General Data Protection Rules has got everyone in a bit of a tizz.  Don’t ignore it: 25th May 2018 is the date on which the new GDPR law comes into force, and every business needs to be ready for it.  Whatever the size of your business, large or small, this applies to you, irrespective of looming Brexit.

The aim of the GDPR is to protect all individuals from privacy and data breaches in an increasingly data-driven world. Therefore, the new laws take into account how we collect, store and manage individuals’ data.  They also cover how the data is processed, whether for marketing purposes or for managing employee data.  Companies will have greater accountability for how they process data, and any breaches could see fines of up to 4% of annual worldwide turnover or 20 million euros (whichever is greater).

I am no legal eagle and this is quite a complex topic for someone like me to try and cover here.  Never fear, there is so much help out there at the moment to get your business up to speed and on the right track for the new changes in May.  I have listed a selection of resources, covering useful workshops to attend and legal resources that can assist you further on this.

What I am going to do is provide some suggestions around managing your customer mailing lists.  For any customer orientated business, mailing lists are the lifeblood of growing your sales and reaching new customers.

Contacts from business cards you collect, mailing list sign-up sheets at events, your social network connections and people you have emailed can no longer JUST be added to your mailing list. Take note of the tips below to ensure you get your house in order.


What is Personal and Sensitive Data?

Personal data is data which relates to a living individual who can be identified from that data.  This also includes sensitive data, which ranges from racial or ethnic origin through to political opinions, sexual orientation, etc.

It is assumed that information about these matters could be used in a discriminatory way and is likely to be of a private nature, so it needs to be treated with greater care than other personal data.


Get Consent

The conditions for consent have been strengthened: the request for consent must be given in an intelligible and easily accessible form, using clear and plain language, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters. It must be as easy to withdraw consent as it is to give it.

Therefore, individuals MUST GIVE EXPLICIT consent to be added to your mailing list. You must then store the permission for every contact (i.e. the date of sign-up and their IP address when they signed up).


Use an Automated Mailing System to Build Your Customer Database

There are many email automation systems out there that can help you to manage your email database and ensure that you comply with relevant regulations.  Keeping contacts listed on spreadsheets will not cut it any more.  A safe and secure system is a must.  These systems can also help you to manage those who leave your database, to ensure you are not bombarding individuals with unsolicited information.

These types of systems enable you to capture details and store them in a data-compliant manner that can adhere to the GDPR.

Check out the selection of email automation systems, some of which will be free and others of which require payment.

If you are storing sensitive customer information on spreadsheets, always make sure they are password protected.  Only give the password to those who need to know.


Sign Up Sheets

Make it clear on the sign-up sheet what customers’ information will be used for and whether it is to be added to a customer mailing list.

As with any sign-up email, you should state where the customer submitted their details to be added to your mailing list.  Always make this clear in your email.  For the purposes of an audit trail, keep scanned and dated copies of the sign-up sheets that customers added their details to.


Double Opt-in

If you are using an email automation system, make sure that your settings are set to double opt-in for all new subscribers to your list. Whether you have actively input the details yourself or the customer has registered, double opt-in ensures that the customer has consented to being mailed.


Building Your Mailing List Through Special Offers

If you are building your mailing list through offering premium content or freebies in exchange for an email address, you must specify that subscribers will be added to your mailing list. A customer signing up for the special offer does not mean that they have signed up for your mailing list if you have not clearly stated this. Make it clear what you are capturing individuals’ details for.


Do Not Re-Purpose Contacts For New Lists

You have lots of customer lists and want to make it easy when sending out, because they all signed up for the same thing, right? No, it is prohibited to take contacts from one list and add them to another.  If you want customers to be part of a new list, then you will need to contact them and ask for their consent to be added.


Collaborations with Third Parties

Sending emails on behalf of 3rd parties to your database, or sharing your database with the third party, without having asked for explicit consent from your subscribers is a big no-no. Customers did not sign up to your mailing list to be sold products from a 3rd party.

If you do want to run a collaboration with a 3rd party partner, you will need to provide customers with full details of the 3rd party and obtain their consent.

Further on from this, if you are thinking of buying or have bought a database to boost your mailing list, these contacts have potentially not provided explicit consent for you to mail them.  Under the new GDPR law, it will be prohibited to buy databases, on the grounds of lack of consent.


Privacy Policy

Ensure that you have an up-to-date privacy policy on your website, offers and subscriptions, making it clear to individuals how their data and information will be used and stored.

The Information Commissioner’s Office provides detailed information on content required in a privacy policy.

Make sure your policy contains details of all the cookies that your website uses to collect data and how this data is processed.


Data Protection Laws Are Different in Every Country – Check!

It is a legal requirement for you to comply with the email regulations of the subscriber’s country rather than those of the country the email is being sent from.

For more information on different countries’ data protection laws, check out the link.


Existing Databases

In the lead-up to the new rules coming into play, it is important that all your existing databases with customer details comply with the new laws.  If your existing databases/mailing lists do not comply, then a little re-engagement activity needs to be carried out.

Yes, this may be scary, as that mailing list of 4000 customers may disappear overnight.  On the brighter side, you’ll have a more GDPR-compliant list and an actual list of individuals who want to be on your list and are willing to engage.

Think of it as a spring clean! Many automation systems will thank you for this rather than penalise you for poor data and too many people unsubscribing.

So there you have it, a quick list of things to run through on your processes in preparation for 25th May.  This is a rough guide focused on mailing lists.  As always, ensure you get some legal advice on your current risk and how to reduce it.


Additional Resources

Report

Information Commissioner’s Office – Guide to Data Protection

Legal

Bird and Bird GDPR

Fox Williams GDPR

Hubspot GDPR Playbook – A range of tools to help enable easier compliance.

