If you are a Sales Executive, life is going to change after 25th May 2018, when GDPR comes into force. Failure to comply could result in fines of up to €20 million or 4% of global annual turnover, whichever is greater. The figure is indeed intended to scare you.
In a recent government survey, it was discovered that only 13% of the marketers in the UK understand that GDPR is a significant concern. 31% admitted they did not know whether their business had taken steps to ensure compliance. The scope of the GDPR is far-reaching: it extends beyond technology to people, processes, culture and law, and therefore to business knowledge and relationships, which has only created confusion in the industry.
Many people believe that Brexit is going to save them from GDPR. GDPR and Brexit are not happening at the same time. In fact, GDPR comes into effect before the UK officially leaves the European Union on 29th March 2019, and even after Brexit, an equivalent set of Data Protection Regulations will need to be in place to continue trading with the EU. If Britain intends to be seen by the EU as a safe place to keep personal data pertaining to EU citizens, British businesses will have no choice but to implement the core principles of GDPR. In fact, the British government is apparently considering something similar to GDPR for UK-based businesses who only deal with UK-based citizens.
If your website uses forms that ask visitors to fill in their information, for example requesting an email address before they can download informative material such as white papers, this is permissible as long as you have stated clearly and unambiguously exactly what the data will be used for.
Without specific consent for a defined purpose, you do not have permission to send them marketing emails. Even if they clearly and unambiguously agree to consent for one purpose, you can’t then use the same email address for a different purpose a year later.
So, the question is, “How am I supposed to find leads then?” Well, the answer lies in ensuring that you are capturing the right information from the word go. Don’t just collect data with a one-liner concerning future marketing correspondence; instead, consider segmenting your requests, with a clear opt-in option for each.
So far so good, but it is just as important that you are able to prove that consent was given. Imagine a scenario: you attended a seminar or a conference where you met potential customers, and you ended up collecting business cards that you want to follow up as leads. After GDPR comes into the picture, you cannot communicate with these leads unless you have express permission.
A case from 2016 highlights this Catch 22 situation. Honda Motor Europe Ltd sent 289,790 emails asking individuals, “would you like to hear from Honda?”. The emails were sent in good faith to addresses for which they had no opt-in/opt-out information. The ICO fined them £13,000.
Steve Eckersley, ICO Head of Enforcement, said at the time, “Honda Motor Europe Ltd sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without prior consent, it is still considered unlawful marketing.”
To ensure that you have a proper trail of consent, you cannot use paper, as you require details of when the consent happened. You would now need to consider digital options such as an iPad or a tablet on which your prospect opts in electronically. They can then be sent a consent confirmation email that they must respond to in order to acknowledge their agreement.
It is important to review the right of an individual to erase their information. The right builds on the ‘right to be forgotten’, which was recognised by the European Court of Justice in its 2014 ruling on Google Spain v. AEPD and Mario Costeja González.
The Court ruled that Google had to remove links to webpages that appeared when searching the claimant’s name.
You must give individuals the ability to request that their data be deleted. You must be able to respond to this request:
• When the individual withdraws consent
• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected
• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
• Where the personal data was unlawfully processed
The withdrawal of consent is going to be the most common occurrence, which means that, as a business, you must have tools and records to ensure that individuals are completely removed from your systems.
Focus on data housekeeping. Throughout the 200+ pages of GDPR legislation, the burden of proof lies with the company processing the data. You must be able to prove compliance to both the individuals in question and the ICO, if they carry out an enquiry. Maintaining good housekeeping from the beginning is essential to providing that evidence.
Although it appears complex, GDPR compliance can be achieved with simple steps, as it tackles all aspects of data within your business. It is intended to create change in the current behaviours of businesses processing and controlling personally identifiable information. GDPR wants you to focus and concentrate on the way you capture data. You simply cannot harvest as much personal data as possible and then broadcast to people without expecting that somebody would object to being contacted and make a complaint. You need to adopt an approach that embraces the GDPR framework; your customers and employees will then have a better experience, which will in turn fuel your business’s growth.