Although new GDPR laws were brought into effect in May 2018, we still find companies sending us emails asking us whether we’d like to opt-in to their mailing lists, or worse, completely missing the mark in terms of compliance.
A lot of businesses still seem threatened by GDPR and, on the one hand, they should be: taking people’s privacy and data seriously is long overdue. On the other hand, GDPR is actually quite simple, and businesses often overcomplicate the matter by sending countless emails about compliance and getting us to tick more opt-in boxes than is necessary. This ultimately causes frustration and perpetuates confusion around the matter, especially for consumers.
In this article, we’re going to break things down so that you can understand the three key fundamentals of GDPR. These three components are all interlinked, and will ensure that you’re compliant and transparent at every step.
From this guide you should understand:
- Opt-in forms
- Data collection
- Privacy policies
- Data security
- Storage limitations
- Right to be Forgotten/ Right to Erasure
Opt-in forms are probably the part of GDPR that businesses and consumers understand most clearly, and yet we still see them overused or used incorrectly in a lot of sign-up and GDPR compliance emails. In terms of compliance, you should only ask someone to opt in if you plan to send them communications about something other than the topic they’ve enquired about.
A customer sends an email to an appliances company about a toaster through the company’s website using an embedded enquiry form. The form will send the name, email address, subject line, and message to the company’s help desk and a customer service agent will reply to the customer by email.
There’s a tick box asking the customer if they are happy to receive a response from the customer service agent.
Does there need to be an opt-in tick box?
No, there doesn’t. Opt-in tick boxes are only needed if you plan to send the customer additional information, for example marketing information about other toasters or unrelated products. So long as communication between the customer and the customer service agent relates to the initial enquiry, no tick box is needed.
Pro Tip: If you want to maintain compliance without storing customers’ data on a secure server, offer customer service through email. After the customer has agreed that you have sufficiently answered their enquiry, you can delete the thread (the emails sent to and from the business) from your servers, knowing that the customer has a copy in their personal inbox. This way, you don’t have to worry about keeping any messages or personal data on record. Should there be another issue, the customer can always reopen the enquiry by replying to the email, or start a new enquiry and copy the previous thread in.
For every additional reason you’d want to store your customer’s data, you must include a clear, reasoned opt-in tick box:
- Promotions and offers
- Products and information
- Third-party communications
Data collection might seem really simple, but it can be difficult to understand what information is and isn’t necessary. As marketers, it can be easy to go overboard with collecting customer data, as that information can fuel vital business decisions by building a clear picture of what your customer base looks like. But you must resist. Don’t give in to the temptation of thinking you need all the data. You don’t, and consumers are smart: they know you don’t need to know everything about them. When it comes to data collection you need to think about one question: why do you need that data?
If you can’t justify why that data is relevant, then you don’t have any right to ask for it.
A customer wants to find out whether you’ll have any stock of the Toaster 2000 XL when it launches in your stores across the UK.
Is the location of the customer relevant? Yes.
Should you take their postcode? No.
In this instance, you could ask the customer to choose from a drop-down list of your stores to clarify which location they’re referring to. You don’t need to take their personal location data or postcode, as their home address is not relevant to the enquiry.
However, there will be times when you need to take personal information from customers. For example, you might need very precise data for research or quality assurance. In the case of questionnaires and surveys, sometimes (yes, sometimes) it’s okay to ask for personal information. Things like age, location, occupation, and salary are only appropriate if you’re going to build up a clear picture of what your audience looks like, and even then it has to be proportionate to that purpose.
Pro Tip: As a general rule, when it comes to surveys you can only collect data that you will use in the results. Being smart about what you collect will also save you hassle when it comes to storing the data.
This is probably the most technical aspect of GDPR. Once you’ve collected someone’s data you need to keep it secure. There’s no excuse for a lack of security: no matter what size your business is, you have a legal duty to keep personal data somewhere safe.
At a minimum every business needs:
- A private server/network
- Password-protected email
- A secure database or customer relationship management (CRM) software
Your database needs to be robust enough to allow you to track when a customer’s data was collected. This is really important because you should only hold on to someone’s personal details for as long as you need them.
A candidate sends their CV, name, and contact information to a recruiter in response to a job they have seen advertised online on a recruiter’s website. The recruiter sends an email back and offers a call to discuss the role. The candidate and recruiter talk on the phone but it’s established that the role isn’t right for them. The recruiter then offers to keep the candidate’s details and CV on record should another opportunity come up.
How long should the recruiter keep the candidate’s details on record?
Typically 18 months is a fair amount of time to keep someone’s details on record, after which a courtesy email with an unsubscribe or ‘right to be forgotten’ link should be sent. Even if you’ve had some contact during this time, you should always check in after 18 months as a courtesy.
Pro Tip: If you haven’t come across the term ‘Right to be Forgotten’ (sometimes known as Right to Erasure or ‘Freedom of Information’), read on. At any point, a customer can request all the data/information you have on them under the Freedom of Information Act, and they may also exercise their Right to be Forgotten, at which point you must delete all the information you have on that customer.