GDPR - a year on
Just like the Y2K millennium bug, the world didn’t end a year ago on 25th May 2018 when GDPR became law. While there have been no big fines, there have been GDPR application mistakes, many minor data breaches, and still some people are unsure what it all means.
The most shocking thing to me (self-appointed GDPR Queen) is how bad some of the big companies are at doing GDPR. They are still asking customers to 'enter their email for 10% off’ while also adding them to their mailing list without stating this at the time of data collection. And if I had a £1 for every time I have seen a pre-ticked box, I would be writing this blog in Ibiza!
Since the 25th of May, there hasn’t been much talk about GDPR. It was everywhere for months before suddenly vanishing. People moved on once the money to be made from scaremongering by solicitors was over. However, I am still here to answer any queries you have. It is still a legal requirement and fines can still be issued so please if it is on your list to tackle, use this blog as a prompt to get going on GDPR. Ensure that you have a plan of action and that everyone in your organisation is aware of what it is and how it works.
Ask yourselves: do you have
- A GDPR privacy policy (an explanation to your customers/audiences about how you use their data, usually hosted on your website)
- An internal GDPR policy so all staff members know how to process, store, and delete personal data?
- A retention period - how long each piece of personal data can be kept and who needs to delete it. When you receive personal data from someone, you must inform them of the retention period.
- A system to collect consent for photos and videos of your audience members. This is retrospective too, so you'll have to collect consent if you want to use images taken pre-GDPR.
If you don’t have any or all of these, don’t panic but please get it in place. It isn’t hard, I have templates for all of them and can explain it all to you.
I am often asked what my top tips are (well I was asked once or twice but go with it...):
Consent isn’t the Only Way
GDPR allows 6 legal bases, all of equal standing. You can process data if you have 1) a legal requirement, 2) public interest, 3) legitimate interest (for phone and direct mail marketing), 4) vital interest, 5) consent, or 6) contractual requirements.
Consent doesn’t always Mean Consent
Remember that you can use legitimate interest. If you believe a customer has a legitimate interest in your product you can market to them via phone or direct mail, as long as you always give them an option to opt out and stop messaging them if they ask you to. Email and text marketing are governed by PECR (the Privacy and Electronic Communications Regulations), which offers a soft opt-in under consent. This means that if the customer has bought, or negotiated to buy, a similar product or service you can market to them, as long as you always give them the option to opt out and do so as soon as they ask you to stop. The service you're marketing must be similar to those they bought previously. So, if they bought a theatre ticket you can send them info on other theatre shows but can’t ask them to join a loyalty programme.
Brexit means Brexit (but not for GDPR)
It has been agreed that GDPR will be kept if/when we leave the EU. So sorry, Brexit is not a reason not to get compliant.
Don’t be a sheep
As I have said, the big companies are not always doing GDPR right so don’t just copy them (unless they are the ICO). Always make sure you are doing it based on the law, not Simon says.
GDPR is forever, the data is not
You can’t keep personal data indefinitely: you must tell the person, when you collect the data, how long you are keeping it for, and ensure it is deleted when you said it would be. You can’t keep it just in case it may be of use in the future!
GDPR Support and Advice
If you have read anything in this blog and thought 'what is she on about?', please get in contact with me for free on 07923 964060 or drop me an email.
Alternatively, if you'd like to be guided through creating your own GDPR policies and action plan, I offer bespoke half-day sessions for £250+VAT. The workshop will demystify GDPR and leave you with a personalised action plan for compliance. Again, just drop me an email or call 07923 964060 if you'd like some support.