2018… The year that could break businesses and marketers. Yup, I’m talking about GDPR. But, I’m here to tell you that it’s not all doom and gloom.
As long as you know what you’re getting into and be prepared, all will be fine!
For those that don’t already know, the General Data Protection Regulation (GDPR) is an enforceable law coming directly from the European Parliament that comes into force on the 25th May 2018. It’s put in place to improve everyone’s experience on the internet and to protect a user’s privacy.
In a nutshell, GDPR will forever change how you can generate, share, and store a user’s data. You need to be prepared and make sure you comply with this set of rules before the 25th of May. What happens if you don’t? Well, on your head be it! You can be fined up to 20 million Euros or 4% of your annual turnover (whichever is higher).
This new set of rules replaces the existing Data Protection Act of 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR).
Although this is leaving some of the industry in fear & panic, a lot of marketers welcome the overdue change.
I asked Clive Smith, Business Development Coordinator from Monetise, what fears he has, and he commented:
“I have no fears. This will do the industry good long term. Less data to send out to but better quality and more accountability.”
If you are processing personal information from your users, readers or customers, then yes, this applies to you. Personal information includes names, email addresses, dates of birth, where they live and IP addresses.
If you are doing any of these things, you need to register with the Information Commissioner’s Office (ICO). This will cost £35 per year and, by law, makes your own personal information visible to the public.
There has been a lot of controversy around this, as GDPR is being brought in to protect people’s privacy. But if you run a small business from home, or, like me, you’re a blogger, anyone in the world will have access to your address. Slightly off-putting, right?!
There’s a hell of a lot GDPR covers, but I’m going to go over some of the critical points.
You can still obtain a user’s information to send emails, but you MUST be clear about why you are taking this data. You also need the user to actively agree to it.
Why do you need their email? Selling it? Sending newsletters? Sending third-party promotions? Tell them EXACTLY what they are signing up or opting in to. Plus, you’ll have to make it easy to opt out at any time.
The same applies to any form of communication: phone numbers, Facebook Messenger, WhatsApp messages, etc.
If the purpose isn’t clear, and the data isn’t genuinely useful to you, you can’t collect it. You need to have a good reason to take someone’s personal information.
We have all been there. You sign up to a website for one reason or another. Before you know it, you’re famous for all the wrong reasons with more calls, texts and emails than you’ve ever had.
This is now a big no-no!
Again, if you’re selling data on to third-party companies, you must make it clear and obvious what you are doing. That is going to hurt conversion rates, but it’s better than a 20 million Euro fine, right?
I know I keep banging on about it being clear, but that’s precisely what you have to be with everything you do. It’s all about being transparent.
For WordPress users, it’s important to remember that you are the one responsible for anything on your site that doesn’t comply. It’s worth double-checking that all the plugins you use, sign-up boxes and email capture forms are up to date with GDPR.
A popular method of attracting new sign-ups or subscribers is to give away a freebie, run a competition or offer some other incentive. I’ve read a lot on this subject, and some have said you can’t offer this anymore. However, I’ve also heard a GDPR lawyer say it’s okay to do as long as the incentive isn’t substantial.
Much like a lot of GDPR, this is going to be a bit of a grey area. I wouldn’t risk anything unless you are 100% sure or it’s been ICO approved.
If you sell anyone’s data to a client, and they are not GDPR compliant, it can also land you in hot water and a lot of trouble.
It’s worth reaching out and contacting everyone you work with to ensure they are compliant.
Pre-ticked boxes just aren’t good enough anymore. The days of the pre-checked ‘I agree to the terms and conditions’ tick box are over.
All data must be encrypted, secured and processed safely. Every company is responsible for ensuring staff have no access to personal data unless it is necessary for their job.
Data can’t be kept for any longer than needed either. It is required for any data subjects to be archived after 180 days.
It’s your responsibility to demonstrate how you obtained and process any data. Therefore you will need to keep a record of it all.
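To make the last four points concrete, here is an added example (not code from the original post) of a small consent ledger: each marketing purpose is a separate, unticked-by-default opt-in, every record stores where and when consent was obtained, withdrawal is honoured, and records older than the retention period are purged. The purpose names, the `signup-form` source label, the sample email addresses and the 180-day default are constructed assumptions, not values from any real system.

```python
"""Consent ledger illustrating explicit, purpose-specific opt-in with retention.

Added example; purposes, source labels and sample addresses are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set

# Each purpose is named separately so the subscriber is told exactly what
# they are opting in to. Constructed list for the example.
PURPOSES = {"newsletter", "product_updates", "third_party_promotions"}


@dataclass
class ConsentRecord:
    email: str
    purposes: Set[str]          # only the boxes the subscriber actively ticked
    source: str                 # where consent was collected (form id or URL)
    obtained_at: datetime       # when it was collected (UTC)
    withdrawn: Set[str] = field(default_factory=set)


def ticked_purposes_from_form(form_fields: Dict[str, str]) -> Set[str]:
    """Map a submitted form to ticked purposes.

    Browsers only submit a checkbox when it is ticked, so an absent field means
    'not consented'. Nothing is assumed on the subscriber's behalf.
    """
    return {p for p in PURPOSES if form_fields.get(f"consent_{p}") == "on"}


class ConsentLedger:
    def __init__(self, retention_days: int = 180):
        self.retention = timedelta(days=retention_days)
        self.records: Dict[str, ConsentRecord] = {}

    def record_optin(self, email: str, ticked: Iterable[str], source: str,
                     now: datetime) -> Optional[ConsentRecord]:
        ticked = set(ticked)
        unknown = ticked - PURPOSES
        if unknown:
            raise ValueError(f"unknown purpose(s): {sorted(unknown)}")
        # No pre-ticked default: if nothing was ticked, nothing is recorded.
        if not ticked:
            return None
        rec = ConsentRecord(email, ticked, source, now)
        self.records[email] = rec
        return rec

    def withdraw(self, email: str, purpose: str) -> bool:
        """Honour an opt-out for one purpose; returns False if no record exists."""
        rec = self.records.get(email)
        if rec is None:
            return False
        rec.withdrawn.add(purpose)
        return True

    def may_contact(self, email: str, purpose: str, now: datetime) -> bool:
        """True only if consent for this purpose exists, is unwithdrawn and unexpired."""
        rec = self.records.get(email)
        if rec is None or purpose in rec.withdrawn:
            return False
        if now - rec.obtained_at > self.retention:
            return False
        return purpose in rec.purposes

    def purge_expired(self, now: datetime) -> List[str]:
        """Delete records past the retention period; returns the purged emails."""
        expired = [e for e, r in self.records.items()
                   if now - r.obtained_at > self.retention]
        for e in expired:
            del self.records[e]
        return sorted(expired)


if __name__ == "__main__":
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # Constructed form submission: only the newsletter box was ticked.
    ticked = ticked_purposes_from_form({"email": "a@example.com",
                                        "consent_newsletter": "on"})
    ledger.record_optin("a@example.com", ticked, "signup-form", t0)
    print(ledger.may_contact("a@example.com", "newsletter", t0))               # True
    print(ledger.may_contact("a@example.com", "third_party_promotions", t0))   # False
    print(ledger.purge_expired(t0 + timedelta(days=181)))                      # ['a@example.com']
```

The record itself is the evidence you would show the ICO: who consented, to what, via which form, and when. Because the retention check and the purge use the same `obtained_at` timestamp, a record cannot be used for mailing after it should have been archived.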
One common mistake I’ve heard a lot is “The UK will no longer be in the EU due to Brexit, so GDPR doesn’t matter.” WRONG, WRONG, WRONG! It does matter, Brexit or not: these are the new laws for anyone taking personal information in Europe.
Even large corporations and law firms don’t yet know how GDPR is going to affect digital marketing.
Will the ICO be as hard and strict as we all predict?
How ‘clear’ do you have to be when obtaining data?
Is the data ‘useful’ enough for you to be able to take it?
There are still a few grey areas. One thing is for sure, if the ICO comes knocking on your door, make sure you’re ready.
Remember, this all applies if you operate in the EU and comes into force on the 25th of May.
For full information on GDPR, visit the EU website.
So… Are you GDPR ready? Comment below!
Disclaimer: this is not legal advice. If you are unsure about your next moves for GDPR, you can contact the ICO; they can help to ensure you are compliant, or you can seek legal advice.