Small businesses are urged to find out about the new regulations, and what they are going to mean for them, before they come into force.
This post is a quick guide to the main dos and don’ts in order to get you thinking. For a more comprehensive guide, which also includes examples of how to follow the guidelines, click here.
Do: Take a look at your data
The first thing to do is to look through the customer databases that you have to see what information you currently hold on your customers, orders, subscribers etc.
Then, there are four questions to ask yourself about the data you’re holding:
• Why do you need the information?
• How are you using it?
• How long have you held the data?
• When and how did the customers sign up to your email database?
The new rules state that you should only hold on to personal data for a “reasonable” length of time. But defining “reasonable” can depend on a number of factors. For example, if you obtained the person’s information because of a single sale then there’s no good reason to still hold on to it for more than a few months.
But if it’s a customer who orders frequently then there’s good justification for holding on to it. You need to determine what’s reasonable depending upon your answers to the above four questions, your industry and your internal processes.
When you know what you need (and have permission) to keep, you should then delete all irrelevant records. It could be that you do still want to keep hold of some older customer data because it helps to analyse historic sales patterns – this is fine as long as you remove all references to the individual customers’ identities and just use the anonymous information itself.
You can collate multiple records to anonymise a data set, keeping you within the guidelines.
Do: Create the right privacy statements
The new regulations also see tighter rules around privacy statements. You’ll need to be clear on:
• Who you are
• What you’re asking for
• How you’ll use the data you collect
• Any other organisations you might share the data with
Because it’s a more complicated procedure than before, the suggestion is that you adopt a layered approach – start with a simple privacy statement but also make more detailed information clearly and easily available for anyone who wants it.
Don’t: Confuse the consent
All businesses will be required to consistently ask for and store “recent” consent for the data they store. This includes regaining consent every so often, perhaps every 18 months depending upon your industry, even for your active subscribers.
You could be asked to present this information at any given time, which you’ll have to do quickly and clearly.
A clear problem area will be people who have passively opted in in the past, maybe by not un-checking a pre-filled box. All of these people need to be actively “re-opted in” or “re-permissioned” if you want to carry on holding their data.
You can do this in advance of the regulations coming into place to get you one step ahead – use an email reengagement plan to explain the new regulations and ask your subscribers to consent to the use of their data.
You should also use this opportunity to ask for preference updates, allowing you to ensure you’re sending the most relevant emails. The older the data records are, the more vital it is that you can prove that you still have up-to-date permission to use them. So keeping on top of every piece of data you hold about your customers must become a real priority for your business.
It might seem like a complicated and time-consuming task to make sure that your business is in line with the new GDPR rules but by following them and being open and honest with your customers you’ll reap the rewards. Your customers will regard your business as being more trustworthy and you’ll know that you’re staying on the right side of the regulations.
There’s no time like the present for starting your preparations for when the GDPR comes into effect – we’re expecting the final text to be completed any time this month, and from then the two-year countdown will begin.
For more information around the next steps you should consider, and for a breakdown of the most important considerations, take a read of Communicator’s series of six EU Data Regulation Guides, all available here.
On the subject of data protection and trust, how can you build trust in today’s digital world?
Ashleigh Wood is information governance officer at email software firm Communicator