps concentrate on the social media side of it.

Further Reading

Your first port of call should be the Information Commissioner’s Office

Actually it should be your last port of call as well; everyone has an opinion on GDPR, but the ICO has the facts.