The advice in this article is only our interpretation of GDPR and PECR and is not legal advice. We strongly recommend you consider how best to manage data protection within your business and seek your own legal advice in deciding how to comply with the new regulations.
From the 25th May 2018 the Data Protection Act (DPA) will be replaced with the EU’s General Data Protection Regulation (GDPR). The changes will impact how businesses have to collect, store and use personal information – this includes customers, employees and suppliers.
What do I need to do for my business?
If you haven’t already considered the impact of GDPR on your organisation the best place to start is with the Information Commissioner’s Office (ICO) who have a range of guides and checklists which will help you with your preparations. The advice and features outlined in this article are only meant to assist you in your data protection compliance and not intended as legal advice. We strongly recommend you seek your own legal advice in deciding how to comply with GDPR. www.ico.org.uk
Who does this change affect?
It will apply to any business, and any person working within a business, who handles personal data on a regular basis.
The new data protection regulations set very high standards for marketing consent, giving individuals real choice and control over precisely what marketing communications they receive. No longer will vague, confusing, blanket terms suffice. The new regulation requires marketing consent to be clear, specific and granular.
Being open and honest with your customers regarding how you will use their personal data is one of the main elements of the GDPR. The most common way to provide this information is in a privacy notice/policy at the time you obtain personal data from them.
All marketing consent options are now presented to the individual specifically on an opt-in basis. If an option is not selected then marketing consent will not be sought and you will not be able to market to that individual via that method of communication.
What do I do with my data collected from the business?
GDPR is about managing the risk. If you collect names and addresses and put them on a clipboard within your business, is there a risk that someone else could see that name and address and use it? Could you split the name from the address, or use only the postcode? If you use an Excel spreadsheet for names and addresses, make it password protected. Share the password only with your team and change it regularly. The ICO suggests you treat personal data as you would a £50.00 note: don’t allow anyone else to get hold of it. Manage the risk. Responsibility comes down to you.
Any third parties who intend to contact your customers are now required to be clearly named when requesting marketing consent.
How long should you keep personal information?
Under the new regulations, people should only hold on to personal data for as long as there is a legitimate reason to do so. If there is no longer any legitimate reason that you should have an individual’s data, you will be required to erase it from your database.
This retention period is calculated from the date of a customer’s last booking. Following the retention period, customers’ historic booking details can remain, but their personal details should be purged and anonymised. If this information is relevant to your business you can keep the data as long as it is encrypted and secure. Manage the risk.
My mailing lists, what now?
If you already have consent to hold the data, and it was collected in line with the new GDPR guidelines, meaning the consent tick box was not automatically checked, then you don’t need to re-ask for consent in May. However, if your checkbox is automatically selected then you will need to ensure this data is stored in line with the new regulation.
Should you wish to use your mailing list contacts from your website after May, you could consider contacting the customers on this mailing list and confirming that they are happy to continue receiving marketing emails from you. You can do this via a simple MailChimp email.
You may also want to consider clearing the mailing list data on your website as of the 25th May, so there is no risk of mailing the old list: after that date you will need to use a list of only those customers who have re-consented, if they had not done so before.
Our recommended checks for website data
In an online focused world with millions of websites collecting sensitive personal data, the new General Data Protection Regulation (GDPR) will have a monumental effect on company websites.
You have a duty to ensure that websites are secure and safe for your customers to use.
If you have any queries regarding your website please go to your website provider for help.
Website pages with pre-filled consent tick boxes
Any pre-filled tick boxes on your website must be removed.
Email customer base
Ask your existing email list customers for consent to continue marketing to them, using MailChimp or a similar mail service. From recommendations we have received, this could be done by sending them an email suggesting they may not want to miss out on further news. However, if they wish to unsubscribe, you must ensure that the unsubscribe link is at the bottom of the email.
Remove old emails from database
Delete your old marketing email list from your website to ensure you do not use the old data. Ask your website provider to help with this.
Your HR documentation
It is your responsibility to remove any old data relating to previous employees. Ensure that any details of employees are safe and secure. Do you allow employees to have access to your data? If so, take responsibility for who is using this personal information, and when and how they are using it.
Proof of Consent
Keep your new consented email list for future use.
When sending future email campaigns, you need to provide an easy opt out option. Mailing providers such as MailChimp have this option built in to make it easier. If a customer opts out, ensure this is updated on your system.
Remember this is advice only and you as individuals are responsible for your own data and how you handle it.
Thanks to all the following companies for helping with this advice.
Floristpro, Ticketsource, HR4UK, Cyber Essentials.