So, what do you need to do for GDPR?
We’ve investigated this issue from the digital marketing perspective for months because we are digital marketers and we wish to help our clients comply with these regulations.
That said, we’re not lawyers, so we cannot and do not give legal advice. Also, we limit the scope of the compliance services we provide to the digital marketing arena. There may be more you need to do offline, but the general principles still apply.
You can break down what you need to do by looking at the data you’ve collected in the past and the data you intend to collect in the future:
Regarding personal data you’ve obtained in the past
First, what’s meant by personal data? According to the ICO:
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
In non-legalese: personal data means names, phone numbers, e-mails, comments, questions, and even IP addresses and other digital data that tools like Google Analytics collect in the background. This data remains personal data regardless of what you did with it (even if you never sent anyone an e-mail or called anyone back). Merely storing this data requires you to comply with the GDPR.
If the e-mail address is a generic one such as info@ or sales@, it’s not personal data, because you cannot identify a person from such an address. Furthermore, if you do business with other businesses, note that sole traders and partnerships count as individuals and are therefore affected by the GDPR.
First, you’ll need to:
- Audit and document any personal data you have collected and log where it came from and with whom you share it.
- Review and document the legal basis for the processing of data (there are six legal bases for data processing which you can learn more about on the ICO site).
- Prepare and e-mail a re-engagement campaign to existing list members and get them to give you fresh consent to the GDPR standard to market to them.
Regarding personal data that you intend to collect in the future
You’ll need to:
- Add opt-in wording for explicit, affirmative and granular consent on all online forms. “The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.”
- Opt-in language must be transparent and easy to understand (a good test is to show it to an 8-year-old; if they understand what you’ve written, you’re likely safe).
- You must keep a record of this consent.
- Update or add a privacy notice to your website (where you explicitly tell people they can withdraw their consent for their data to be processed, among other things).
- Ensure data processors are compliant with GDPR (ideally with a Data Processor Agreement).
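One way to model the granular, affirmative consent and the consent record that the list above calls for, as an added JavaScript example that is not code from the original page; the purposes, notice version and field names are constructed assumptions:

```javascript
// Added example (not from the original page): a model of a GDPR-style
// consent form and the consent record kept for it. All names are constructed.

// Granular purposes, each with its own checkbox, kept separate from the T&Cs.
const PURPOSES = Object.freeze({
  newsletter: "Send me the monthly e-mail newsletter",
  offers: "Tell me about offers and promotions by e-mail",
});
const NOTICE_VERSION = "privacy-notice-2018-05"; // constructed placeholder

// No pre-ticked boxes: every purpose starts unchecked.
function initialFormState() {
  return { acceptedTerms: false, purposes: { newsletter: false, offers: false } };
}

// Turn a submitted form into a consent record, or throw if the submission
// shows no clear affirmative action for any marketing purpose.
function recordConsent(submission, now = new Date()) {
  const granted = Object.keys(PURPOSES).filter(
    (p) => submission.purposes[p] === true, // only an explicit tick counts
  );
  // Accepting the terms is not marketing consent; the two stay separate.
  if (granted.length === 0) {
    throw new Error("no marketing purpose was affirmatively selected");
  }
  return {
    email: submission.email,
    purposes: granted,
    // Record the exact wording and notice version the person agreed to.
    wording: Object.fromEntries(granted.map((p) => [p, PURPOSES[p]])),
    noticeVersion: NOTICE_VERSION,
    givenAt: now.toISOString(),
    withdrawn: {},
  };
}

// Withdrawal is per purpose and is logged rather than deleting the record.
function withdrawConsent(record, purpose, now = new Date()) {
  return { ...record, withdrawn: { ...record.withdrawn, [purpose]: now.toISOString() } };
}

// The check to run before sending a marketing message for a given purpose.
function mayMarket(record, purpose) {
  return record.purposes.includes(purpose) && !(purpose in record.withdrawn);
}
```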
In a nutshell, that’s your GDPR to-do list.
GDPR sounds like a lot of work, doesn’t it?
It does. And it’s new work that is unlikely to be part of a new website build because the web developer is likely not interested in how you’ve collected data in the past and what to do with it now. Furthermore, much of the detail regarding what you need to have in place has only come to light recently as legal experts translate the legalese into actionable steps businesspeople can take.
We estimate that in most cases doing all of this will take at least 12 hours of work, and that assumes you have templates you can readily adapt. We approached lawyers to help us quote this work, and we received estimates of as high as £5000.
So, what are your options regarding GDPR compliance?
Option 1 – Do nothing
The least attractive option. At the very least, you must show you are taking an interest in your users’ data and making an effort to protect it. Should you ever suffer a data breach or a slew of complaints, the ICO will not look favourably on negligence.
Option 2 – Stop marketing online!
That’s an undesirable option. There is no need to stop collecting and processing personal information; you merely have to do it correctly, and doing it correctly isn’t that difficult. Ceasing marketing activities because of the GDPR is counter-productive to your aims as a business and is an overreaction to regulations that will likely only become stricter over time.
Furthermore, stopping marketing activity does not save you from taking actions towards becoming GDPR compliant because “Processing” includes storing personal data, not solely collecting it in the future.
Option 3 – Prepare for GDPR yourself
That is a viable option, provided you have the time and the ability to make all of the above updates. Furthermore, we can direct you to templates provided by a lawyer from the UK who has been qualified for 20 years. Suzanne Dibble, the author, is a data protection lawyer who knows what the GDPR is all about. She also understands digital marketing and, at the moment, runs the most significant Facebook group about the GDPR.
Suzanne also provides a GDPR Pack, which is a collection of over 20 vital templates you can use to get compliant. The package is an astonishing bargain at £197 [affiliate link], and it comes with a two-hour long training video you can watch to get your head around the details. Mind you, you’ll need to do everything yourself, but should you get stuck the Facebook Group is helpful, and Suzanne can provide 1-to-1 legal advice for your specific circumstances at the rate of £300/hour.
Option 4 – Let us get your digital marketing GDPR compliant
The most straightforward choice by far. We’ll buy Suzanne’s GDPR kit on your behalf (this is necessary because we do not own the copyright) and then carry out all of the steps mentioned above to deal with your past data and prepare you to collect data after May 25th (assuming you give us the go-ahead in time!).
Should you have any special requests or specific legal advice requirements that exceed the scope of these services, we’ll refer you to Suzanne for additional help.
Doctors can consider GDPR an opportunity to build trust
Privacy and data protection may feel like a time-consuming nuisance, but it is in everyone’s interest. Further, by asking your list to give you fresh consent you can:
- Better target your marketing to those who wish to remain engaged
- Improve deliverability and engagement in the future
- Gain a competitive advantage by being accountable for data protection. Many of your colleagues may not be remotely concerned about GDPR, and this is an opportunity for you to stand out as a service provider that is up to date with how one does business in the 21st century.
In the wise words of the legendary marketer Seth Godin:
“The noise will go down, and the trust will go up…
Talk to people who want to be talked to. Market to people who want to be marketed to. Because anticipated, personal and relevant messages will always outperform spam. And spam is in the eye of the recipient.
In two simple words: Ask First.”