If you hold client data on your CRM system or email individuals as consumers or as officers of the company they work for, then your world is going to change next May. A new law comes into effect and you must comply with it or else face stiff penalties.
The bill covers everybody from gigantic multi-nationals to sole-traders and encompasses a wide range of data. However, this blog post is specifically aimed at the needs of SMEs.
Note that we cannot guarantee that the content written below absolutely applies to you. In order to guarantee compliance of the bill you should seek independent expert advice. This post is intended to enable you to understand the scope and possible effect of the bill on your business.
We have narrowed it down to 10 key questions. The answers have been provided by Andrew Stellakis a leading certified GDPR practitioner.
1 What is GDPR and when does it come into force?
GDPR (General Data Protection Regulation) comes into effect on May 25th 2018. At the same time, another related regulation the E-Privacy Regulation is also being attempted to be implemented.
GDPR will apply to any business or organisation dealing with the personal data of any EU citizen, irrespective of where that organisation is based e.g. whether they are based in the EU or outside.
Essentially if you hold data on any EU citizen this act covers you!
2 How will it affect our privacy notices?
A privacy notice is the statement you use to provide information about how:
- You process personal data.
- Where you process data and if there are any third-parties that you share data.
- Any automated decisions that are made in relation to that data, particularly if there is automated decision making taking place.
- The duration that you intend to store the data, explaining the need for the term.
- Detail who you are, where you are located and how they can get in contact with you.
- Informing them they have the right to object or limit the processing.
- Informing them they have the right to “be forgotten”.
- Anything else you think it “fair” for them to be aware of.
It is normally available on your website or may be issued when you engage with a new person.
It should state precisely what information you obtain and for what reason.
Interestingly, this also includes third party behavioural analytics systems such as Google Analytics or any other software you have “bought in” to monitor the behaviour of visitors to your web site.
3 Will it be swept away when Brexit happens?
Short answer is “no”.
Post-Brexit, if a company is dealing with EU citizen data, compliance is still required. That said, it is highly unlikely that the UK government would repeal GDPR after Brexit so it’s here to stay.
4 What happens if we break the rules?
First thing to say is “don’t panic”. For SMEs this is not going to be draconian.
Whilst there are scare stories of the fines available across the EU of up to €20M or 4% of global turnover, the truth is that most companies will never see fines anywhere near that large.
Infringements could attract an ICO fine (Information Commissioners Office – the guys who enforce the act) and the reputational damage of the company’s name appearing “in lights” on the ICO website as having infringed the law.
However, individuals who have been “hurt” by you can seek individual and direct compensation. These range from direct compensation to also including the right to a judicial review of their case.
It’s reasonably easy to avoid breaking the rules – so why would you?
5 Who does it affect?
Any business providing goods or services (whether charged or free) to any EU citizen – irrespective of where that business is geographically located.
So if anybody in the EU has their details on your mailing list or stored on your CRM system this act includes you!
6 How will GDPR affect how I use social media?
Let’s split this into two parts.
6.1 Your Mailing List
If you use an auto-mailer such as Mail Chimp or ConstantContact those companies will need to comply with the law as they are processing data on your behalf. So, you don’t need to worry about the mechanics of delivering your emails.
However, adding people to email lists and getting their permission to email them is your responsibility not theirs!
You also need to ensure the emailer you are using complies with the law. Shouldn’t be a problem if you use one of the market-leaders.
6.2 Posting on Social Media Platforms
Whilst the likes of LinkedIn and Twitter will need to comply with the act themselves, your posts on these platforms will not be affected by the act as people actively “subscribe” by choosing to follow or connect with you.
Communicating with people through these platforms, say through LinkedIn messages and InMails, will change. We’ve covered this in more detail below.
Uploading your email lists (contacts) will require explicit permission with the individuals as you are posting THEIR personal data, you cannot simply use their data just because you have it.
Whatever you do the painful truth is that your existing lists need to be compliant, or else you cannot use them legally after 25th May 2018.
7 How does it affect the client data I keep on my CRM system?
Companies use a CRM system to hold data on stakeholders such as clients and prospects. We then use this data in marketing, communications and relationship building activities.
We’re going to look at storage of data and its usage and we’ll also distinguish between holding data on consumers and businesses because the rules are different.
The GDPR requires you to store data in a secure manner on a ‘Privacy First’ basis and includes the geographical location of where the personal data is stored and/or processed. There are strict rules governing the countries that are permitted to store EU citizen data.
Any country being used that is not on the “safe” list requires further activities by YOU to ensure that appropriate controls and protections are in place. Currently, the “safe” countries outside of the EU are: –
Isle of Man
Now, supposing you use a US based cloud CRM system such as Salesforce.Com as your CRM system. Well, this is only permitted if the company you use complies with the Privacy Shield – which is an agreement between the EU and the US on how to secure EU citizen data.
You need to contact your CRM provider to ensure they have this Privacy Shield in place.
7.2 Usage B2C – Consumers, sole traders and “one man bands”
The rules around B2C are clear: you must obtain unambiguous permission from them to process their data. So, for example, you cannot harvest email addresses and start sending emails to people that they did not ask to receive without their permission.
This would contravene both GDPR and the E-Privacy laws. The safest solution for B2C is to operate a Double Opt-in process. This is a mechanism to provide an individual with the information allowing them to consent to being communicated with and having been told what that unsolicited communication may be. It also ensures that the person requesting an opt-in, is genuinely that person.
In practical terms, this means they indicate online that they want to receive emails from you and then you send them a confirmation email for them to confirm that’s what they want.
The caveat is that you can email an individual with marketing messages and promoting related services, so long as you have done business with them in the past and it is closely related to what you are marketing them now AND that they have not asked to be excluded from future emails.
However, you must not send ‘mixed signals’, so you cannot send an e-mail pretending to be ‘helpful’ e.g. an “Are you details Correct” email and also add in marketing messages.
Your company will need to apply some internal discipline to ensure that marketing departments and sales departments don’t attempt to tenuously link a sale of one thing with a marketing email relating to something entirely unrelated. Get this wrong and you will land you in some very hot water.
7.3 Usage B2B – organisations with more than one employee; Ltd, LLP, PLC or government
(This is based on the current DRAFT E-Privacy Regulation)
In B2B the assumption is you’re emailing the ‘Role’ in the company and not the individual. Having said that you’ll obviously be using an individual’s email address.
The spirit of the communication is in relation to what their ‘Role’ would find of interest, not them as an individual. It would be perfectly acceptable to cold-email the finance director of a company with an invitation to a seminar aimed at finance directors; unless they have expressly indicated they do not want to receive emails from you or your company.
Whilst the need for an explicit opt-in in this scenario is not required, consideration needs to be given to the content that is going to be sent to that person in that Role. Clear options must also be provided to allow them to opt-out of communications with you.
Furthermore, you must also ensure that the lists you are using are from reputable sources that have at least ensured that any opt-outs have been removed. The safest way is not to use purchased lists at all!
You should not view this as “open season” to send them what you like. It must be relevant to the role they are fulfilling and cannot be ‘personal’ e.g. offering them a holiday.
The safest mechanism to engage with people is through them giving you explicit permission, irrespective of whether they are B2B or B2C.
8 Will it affect normal business emails we send?
Provided a person has not explicitly told you to avoid contacting them by email normal business as usual (BAU) related emails with people you have a business relationship with will not be affected by GDPR. For example, confirming orders, setting up meetings, dealing with problems, answering questions, arranging conferences and so on are all acceptable.
The safe approach to take is whenever you add a new person to your CRM system you ask them what email communications they want to receive from you. Give them a menu to choose from: value-added content such as blogs; promotional/sales emails; notification of free seminars; BAU emails (if they become clients).
The best approach is to provide them with the option to “double-opt in” to be sure.
The onus is on YOU to demonstrate that you have taken reasonable steps to get consent. You cannot take it upon yourself to add people to your marketing lists.
You must also be very careful using Hello@…. and Info@….. type addresses unless you are certain they do not go to a specific person, especially in one-man-band companies. If these types of address are likely to go to a specific person then you are pseudo emailing an individual NOT a generic address.
Let’s look a typical scenario an SME might face. You go to a business event and meet someone and you exchange business cards.
Questions: “What would that person reasonably expect you to do with their personal information?” and “What mailing list do you believe would be appropriate to automatically add them to, given they may never have expressed such interest”
Answer: Send them an email telling them what a pleasure it was to meet them. Tell them you will be adding them to your CRM system and explaining how often you personally may contact them in the future and for what reason. Ask them for explicit permission to add them to a mailing list, ideally giving them the option, via an online page, to confirm that they do indeed wish to be added to that mailing list. Ensure that there is no financial or other ‘penalty’ for them not accepting this. Always ensure that all communications, particularly automated emails, give the recipient the option to opt-out.
9 Can I make a double opt-in a condition of receiving something from me?
For “Consent” to be given, the law requires that it
“…must be a freely given, specific, informed and unambiguous indication of the individual’s wishes”
It cannot be freely given if there is a tangible penalty for not giving it. So, expecting someone to give you their personal details in order to receive something in return is relative to that “returned thing”.
Anyone wanting to get “news and events” information via newsletter – clearly needs to give you their email address or they will not receive the newsletter. There is no need to tell them that NOT giving you their email address means they cannot get the newsletter. Although, it may be worth clearly pointing out to be on the safe side.
Mixing a financial benefit/penalty with “consent” is dangerous. If there is a financial transaction involved then GDPR does not require consent, so long as the processing is done in relation to that financial transaction. For example, you do not need consent to send a customer an order confirmation, despatch confirmation or invoice via email if they are ordering something from you.
I am trying to ensure that people don’t act on this information to “buy consent”. The other thing being that “Double Opt-In” cannot be used in any way to ‘market’ – it is simply a means to re-confirm a previous request.
10 What about sending Inmails and messages to our LinkedIn contacts?
If you are already connected with them, the inference is that they are happy to be contacted by you and of course they can un-link you or ask you to stop messaging them.
However, if you send an unsolicited Inmail via LinkedIn to an individual, you will technically be breaking the law given that they have not asked for it.
Given that LinkedIn provides the option for individuals to manage their own privacy settings, it is unlikely that there will be swathes of people making complaints. This will probably also cover sending messages to people you are connected to, given they also have the option to ‘disconnect’ from you.
Anyone already part of a LinkedIn Group is arguably ‘inviting themselves to be contacted’ – so long as the person emailing the group, again, ensures the email is appropriate to that group.
The basic rule of thumb is “What would be reasonable for that individual (or group) to be receiving from you”.
As things stand now you would still be free to invite people to connect with you who you do not know. That’s “fair game” and is the essence of the platform they have joined.
Essentially the GDPR act looks anti-business but in reality, it isn’t. If you provide a quality service and a range of value-added material that people genuinely find useful then you have nothing to fear.
The easiest way to stay the right side of GDPR is to do three things: –
- Ask for permission to add people to your CRM and tell people what details you’re going to add to your CRM system.
- Explain that they have the right to decide what electronic communications they can receive from you and send them to an online page where they can decide what they want.
- Whatever they decide to do get them to double opt-in.
Whilst statistically double-opt-in reduces subscribers, it also increases the open-rate and click-through rates as the people now on your list really want to be there.
I suppose the final question must be “what can we do right now to prepare?”
Well, the answer to this question is quite a lot. But, to answer this, and any other questions you might have properly we’re going to run a free webinar with Andrew as our guest presenter.
Watch out for more details on this webinar very soon.
One last thing, whilst GDPR is a bind for all of us it also opens up enormous opportunities to differentiate and steal a lead over your competitors, I’ll be talking about this in the webinar too. Every cloud……..