GDPR and managing your data
Privacy shouldn't be a headache
The following points are our attempt at setting out, in plain English, what you should be doing about your website. What it isn't is a legal guide to your obligations and the letter of the law; see a solicitor for that.
Also, we are talking about all of this in relation to small businesses. If you have a company with over 250 employees you have to keep formal records of your processing, may have to appoint a Data Protection Officer, and jump through an awful lot of hoops. But then you'll already be handling that data really well, won't you? The following discussion is all about websites that only collect information via contact forms and booking forms for specific courses or events; in each of these cases there is a legal basis for that data being 'processed' in accordance with the regulations.
What is the aim of GDPR?
The key thing to remember is that consent sits at the heart of it. Consent is only one of several lawful bases for processing data, but for marketing it is the one that matters: if you collect data from people, even through a simple contact form on your website, you must get the visitor's consent to store it and use it to contact them. If you intend to send them third party emails (i.e. emails on behalf of other companies) you must have their separate consent to that as well.
The big sticking point, and the reason everyone and their dog is asking you to re-subscribe to their mailing list, is that it is retrospective. If you can't prove someone consented to receive your emails you don't have the right to send them anything. So if you have a lovely big mailing list for your marketing emails, plus the odd one from other businesses (that maybe pay you to send it), you'd better stop. If you can't prove that Joe Bloggs specifically opted in to receive that really interesting email about hair loss treatment back in 2006 then you have fallen foul of the law.
Is it the end of direct email marketing?
You must be prepared for people emailing you to ask what information you hold on them and to have it deleted. For the bulk of websites this is usually just an email address and a name, and most people will simply use the unsubscribe link at the bottom of your emails instead. Bear in mind that an unsubscribe is not the same as a deletion request: you still need to keep enough of a record (at minimum the address) to make sure you never email that person again.
We’ve missed the deadline, are we going to prison?
Hang on isn’t this just an EU thing, with Brexit surely we don’t have to bother?
This whole thing is a headache, what do I have to do?
- If you collect data via online forms on your website, make sure there are prominent tick boxes for people to consent to their data being used by you, and a separate one if you want to send third party emails. The boxes must be unticked by default: a pre-ticked box does not count as consent, and neither does burying it in the terms and conditions. Keep a record of when each person ticked which box and what the wording said at the time, because that record is your proof.
- Check what your current mailing list is made up of, which leads onto the next question…
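One way to record that consent so it can be proved later, as an added example that is not part of the original page and not any mailing-list vendor's code. The form field names, the browser's default "on" checkbox value, the versioned consent wording and the record layout are all assumptions; the form submission in the usage note is constructed.

```python
"""Provable consent for a small-site contact form.

Added example, not the page's or any vendor's code. Field names, the
"on" checkbox value and the record layout are assumptions.
"""
import hashlib
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone

# Exact wording shown beside each tick box, keyed by version, so a
# stored record can later show what the visitor actually agreed to.
CONSENT_TEXT = {
    "marketing_v1": "Tick to receive our own news and offers by email.",
    "third_party_v1": "Tick to receive occasional offers from our partners.",
}


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    name: str
    source: str            # which form or action produced this record
    recorded_at: str       # ISO-8601 UTC timestamp
    marketing: bool        # consent to emails from us
    third_party: bool      # separate consent to third-party emails
    marketing_text_id: str
    third_party_text_id: str


def _now_iso(now=None) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


def parse_consent(form: dict, source: str, now=None) -> ConsentRecord:
    """Build a record from submitted form fields (a plain dict here).

    Browsers only send a checkbox field when it is ticked, so a missing
    key means "not ticked". Both flags default to False: a pre-ticked
    box or a silently assumed yes is not valid consent.
    """
    email = (form.get("email") or "").strip().lower()
    if "@" not in email:
        raise ValueError("a valid email address is required")
    return ConsentRecord(
        email=email,
        name=(form.get("name") or "").strip(),
        source=source,
        recorded_at=_now_iso(now),
        marketing=form.get("consent_marketing") == "on",
        third_party=form.get("consent_third_party") == "on",
        marketing_text_id="marketing_v1",
        third_party_text_id="third_party_v1",
    )


class ConsentLog:
    """Append-only log: the history is the evidence of consent."""

    def __init__(self):
        self._entries = []          # ConsentRecord, oldest first
        self._suppressed = set()    # hashes of erased addresses

    @staticmethod
    def _key(email: str) -> str:
        return hashlib.sha256(email.strip().lower().encode()).hexdigest()

    def record(self, rec: ConsentRecord) -> None:
        self._entries.append(rec)

    def latest(self, email: str):
        matches = [r for r in self._entries if r.email == email.lower()]
        return matches[-1] if matches else None

    def may_email(self, email: str, third_party: bool = False) -> bool:
        """True only if the most recent record says yes to that kind of mail."""
        if self._key(email) in self._suppressed:
            return False
        rec = self.latest(email)
        if rec is None:
            return False
        return rec.third_party if third_party else rec.marketing

    def withdraw(self, email: str, source: str = "unsubscribe-link", now=None):
        """Unsubscribe: log a new all-False record instead of editing history."""
        rec = self.latest(email)
        if rec is None:
            return None
        new = replace(rec, source=source, recorded_at=_now_iso(now),
                      marketing=False, third_party=False)
        self._entries.append(new)
        return new

    def held_for(self, email: str) -> list:
        """Answer 'what do you hold on me?' with every record for that address."""
        return [asdict(r) for r in self._entries if r.email == email.lower()]

    def erase(self, email: str) -> int:
        """Answer 'delete it': drop the records but keep a hash so the
        address stays suppressed and is never emailed again by mistake."""
        before = len(self._entries)
        self._entries = [r for r in self._entries if r.email != email.lower()]
        self._suppressed.add(self._key(email))
        return before - len(self._entries)
```

A submission such as `parse_consent({"email": "Joe@Example.com", "name": "Joe Bloggs", "consent_marketing": "on"}, "contact-form")` yields a record with `marketing=True` and `third_party=False`; a value other than `"on"` (for instance a form that was tampered with, or a box that was pre-ticked by script) is treated as no consent. The log is append-only so that the answer to "did Joe opt in, and to what wording?" is always recoverable, and an erasure keeps only a hash so the unsubscribe promise survives the deletion.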
Do I have to ditch my mailing list?
Only ever email anyone who has consented to receive that email. There has been a cheeky practice by some large companies of emailing people who have unsubscribed with an 'are your details correct?' or 'would you like to hear from us?' message in the hope that they would rejoin the list. This practice was expressly forbidden well before GDPR came along. So never, ever email anyone who has unsubscribed.
What should I do going forward?
Build your mailing lists with software such as Mailchimp or YMLP
All of the major players in email marketing software have sorted their houses out in relation to GDPR, and using them is the simplest way to streamline the process going forward. You can create sign-up forms with the right consent wording and manage your lists really easily. Keeping a list of email addresses that you copy and paste into the BCC field of an email really isn't a good way to do direct mail: it gives you no record of consent, no working unsubscribe, and one slip into the CC field instead of BCC sends every address to every recipient, which is a data breach in itself.
Rationalise your email marketing
Only send people information they signed up for. If you start a new website or a new list you can't just copy the addresses over; people need to sign up again of their own free will. It is also worth comparing your engagement stats across social media and email, and if the email figure is really low then perhaps concentrate on the social media side instead.