Hi! I’m Julianne. Following 27 years in the Banking industry, I set up my consultancy business in 2018, helping businesses with their compliance. My specialist subject is Data Protection (GDPR). To date, I have helped over 40 businesses of varying sizes, from across a range of sectors become GDPR compliant.
I’m delighted to return with another guest blog for Bramley Business Solutions. Earlier this year I shared a checklist of the actions a business needs to take to be GDPR compliant. This time I explore in more depth GDPR compliance and marketing for small businesses, and why it is so important.
What does being GDPR compliant mean to a small business owner?
GDPR compliance is a requirement for all businesses, whatever size or sector you are in. Even sole traders need to make sure they comply.
I often liken it to an insurance policy: it’s one of those things that’s a pain to sort out, but if you haven’t got it in place and something goes wrong, it could be a very costly mistake!
GDPR is all about accountability, evidence and processes; there is a lot of thinking ‘what if’, much like the insurance scenario.
What about GDPR compliance and marketing for small businesses?
GDPR was never designed to be a barrier for business and shouldn’t stop you from carrying on with your previous marketing activities. What has changed is the thought process behind the consent you need to actually contact someone. Have you got their express permission to call or email them? Can you evidence that they have given consent, or that you have a legitimate interest in making contact?
For example, suppose you are a company that sells children’s clothes online. You’d probably have a database of customers who have bought from you. On the back of a purchase, you might add them to a monthly mailing list for a catalogue. This is fine, as there is a legitimate interest here because they have purchased from you. However, GDPR requires that customers can unsubscribe or opt out of receiving these types of emails without consequence. So they might still want to buy from you but not get regular emails.
You should also have a way of capturing their consent to ‘stay in touch’. This could be an opt-in box on an order form, or you could ask them outright; just make sure you have a way of evidencing their consent.
You also need to think about what information you are actually holding on individuals: is it all relevant, and how long have you had it? I would suggest databases are reviewed on a yearly basis, and to be honest, if someone hasn’t bought anything from you for 18 months, you should probably delete them from your database. Don’t keep things you don’t need! Having a retention policy in place will also help with this and let your staff know when they should get rid of things.
Can you still email prospects or send them letters in the post?
Yes, but think about how you got their information in the first place. Buying in databases is a big NO under GDPR, as there is rarely evidence of consent for the information being passed on. You just need to think: do I have permission or a legitimate reason for contacting this person?
If they have given you a business card, or you met them at a networking event or trade fair, then yes, that’s both legitimate and consent.
If you’ve seen an advert for a business you think might be useful to work with, again this is legitimate, and their advert is giving you consent.
However, cold calling and mass email marketing is a much broader topic. Under the Privacy and Electronic Communications Regulations (PECR) and the Telephone Preference Service (TPS), individuals have specific rights and controls regarding electronic and mailing contact, and you should always check the rules on this before starting any marketing campaign. The ICO, which is the UK’s independent authority and governing body for Data Protection, has had a big crackdown on nuisance calls, especially in the claims management services sector. Here is the link to the ICO section on electronic and telephone marketing.
And existing customers?
As previously mentioned, existing customers will either have given their consent or you will have a legitimate interest in contacting them because they have bought a product or service from you. Just make sure you give your customers the option to opt out or unsubscribe if they want to. Also make sure you have a way of monitoring this, so they don’t accidentally get sent something! Keep your databases refreshed on a regular basis and get rid of redundant customer info.
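One way to put the opt-out monitoring just described and the 18-month retention rule from the earlier section into practice, as an added example that is not part of the original post (the 548-day limit, the record fields and the sample contacts are assumptions):

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The post's rule of thumb: nobody who has not bought anything for 18 months
# should still be on the list. 18 months is approximated as 548 days (assumption).
INACTIVITY_LIMIT = timedelta(days=548)
TODAY = date(2024, 6, 1)  # constructed "run date" for the sample below


@dataclass
class Contact:
    email: str
    last_purchase: Optional[date]      # None if they have never bought from you
    consent_evidence: Optional[str]    # e.g. "order form opt-in 2023-04-02"; None if nothing recorded
    opted_out: bool = False            # set the moment they unsubscribe


def classify(contact: Contact, today: date) -> str:
    """Return what to do with one record before the next mailing goes out."""
    if contact.opted_out:
        # Keep the record as a suppression entry so the address cannot be
        # re-added and accidentally mailed again (the monitoring the post asks for).
        return "suppress"
    stale = (contact.last_purchase is not None
             and today - contact.last_purchase > INACTIVITY_LIMIT)
    if stale:
        return "delete"                 # data you no longer need: get rid of it
    if contact.last_purchase is not None or contact.consent_evidence:
        return "mail"                   # legitimate interest (a purchase) or evidenced consent
    return "review"                     # no basis on record: do not mail until one is found


def triage(contacts: list, today: date) -> dict:
    """Split a whole database into mail / suppress / delete / review lists."""
    result = {"mail": [], "suppress": [], "delete": [], "review": []}
    for c in contacts:
        result[classify(c, today)].append(c.email)
    return result


# Constructed sample database (not real customers).
SAMPLE = [
    Contact("recent@example.com", date(2024, 1, 15), "order form opt-in 2024-01-15"),
    Contact("stale@example.com", date(2022, 9, 1), "order form opt-in 2022-09-01"),
    Contact("unsubscribed@example.com", date(2024, 3, 3), "order form opt-in 2024-03-03", opted_out=True),
    Contact("prospect@example.com", None, "business card, trade fair 2024-05-20"),
    Contact("unknown@example.com", None, None),
]

if __name__ == "__main__":
    for action, emails in triage(SAMPLE, TODAY).items():
        print(f"{action}: {emails}")
```

Running it on the sample lists the stale customer for deletion, keeps the unsubscribed address only as a suppression entry, and holds back the contact with no evidenced basis.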
How does it impact a company website/what measures do you need in place?
You should have a Privacy Notice on your website, especially if you collect contact details from people. If you are selling anything over your site and taking payment, you should also make sure your site is served securely over HTTPS (shown by the padlock symbol in the browser). A cookies policy is also useful, but this depends on the type of functionality your website has. I would recommend asking an IT expert to look at this for you.
Are the rules likely to change in the future?
Data Protection law itself was long overdue for an upgrade. The last one was in 1998; how many of us actually owned a personal computer back then, let alone something as sophisticated as the smartphones we all use today? When the new Data Protection Act was passed in 2018, incorporating the GDPR, it carried with it the essence of the previous DPA but enhanced it for the changes and volume of personal data the digital age has brought us.
In my opinion, there will probably be ‘amendments’ to the DPA2018 over time, particularly as we see the advancement of Artificial Intelligence (AI) creeping into everyday life, and I would like to think it will be reviewed a bit earlier than 20 years this time!
Does it still apply after Brexit?
Yes, very much so. GDPR originally sat as EU law within the UK and has now been adopted as UK law (UK GDPR). Nothing has changed in the general principles of GDPR; however, if you send, receive or store information in any of the remaining EU countries, you will need to make sure you have proper standard contractual clauses and a sharing agreement in place for any data transfers between EU and non-EU countries. If you have carried out proper third-party due diligence within your GDPR compliance, you should already know if you are going to need this.
If businesses are not sure, what should they do?
Check the ICO website (ico.org.uk); it has loads of information for businesses of every size and sector.
At the end of the day, whatever it might cost to get your business compliant, it’s going to be a lot cheaper than a fine from the ICO.