Although GDPR came into force in May 2018, we still find companies sending emails asking whether we’d like to opt in to their mailing lists, or worse, missing the mark on compliance entirely.

A lot of businesses still seem threatened by GDPR and, on the one hand, they should be: taking people’s privacy and data seriously is long overdue. On the other hand, GDPR is actually quite simple, and businesses often overcomplicate it by sending countless emails about compliance and asking us to tick more opt-in boxes than necessary. This ultimately causes frustration and perpetuates confusion, especially for consumers.

In this article we break GDPR down into three key areas: opt-in, data collection, and data storage. They are interlinked, and getting each one right keeps you compliant and transparent at every step.

From this guide you should understand:

  1. Opt-in forms
  2. Data collection
  3. Privacy policies
  4. Data security
  5. Storage limitations
  6. Right to be Forgotten / Right to Erasure

Opt-in

This is probably the part that businesses and consumers understand most clearly, and yet we still see it overused or used incorrectly in a lot of sign-up and GDPR compliance emails. In terms of compliance, you only need to ask someone to opt in if you plan to send them communications about something other than the topic they’ve enquired about.

For example:

A customer sends an email to an appliances company about a toaster through the company’s website using an embedded enquiry form. The form will send the name, email address, subject line, and message to the company’s help desk and a customer service agent will reply to the customer by email.

There’s a tick box asking the customer if they are happy to receive a response from the customer service agent.

Does there need to be an opt-in tick box?

No – there doesn’t. Opt-in tick boxes are only needed if you plan to send the customer additional information, for example, marketing information about other toasters, or unrelated products. So long as communication between the customer and customer service agent relates to the initial enquiry, no tick box is needed.

What is needed is a Privacy Policy, which you should leave in plain sight – even if that’s just a link to your Privacy Policy page. Something along the lines of: ‘By sending this form you allow us to contact you for the purpose of replying to your enquiry. If you’d like to know more about how your data is stored please read our privacy policy.’ You will be expected to keep some data on record – otherwise, how will you track your conversations with customers?

Pro-tip: If you want to maintain compliance without storing customers’ data in a database, offer customer service through email. Once the customer agrees that their enquiry has been answered, you can delete the thread (the emails sent to and from the business) from your mail server, knowing that the customer has a copy in their own inbox. That way you don’t keep messages or personal data on record. Should another issue come up, the customer can reopen the enquiry by replying to the email, or start a new enquiry and copy the previous thread in. Bear in mind that deleting a thread from a mailbox does not remove copies held in mail server backups or archives; either delete those on the same schedule or state their retention period in your Privacy Policy.

So we’ve discussed how you go about communicating with customers whose details you don’t want to keep, but what if you want to keep that customer’s data: their name, emails, perhaps even their product preferences? This is where you need an opt-in tick box, and to update your privacy policy accordingly.

Should you want to send marketing materials to that customer, even if it’s related to the toaster they first enquired about, you MUST include an unchecked opt-in tick box with a statement along the lines of: ‘By ticking this box you agree to allow us to send you offers and updates about our products. If you’d like to know more about how your data will be used and stored please read our Privacy Policy.’

For every additional reason you’d want to store your customer’s data, you must include a separate, clearly worded opt-in tick box:

  • Promotions and offers
  • Products and information
  • Newsletters
  • Third-party communications

GDPR is supposed to increase transparency around how data is used and stored. Follow the rules but don’t overcomplicate things. If you want to keep someone’s data on record you need to specify why and how it will be maintained in your Privacy Policy as well as having a clear opt-in. You need to do this for every additional reason. What you don’t need to do is get permission for contacting a customer in response to an inbound enquiry, so long as that conversation doesn’t deviate from the enquiry.

Data Collection

Data collection might seem really simple, but it can be difficult to work out what information is and isn’t necessary. As marketers, it’s easy to go overboard with collecting customer data, because that information can fuel vital business decisions by building a clear picture of your customer base. But you must resist. Don’t give in to the temptation of thinking you need all the data. You don’t, and consumers are smart: they know you don’t need to know everything about them. When it comes to data collection you need to ask one question: why do you need that data?

If you can’t justify why that data is relevant, then you don’t have any right to ask for it.

For example:

A customer wants to find out whether you’ll have any stock of the Toaster 2000 XL when it launches in your stores across the UK.

Is the location of the customer relevant? Yes.

Should you take their postcode? No.

In this instance, you could ask the customer to choose from a drop-down list of your stores to clarify which location they’re referring to. You don’t need their personal location data or postcode, as their home address is not relevant to the enquiry.

However, there will be times when you need to take personal information from customers. For example, you might need very precise data for research or quality assurance. In the case of questionnaires and surveys it is sometimes (and only sometimes) okay to ask for personal information. Things like age, location, occupation, and salary are only appropriate if you are genuinely using them to build a clear picture of what your audience looks like, and you must be able to justify each one.

Pro Tip: As a general rule, when it comes to surveys you should only collect data that you will actually use in the results. Being selective about what you collect also saves you hassle when it comes to storing and later deleting the data.

Whatever data you do collect, and whatever happens to the data once it’s given to you, must be included and justified in the Privacy Policy. This is your holy grail, and a legal requirement. Although you might want to have a legal team write this, it’s not necessary. What is necessary is that you take the time to state exactly what you’re collecting, why you’re collecting it, how it’s going to be stored, and how you’ll use it internally and for future communications.

Data Storage

This is probably the most technical aspect of GDPR. Once you’ve collected someone’s data you need to keep it secure. There’s no excuse for a lack of security – no matter what size your business is, you have a legal duty to keep personal data somewhere safe.

At a minimum every business needs:

  • A private server or network that only your staff can reach
  • Password-protected email accounts (with multi-factor authentication where your provider supports it)
  • A secure database or customer relationship management (CRM) system, with access limited to the staff who need it

Your database needs to be robust enough to let you track when a customer’s data was collected and which opt-in boxes they ticked. This is really important because you should only hold on to someone’s personal details for as long as you need them, and you need to be able to show what they consented to.

For example:

A candidate sends their CV, name, and contact information to a recruiter in response to a job they have seen advertised online on a recruiter’s website. The recruiter sends an email back and offers a call to discuss the role. The candidate and recruiter talk on the phone but it’s established that the role isn’t right for them. The recruiter then offers to keep the candidate’s details and CV on record should another opportunity come up.

How long should the recruiter keep the candidate’s details on record?

The regulation does not set a fixed period; it only says data may be kept no longer than necessary. In practice, 18 months is a fair and defensible amount of time to keep someone’s details on record, after which a courtesy email with an unsubscribe or ‘right to be forgotten’ link should be sent. Even if you’ve had some contact during this time, you should always check again after 18 months as a courtesy.

Pro Tip: If you haven’t come across the term ‘Right to be Forgotten’, also known as the Right to Erasure, read on. At any point a customer can request a copy of all the personal data you hold on them (a subject access request; this is often confused with the Freedom of Information Act, which applies to public bodies and not to personal data held by businesses), and they may also exercise their Right to Erasure, at which point you must delete all the information you hold on that customer unless you have another legal obligation to keep it, such as accounting records.
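The rules in the Opt-in section (one unticked box per purpose, no consent needed to reply to an enquiry) and in this section (record the collection date, review after 18 months, delete on request) are simple enough to enforce mechanically. The following is an added example, not code from the article: a minimal in-memory contact store that applies those rules. The field names, the purpose names, the form layout and the 548-day (roughly 18-month) window are assumptions made for illustration, and the sample form is constructed.

```python
"""Added example, not the article's code: an in-memory contact store that
applies the article's opt-in, minimisation, retention and erasure rules.
Field names, purpose names and the 18-month window are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# One separate, unticked box per purpose (promotions, products, newsletters, third parties).
PURPOSES = ("promotions", "product_info", "newsletter", "third_party")
# Only the fields the enquiry needs are stored; anything else (e.g. a postcode) is dropped.
STORED_FIELDS = ("name", "email", "message")
RETENTION = timedelta(days=548)  # about 18 months, the review interval used in the article


@dataclass
class Consent:
    purpose: str
    given_at: datetime
    wording: str  # the exact statement shown beside the box, so consent can be demonstrated later


@dataclass
class Contact:
    data: dict                 # only STORED_FIELDS
    collected_at: datetime     # lets the store apply the storage limitation
    consents: list = field(default_factory=list)


class ContactStore:
    def __init__(self) -> None:
        self._contacts: dict[str, Contact] = {}

    def add_from_form(self, form: dict, wording: dict, now: datetime) -> Contact:
        """Store a submitted enquiry form. A purpose counts as consented only when its
        box was explicitly ticked ("on"); a missing key is an unticked box."""
        key = form["email"].strip().lower()
        contact = Contact(data={f: form[f] for f in STORED_FIELDS if f in form}, collected_at=now)
        for purpose in PURPOSES:
            if form.get(f"optin_{purpose}") == "on":
                contact.consents.append(Consent(purpose, now, wording[purpose]))
        self._contacts[key] = contact
        return contact

    def may_send(self, email: str, purpose: str) -> bool:
        """Replying to the enquiry itself needs no consent; anything else needs a ticked box."""
        contact = self._contacts.get(email.strip().lower())
        if contact is None:
            return False
        if purpose == "enquiry_reply":
            return True
        return any(c.purpose == purpose for c in contact.consents)

    def due_for_review(self, now: datetime) -> list[str]:
        """Emails whose data has been held for RETENTION or longer since collection."""
        return sorted(e for e, c in self._contacts.items() if now - c.collected_at >= RETENTION)

    def export(self, email: str) -> dict | None:
        """Everything held about one person, for a subject access request."""
        contact = self._contacts.get(email.strip().lower())
        if contact is None:
            return None
        return {
            "data": dict(contact.data),
            "collected_at": contact.collected_at.isoformat(),
            "consents": [(c.purpose, c.given_at.isoformat(), c.wording) for c in contact.consents],
        }

    def erase(self, email: str) -> bool:
        """Right to erasure: remove the record entirely. Returns whether anything was removed."""
        return self._contacts.pop(email.strip().lower(), None) is not None


# Constructed sample input: a toaster enquiry with one box ticked and a postcode the
# enquiry does not need (it is discarded on storage).
WORDING = {p: f"By ticking this box you agree to receive {p.replace('_', ' ')} from us." for p in PURPOSES}
SAMPLE_FORM = {
    "name": "A. Customer",
    "email": "Customer@Example.com",
    "postcode": "AB1 2CD",
    "message": "Will you stock the Toaster 2000 XL?",
    "optin_newsletter": "on",
}
T0 = datetime(2018, 6, 1, tzinfo=timezone.utc)


def demo() -> dict:
    """Run the sample form through the store and report what each rule decided."""
    store = ContactStore()
    store.add_from_form(SAMPLE_FORM, WORDING, T0)
    return {
        "stored_fields": sorted(store.export("customer@example.com")["data"]),
        "reply_ok": store.may_send("customer@example.com", "enquiry_reply"),
        "newsletter_ok": store.may_send("customer@example.com", "newsletter"),
        "promotions_ok": store.may_send("customer@example.com", "promotions"),
        "due_at_12_months": store.due_for_review(T0 + timedelta(days=365)),
        "due_at_18_months": store.due_for_review(T0 + timedelta(days=548)),
        "erased": store.erase("customer@example.com"),
        "still_held": store.export("customer@example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The store deliberately has no way to mark a purpose as consented other than an explicit "on" from the form, which is what makes a pre-ticked box impossible to represent; the wording is stored alongside the timestamp because you may later have to show exactly what the customer agreed to.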

Conclusion

Once you understand the core concepts that make up GDPR, you should be comfortable with how you collect, store, and use your customers’ data. The first step is to fully understand what data you need and what processes and tools should be in place to ensure that data is stored securely. Budgets, volume of data, and company size will all factor into how you shape your Privacy Policy in relation to GDPR. You should be open to making changes to your business’s hardware and software, as well as your processes, in order to ensure compliance at every level.