The General Data Protection Regulation (GDPR) replaces the current Data Protection Act 1998 from 25 May 2018 (in the UK and across the EU). If your business uses email marketing, sends direct mail or makes sales calls, the law will affect what you can and can’t do. It’s tempting to think “I’ll deal with it in May”. But there’s some easy things you should do right now, which mean you won’t run into trouble later.

Start by auditing what data you are currently collecting. Any data that you collect, which relates back to an individual, will be covered under the new regulations. It even extends to such things as your website recording the IP address of visitors (eg with Google Analytics). People have the right to know what personal information you’re storing about them. And they have the right to request that the information is deleted.

Did they opt-in? If you want to use someone’s personal data (eg their email address), they must give you ‘explicit consent’ to do so. This means no pre-ticked opt-in boxes by default. The individual must have always chosen to tick the box. You need to record when they gave you permission. And you need to log exactly what they were shown when they opted in.

What about existing customers? The good news, for now, is that a different legislation, PECR, applies to existing customers and prospects. Which allows for a ‘soft opt-in’. PECR says, if you get someone’s email address when they bought something, or negotiated to buy from you, then it’s ok to send marketing about the same kind of thing they were interested in. The bad news is, PECR is being replaced. But we are yet to see what legislation changes this will bring.

What do you need to do now?

  1. Ensure you get a positive opt in for email or direct mail marketing. Add a tick-box to website subscription forms and ensure they are not pre-ticked.
  2. Whilst speaking to clients and prospects, ask their permission to add them to your mailing list. Record their response and send them a double opt-in email with a link for them to confirm they want to join your mailing list.
  3. Ensure any emails you send includes an easy way for them to opt-out
  4. Do you make out-bound sales calls? Make sure you check the numbers against the Telephone Preference Service list. There is a free / low cost way to check numbers on the register here
  5. Check that your website has a privacy policy, which sets out the process for providing GDPR rights.
  6. Make sure your website is secure. Add an SSL certificate to your website which will display a padlock in the browser bar. This is essential if you collect any personal date (even contact forms) and will ensure you get an SEO benefit, as Google prioritise sites with SSL certificates in their search results.
  7. Be aware of your duty to notify the relevant supervisory authority of any data breach.

Want to know more? The following guides will help…

The long-awaited ‘Guide to the GDPR’ has now been issued by the ICO (Information Commissioner’s Office).

Also a helpful ‘EU GDPR guidance note’ has been issued by ICSA The Governance Institute. It can be accessed on the ICSA website – you need to sign up as a user of the site to download the guidance (sign up and download are both free).

Material relating to charities and fundraising and GDPR (from various 2017 conferences) can be accessed on links from the ICO website here. To find out more about this article please contact us.