GDPR: A reminder of what it is
The 25th May 2018 came and went, and you and your business kept on doing your thing. Nothing blew up or fell down.
You’ve not yet been fined 4% of annual turnover or up to €20 million. Woo, scary.
The General Data Protection Regulation (GDPR) came into force on that date, and maybe you managed to get compliant before, around or slightly after that.
The executive summary version of the rights in the GDPR (and thank you Intersoft Consulting for the great site; also look here for the UK link) means that as an individual I have:
* the right to be informed
* the right of access
* the right to correct errors
* the right to erase data
* the right to restrict processing
* the right to take it elsewhere (data portability)
* and the right to object
What does GDPR mean in reality?
ANSWER: How you market to customers, emailing personal data, cookies that track personal data (e.g. IP address) on your website – all are impacted by GDPR.
In a small non-scientific study (a.k.a. asking some other small business owners we know) we found that many have either not updated much beyond the privacy notice on their website; think they’re OK because they’ve got fewer than 250 employees; or have stuck their heads in the sand hoping it will go away.
Or even better, like us, you’ve probably come across those whose business is outside Europe – with customers in Europe, small in number though they may be – that think the GDPR is nothing to do with them.
NEWSFLASH: GDPR affects us all. One way or another.
For those that did take some action, what was your solution?
- Did you change your procedures for opt-in, opt out?
- Did you spam everyone asking for fresh consent to email them?
- If you’re outside Europe, did you block anyone in Europe from your website?
- Insist on visitors accepting your privacy policy before they can take a peek at your stuff?
Myth busting
The Data Protection Officer
If you’re a small business, even with fewer than 250 employees, GDPR matters.
If you’re processing personal data, which you are doing if you have employees and customers, then you need to operate within the regulation.
It’s not the size of your company that matters, it’s all about what data you might be processing and storing (if your company is in the UK here’s the info).
You don’t need a Data Protection Officer (DPO) unless you meet certain conditions (and remember, this applies regardless of how many employees your company has). For instance, if you’re processing sensitive personal data on a large scale, or your data processing activities have far-reaching consequences for the rights of the data subjects, then the company has to appoint a DPO.
The good news is that you can outsource the service and even share the DPO role with other companies. And yes, even if your business is outside the European Union, you might need to appoint a DPO. Yes, even if you’re in the US.
Consent
And how many emails did you send, asking for consent to keep emailing your past customers?
How many emails did you receive asking for your consent?
If you were already (with a lawful basis) using customer data for the purpose it was intended, you were and are storing it securely, and you’re not passing it to others, you didn’t need to ask for consent.
You do need evidence of consent where you don’t have any other valid reason for processing that person’s data (e.g. because of a contract, or you’re a public body of some kind). And you need a record of it.
Opt-in not Opt-out
Don’t make me untick a box: invite me in.
Ask my permission. Invite me to TICK the box, and to freely choose to join, or buy and sign up.
And no, GDPR doesn’t require a double opt-in, i.e. asking me to opt in, collecting my email address and then validating my email by getting me to click another link.
You can make the case that this is good practice to help customers ensure their email address is not being misused. But it’s nothing to do with GDPR. Remember, you should be wooing your customers, not hacking them off with tortuous processes.
So far, so boring all this compliance stuff, right? You haven’t got the will to drown in the zillions of pages of gobbledegook that you don’t have time to read.
Compliance vs Conscience
Here’s a thought: follow a Culture of Conscience, not a Culture of Compliance.
Think about the Customer Experience you’re creating.
I’m based in the UK, and I browse content worldwide, whether it’s on LinkedIn, websites, Facebook, wherever online.
How’s this for customer experience – we’ve all seen it: countless times you follow a link to an interesting article on, say, a US-based website, and I can’t darn well get there. Instead I just get a ‘Blehhhhhhhh, you appear to be in Europe, go away’ type message.
Yes, yes, I could do techie stuff to mask my IP address and get around them knowing I’m in Europe (in these pre-Brexit days). But seriously, is that a Customer Experience we want?????
What??? In this day and age of global business?
What really sets my hair on fire are the sites that offer you the chance to manage cookies and review the privacy policy, then send you to a list of literally hundreds of third-party providers whose cookies you want to turn off – but you can’t get past being launched into each provider’s own website and cookie policy – and off we go, scrabbling down the rabbit hole… Unbelievable.
Completely against the spirit of the regulation, if not actually breaking it.
Allegedly many of these companies are ‘working on solutions’.
(You had since 2016 to get this right, people. Duh?)
What’s more, there are some great solutions out there, including Cookiebot and OneTrust, to name but a few.
In the meantime, as readers, prospects, customers and subscribers – we’re shopping elsewhere. Bye. Bye. See ya.
Culture of Conscience
Do these basic things to engage your customers within the spirit and the letter of the GDPR:
1 Websites:
a. Offer an option to easily switch Cookies on/off (apart from the essential functional cookies) instead of exhausting visitors with the options needed to switch the darn things off. Some people want to switch all of them off – deal with it and provide that option. Otherwise, you’re offering a tortuous opt-out instead of an opt-in, which breaks the regulation.
i. Why? Because you may knowingly or unknowingly be using a plug-in/widget/extension with a Cookie that identifies your users by their IP address. That’s personal data under the GDPR, and you must have explicit consent to collect it.
b. Make sure your Privacy Notice on your website has detail about what you do with personal data as well as Cookies and how to reject them.
We’ve seen plenty that say something like: “We don’t use cookies but the software providers use some cookies to make your travels around the website easier. And oh yeh, there’s some security cookies that do some stuff.” That communicates that it’s nothing to do with you when it is. It’s your responsibility. Show me what you’re doing with my personal data including cookies, then let me decide.
2 Email and marketing:
a. Build trust and transparency by making it easy and obvious to opt-in.
And make it clear what you are asking people to opt-in to.
Don’t trick people into joining your newsletter/subscription list/weekly promos etc. You mustn’t coerce people to opt-in – they have to freely consent. You can make offers of goodies to encourage opt-in, but you mustn’t punish those who don’t.
And no opt-outs. Period.
b. And of course, make it easy to Unsubscribe. Without having to navigate your Cookie policy first.
a. Make sure your providers, data locations, hardware and software let you take care of your customer and employee data like it’s the crown jewels.
Protect it like it’s your own bank account password.
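An added example (not code from the original post) of the opt-in gating described in 1a and the consent record mentioned under Consent: non-essential cookie categories default to off, only an explicit tick counts, withdrawal is one call, and the record keeps when and under which privacy-notice version consent was given. The category names, script URLs and policy version are constructed placeholders.

```javascript
// Opt-in (not opt-out) consent gating for non-essential cookies.
// Category names and the script manifest below are constructed for illustration.
const ESSENTIAL = "essential";
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Default state: every non-essential category is OFF until the visitor ticks it.
function defaultConsent() {
  const state = { [ESSENTIAL]: true };
  for (const c of OPTIONAL_CATEGORIES) state[c] = false;
  return state;
}

// Build a consent record from the visitor's explicit choices.
// Only a literal `true` counts; anything missing or merely truthy stays OFF,
// so a pre-ticked or ambiguous form value can never grant consent.
function recordConsent(choices, policyVersion, now = new Date()) {
  const granted = defaultConsent();
  for (const c of OPTIONAL_CATEGORIES) granted[c] = choices[c] === true;
  return {
    granted,
    policyVersion,                 // which privacy notice the visitor saw
    recordedAt: now.toISOString(), // evidence of when consent was given
    withdrawn: false,
  };
}

// Withdrawing must be as easy as granting: non-essential categories go back to OFF,
// while the original record details are kept as evidence.
function withdrawConsent(record, now = new Date()) {
  return { ...record, granted: defaultConsent(), withdrawn: true, withdrawnAt: now.toISOString() };
}

// Gate third-party scripts on the stored record. Essential scripts always load;
// anything else loads only if its category was explicitly granted. No record = nothing optional.
function scriptsAllowedToLoad(record, scripts) {
  const granted = record ? record.granted : defaultConsent();
  return scripts.filter((s) => s.category === ESSENTIAL || granted[s.category] === true);
}

// Constructed sample script manifest (placeholder URLs, not real providers).
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", category: ESSENTIAL },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
```

In a real page the loader would only inject `<script>` tags for the entries `scriptsAllowedToLoad` returns, and the record would be stored server-side so it can be produced on request.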
Treat your customers and their data with respect (and comply with the GDPR) and you’ll have a solid foundation: compliant, respectful, and built on a Culture of Conscience towards your customers.