Five action points in preparation for GDPR

You would have had to be living under a rock to have not heard about GDPR by now. It is, however, still something that a lot of sales and marketing people still need to get their heads around. We produced a white paper a few months ago, and have now written a few quick action points below to help you out.

The GDPR stands for the General Data Protection Regulation, an EU law that sets the rules for anyone handling personal data about EU residents. It comes into force on the 25th May this year. The overriding point is to be as open and transparent as possible. Ensure your customers are well informed about what you are doing with their data and why you are doing it. Your customers have the right to have access to their data, so ensure you are able to offer this. Action Point #1: Make a list of data that you will actually need to deliver the service to your customer. Do you need their date of birth? No? Then don't ask for it. Make sure you only collect data you need and make sure you have lawful grounds to process this. The GDPR regulation asks that consent to hand over data must be "freely given, informed and unambiguous". This needs to come from affirmative action - pre-ticked boxes are not allowed. And if you want to use an individual’s personal data for more than one purpose, you must make this clear, and get consent each time. If consent is given, you must then make a record of when consent was given, and always make it easy for the person to unsubscribe or opt out at any time. You need to record the consent and be prepared to remove the data if the person changes their mind. Action Point #2: Check your security measures. Customer data needs to be kept safe at all times and deleted when you have finished with it. To protect customer's data being stolen, the GDPR requires you to make sure you have appropriate security for any personal data you process. This means strong passwords, access controls, and industry standard technical security measures are a must. You also need to set up a reminder system so that you get alerted when data needs to be deleted after a period of time. And then delete it. Action #3: Ensure you are asking users to opt in on your website and show them clearly how to opt out. Remarketing allows you to display adverts to people who have visited your website. It does this by placing a cookie into the visitor’s browser. Most companies now have a cookie policy on their websites but from now on this falls under the GDPR regulation.  The visitor has the option on arrival to the site to give consent or not. The same is true for Facebook remarketing. Action #4: Determine whether you need to ‘re-permission’ your email marketing lists. This means sending an email to them all giving them the option to confirm they want to remain opted in. If a contact opts in (by ticking a box), only then will you be able to send them email marketing. Note that it is not necessary for the data subject to give his or her consent again if the manner in which consent was initially given is in line with the conditions of GDPR Regulations.  Since most businesses didn’t obtain “unambiguous” and demonstrable (i.e. auditable) consent with their initial opt in's, it's likely that the majority of consents they obtained pre-GDPR will no longer be valid under GDPR and therefore they will need to go out and get new GDPR-standard consents. You should be specific and state what will happen with their personal data, and for purposes of accountability, you must make a record of when the customer opted in. Again, you must always make it easy for contacts to unsubscribe or opt out. It would be a good idea to do that in the next few weeks, there's no need to wait for the deadline. Most marketers see this as an opportunity to clean their lists of people who are not engaged with their business and to streamline their email marketing. Action #5: Set up a process for managing consent of cold phone calls. The GDPR does not prohibit you from making calls to potential customers but you should note down when you made the call and how long the call lasted. Set up a system where you can keep track of whether a prospect was open to being contacted again, and ensure anyone who has said they do not wish to be contacted by phone does not get contacted by phone. GDPR spells the end of the purchased email list, which can only be a good thing. If you can't make it clear why a particular person might want to hear from you, you will fail in the eyes of GDPR. Your business interests are always weighed against the data subject’s right to privacy. On the positive side, any opt-in lists that you maintain will likely contain higher quality leads, leading to smaller but more impactful databases. You are allowed to reach out to people whose email address you obtained in the course of a sale unless they have opted out (a fact you’ll need to record). However, even in this circumstance, you’ll need to prove the email you send is about products or features related to the initial sale. A tracked email gives sales and marketing people important information to help with the decision on how to proceed with any given lead. It is also done without the explicit consent or knowledge of the person receiving the email. GDPR has flagged this up as a particular concern. It is unclear currently how this particular piece of the legislation will be policed but it is wise to plan for gathering consent for email tracking by the 25th May.

In conclusion

There's a lot of uncertainty about what will happen after the 25th May this year, but one thing we can be sure of is attempting to clear up some of the murkier waters in sales and marketing, and that is a good thing. Be prepared and start with these steps, and good luck.