GDPR advice for florists - British Florist Association

GDPR advice for florists

The advice in this article is only our interpretation of GDPR and PECR and is not legal advice. We strongly recommend you consider how best to manage data protection within your business and seek your own legal advice in deciding how to comply with the new regulations.

From the 25th May 2018 the Data Protection Act (DPA) will be replaced with the EU’s General Data Protection Regulation (GDPR). The changes will impact how businesses have to collect, store and use personal information – this includes customers, employees and suppliers.

What do I need to do for my business?

If you haven’t already considered the impact of GDPR on your organisation, the best place to start is with the Information Commissioner’s Office (ICO), who have a range of guides and checklists which will help you with your preparations: www.ico.org.uk. The advice and features outlined in this article are only meant to assist you in your data protection compliance and are not intended as legal advice. We strongly recommend you seek your own legal advice in deciding how to comply with GDPR.

Who does this change affect?

It will apply to any business, and any persons working within a business, who handle personal data on a regular basis.

The new data protection regulations set very high standards for marketing consent, giving individuals real choice and control over precisely what marketing communications they receive. No longer will vague, confusing, blanket terms suffice. The new regulation requires marketing consent to be clear, specific and granular.

Customer Consent

Being open and honest with your customers regarding how you will use their personal data is one of the main elements of the GDPR. The most common way to provide this information is in a privacy notice/policy at the time you obtain personal data from them. 

All marketing consent options are now presented to the individual specifically on an opt-in basis. If an option is not selected then marketing consent will not be sought and you will not be able to market to that individual via that method of communication.

The regulation also requires companies to ensure they make individuals aware of how their information will be processed and used, such as in a Privacy Policy. See the BFA Privacy Policy as an example.

What do I do with my data collected from the business?

GDPR is about managing the risk. If you collect names and addresses and put them on a clipboard within your business, is there a risk that someone else could see that name and address and use it? Could you split the name and address, or just use the postcode? If you use an Excel spreadsheet for names and addresses, make it password protected. Share the password with your team and change it regularly. The ICO suggest you treat data as you would a £50.00 note: don’t allow anyone else to get hold of it. Manage the risk. Responsibility comes down to you.

Third Parties

Any third parties who intend to contact your customers are now required to be clearly named when requesting marketing consent.

How long should you keep personal information?

Under the new regulations, people should only hold on to personal data for as long as there is a legitimate reason to do so. If there is no longer any legitimate reason that you should have an individual’s data, you will be required to erase it from your database.

This retention period is calculated from the date of a customer’s last booking. Following the retention period, customers’ historic booking details can remain, but their personal details should be purged and anonymised. If this information is relevant to your business you can keep the data as long as it is encrypted and secure. Manage the risk.
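The retention rule above (count from the last booking, then strip the personal details but keep the order history) is easy to get wrong when a customer has several bookings: only the most recent one decides whether the whole history is still in its retention period. The following is an added example, not code from the BFA or any of the companies credited on this page. The two-year retention period, the record layout and the sample bookings are all assumptions made for the illustration; the article itself gives no retention figure.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Assumed retention period; the article gives no figure, so this is a placeholder.
RETENTION_DAYS = 2 * 365


@dataclass(frozen=True)
class Booking:
    customer_id: str
    name: str
    address: str
    email: str
    booked_on: date
    item: str
    amount_gbp: float


def latest_booking_per_customer(bookings):
    """Map each customer id to the date of their most recent booking."""
    latest = {}
    for b in bookings:
        if b.customer_id not in latest or b.booked_on > latest[b.customer_id]:
            latest[b.customer_id] = b.booked_on
    return latest


def anonymise(b):
    """Keep the order history, remove everything that identifies the person."""
    return replace(b, customer_id="anonymised", name="", address="", email="")


def apply_retention(bookings, today, retention_days=RETENTION_DAYS):
    """Return a copy of the booking list with expired customers anonymised.

    The cut-off is measured from each customer's LAST booking, so an old
    booking by a customer who ordered recently is kept intact.
    """
    cutoff = today - timedelta(days=retention_days)
    latest = latest_booking_per_customer(bookings)
    return [anonymise(b) if latest[b.customer_id] < cutoff else b for b in bookings]


def sample_bookings():
    # Constructed sample data for the example; not real customers.
    return [
        Booking("c1", "Alice Example", "1 Rose Lane", "alice@example.com",
                date(2015, 3, 1), "bouquet", 35.0),
        Booking("c1", "Alice Example", "1 Rose Lane", "alice@example.com",
                date(2016, 2, 14), "roses", 50.0),
        Booking("c2", "Bob Example", "2 Lily Road", "bob@example.com",
                date(2016, 1, 1), "wreath", 60.0),
        Booking("c2", "Bob Example", "2 Lily Road", "bob@example.com",
                date(2018, 5, 20), "bouquet", 40.0),
    ]


if __name__ == "__main__":
    for b in apply_retention(sample_bookings(), date(2018, 5, 25)):
        print(b)
```

Running it with a "today" of 25 May 2018 anonymises both of Alice's bookings (her last order was February 2016, outside the assumed two years) but leaves Bob's January 2016 booking untouched because he ordered again in May 2018. Whatever the real store is (spreadsheet, website database, till system), the same rule applies: delete or blank the identifying columns in place rather than keeping an un-anonymised copy alongside.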

My mailing lists, what now?

If you already have consent to hold the data, and it was collected in line with the new GDPR guidelines, meaning the consent tick box was not automatically checked, then you don’t need to re-ask for consent in May. However, if your checkbox is automatically selected then you will need to ensure this data is stored in line with the new regulation.

Should you wish to use your mailing list contacts from your website after May you could consider getting in contact with the customers on this mail list and confirm they are happy to continue receiving marketing emails from you. You can do this via a simple MailChimp email.

You may also want to consider clearing the mailing list data on your website as of the 25th May so there is no risk of mailing the old list, since you will need to use a list containing only those who have reconsented (if they had not already done so).

Our recommended checks for website data

In an online focused world with millions of websites collecting sensitive personal data, the new General Data Protection Regulation (GDPR) will have a monumental effect on company websites.

You have a duty to ensure that websites are secure and safe for your customers to use.

If you have any queries regarding your website please go to your website provider for help.

Website pages with prefilled consent tick boxes

Any pre-filled tick boxes on your website must be removed.

Email customer base

Ask your existing email list customers for consent to continue marketing to them using MailChimp or a similar mail service. From recommendations we have received, this could be done by sending them an email suggesting they may not want to miss out on further news; however, if they wish to unsubscribe, you must ensure that the unsubscribe link is at the bottom of the page.

Remove old emails from database

Delete your old marketing email list from your website to ensure you do not use the old data. Ask your website provider to help with this.

Your HR documentation

It is your responsibility to remove any old data from previous employees. Ensure that any details of employees are safe and secure. Do you allow employees to have access to your data? If so, take responsibility for who is using this personal information, and when and how they are using it.

Proof of Consent

Keep your new consented email list for future use.

Privacy Policy

Check you are happy that your Privacy Policy online is compliant with GDPR.

Unsubscribe options

When sending future email campaigns, you need to provide an easy opt out option. Mailing providers such as MailChimp have this option built in to make it easier. If a customer opts out, ensure this is updated on your system.
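The three checklist items Proof of Consent, Unsubscribe options and the earlier point about pre-filled tick boxes all come down to keeping one reliable record per contact and channel: consent only exists if the person actively ticked the box, the record shows when and where they did so and what wording they agreed to, and an opt-out overrides any earlier opt-in. The following is an added example of such a consent record, not code from the BFA, MailChimp or any of the credited companies. The field names, the form-value convention and the sample contacts are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    channel: str          # e.g. "email" or "sms"; consent is granular per channel
    granted: bool         # True = opt-in, False = opt-out
    recorded_at: datetime
    source: str           # where it was captured, e.g. "website-signup"
    wording: str          # the exact statement the person agreed to (the proof)


def consent_from_form(form, field_name):
    """Interpret a submitted web form: only an explicit tick counts as consent.

    Browsers omit unchecked checkboxes from the submission entirely, so a
    missing field is "no consent" rather than an error. A pre-ticked box
    would make this True by default, which is exactly what GDPR forbids.
    """
    return form.get(field_name) in ("on", "yes", "true")


class ConsentLedger:
    """Append-only list of consent events; the latest event per contact and channel wins."""

    def __init__(self):
        self._events = []

    def opt_in(self, email, channel, source, wording, when):
        self._events.append(ConsentEvent(email, channel, True, when, source, wording))

    def opt_out(self, email, channel, source, when):
        # An unsubscribe is recorded, never deleted, so the history stays auditable.
        self._events.append(ConsentEvent(email, channel, False, when, source, "unsubscribe"))

    def has_consent(self, email, channel):
        latest = None
        for e in self._events:
            if e.email == email and e.channel == channel:
                if latest is None or e.recorded_at >= latest.recorded_at:
                    latest = e
        # No record at all means no consent: opt-in only.
        return latest is not None and latest.granted

    def mailing_list(self, channel):
        """Contacts it is currently permitted to market to on this channel."""
        emails = {e.email for e in self._events if e.channel == channel}
        return sorted(x for x in emails if self.has_consent(x, channel))

    def proof(self, email, channel):
        """Full consent history for one contact, for when someone asks to see it."""
        return [e for e in self._events if e.email == email and e.channel == channel]


WORDING = "Yes, send me news and offers from the shop by email."


def sample_ledger():
    # Constructed sample contacts for the example; not real people.
    ledger = ConsentLedger()
    ledger.opt_in("alice@example.com", "email", "website-signup", WORDING,
                  datetime(2018, 5, 26, 9, 0))
    ledger.opt_in("bob@example.com", "email", "reconsent-campaign", WORDING,
                  datetime(2018, 5, 26, 10, 0))
    ledger.opt_out("bob@example.com", "email", "unsubscribe-link",
                   datetime(2018, 6, 1, 12, 0))
    # carol never ticked anything, so she never appears as consented.
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    print(ledger.mailing_list("email"))
    for event in ledger.proof("bob@example.com", "email"):
        print(event)
```

The mailing list is always derived from the ledger rather than maintained as a separate spreadsheet, so an unsubscribe recorded here drops the contact from the next campaign automatically; if a mailing provider handles unsubscribes for you, the same opt-out event should be written back into this record so the two never disagree.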


Remember this is advice only and you as individuals are responsible for your own data and how you handle it.

Thanks to all the following companies for helping with this advice.
Floristpro, Ticketsource, HR4UK, Cyber Essentials.  
