General Data Protection Rules has got everyone in a bit of a tizz. Don’t ignore it: 25th May 2018 is the date on which the new GDPR law comes into force, and every business needs to be ready for it. Regardless of the size of your business, large or small, this applies to you, irrespective of looming Brexit.
The aim of the GDPR is to protect all individuals from privacy and data breaches in an increasingly data-driven world. Therefore, the new laws take into account how we collect, store and manage individuals' data. They also cover how the data is processed, whether for marketing purposes or for managing employee data. Companies will have greater accountability for how they process data, and any breaches could see fines of up to 4% of annual worldwide turnover or 20 million euros (whichever is greater).
I am no legal eagle and this is quite a complex topic for someone like me to try and cover here. Never fear, there is so much help out there at the moment to get your business up to speed and on the right track for the new changes in May. Onwards and Up have listed a selection of resources, including useful workshops to attend and legal resources that can assist you further on this.
What I am going to do is provide us with some suggestions around managing your customer mailing lists. For any customer-orientated business, mailing lists are the lifeblood of growing your sales and reaching new customers.
Contacts from collected business cards, mailing list sign-up sheets at events, your social network connections and people you have emailed can no longer JUST be added to your mailing list. Take note of the tips below to ensure you get your house in order.
What is Personal and Sensitive Data?
Personal data is data which relates to a living individual who can be identified from that data. This also includes sensitive data, which ranges from racial or ethnic origin through to political opinions, sexual orientation etc.
It is assumed that information about these matters could be used in a discriminatory way and is likely to be of a private nature, so it needs to be treated with greater care than other personal data.
The conditions for consent have been strengthened: the request for consent must be given in an intelligible and easily accessible form, using clear and plain language, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters. It must be as easy to withdraw consent as it is to give it.
Therefore, individuals MUST GIVE EXPLICIT consent to be added to your mailing list. You must then store the permission for every contact (i.e. the date of sign-up and their IP address when they signed up).
Use an Automated Mailing System to Build Your Customer Database
There are many email automation systems out there that can help you to manage your email database and ensure that you comply with relevant regulations. Keeping contacts listed on spreadsheets will not cut it any more. A safe, secure system is a must. These systems can also help you to manage those who leave your database, to ensure you are not bombarding individuals with unsolicited information.
These types of systems enable you to capture details and store them in a compliant manner that adheres to the GDPR.
Check out the selection of email automation systems, some of which are free while others require payment.
If you are storing sensitive customer information on spreadsheets, always make sure it is password protected. Only give the password to those who need to know.
Sign Up Sheets
Make it clear on the signup sheet what their information will be used for and if it is to be added to a customer mailing list.
As with any signup email, you should state where the customer submitted their details to be added to your mailing list. Always make this clear in your email. For audit trail purposes, keep scanned and dated copies of the signup sheets that customers added their details to.
If you are using an email automation system, make sure that your settings are set to double opt-in on all new subscribers to your list. Whether you have actively input the details yourself or the customer has registered, double opt-in ensures that the customer has consented to be mailed to.
Building Your Mailing List Through Special Offers
If you are building your mailing list by offering premium content or freebies in exchange for an email address, you must specify that they will be added to your mailing list. A customer signing up for the special offer has not signed up for your mailing list if you have not clearly stated this. Make it clear what you are capturing individuals' details for.
Do Not Re-Purpose Contacts For New Lists
You have lots of customer lists and want to make it easy when sending out because they all signed up for the same thing, right? No, it is prohibited to take contacts from one list and add them to another. If you want customers to be part of a new list, then you will need to contact them and ask for their consent to be added.
Collaborations with Third Parties
Sending emails on behalf of 3rd parties to your database, or sharing your database with the third party, without having asked for explicit consent from your subscribers is a big no-no. Customers did not sign up to your mailing list to be sold products from a 3rd party.
If you do want to run a collaboration with a 3rd party partner, you will need to provide customers with full details of the 3rd party and obtain their consent.
Further on from this, if you are thinking of buying or have bought a database to boost your mailing list, these contacts have potentially not provided explicit consent for you to mail them. Under the new GDPR law, it will be prohibited to buy databases, on the grounds of lack of consent.
Make sure your policy contains details of all the cookies that your website uses to collect data and how this data is processed.
Data Protection Laws Are Different in Every Country – Check!
It is a legal requirement for you to comply with the email regulations of the country of the subscriber rather than the country where the email is being sent from.
For more information on different countries' data protection laws, check out the link.
In the lead-up to the new rules coming into play, it is important that all your existing databases with customer details comply with the new laws. If your existing databases/mailing lists do not comply, then a little re-engagement activity needs to be carried out.
Yes, this may be scary, as that mailing list of 4000 customers may disappear overnight. On the brighter side, you’ll have a more GDPR compliant list and an actual list of individuals who want to be on your list and are willing to engage.
Think of it as a spring clean! Many automation systems will thank you for this rather than penalise you for poor data and too many people unsubscribing.
So there you have it, a quick list of things to run through on your processes in preparation for 25th May. This is a rough guide focused on mailing lists. As always, ensure you get some legal advice on your current risk and how to reduce it.
Information Commissioner's Office – Guide to Data Protection
Bird and Bird GDPR
Fox Williams GDPR
Hubspot GDPR Playbook – A range of tools to help enable easier compliance.