With the new GDPR regulations coming into force we understand there is lots of confusion with our customers with regards to what your responsibilities are as a business with handling the personal data of your customers and suppliers..
What does GDPR actually mean?
In a nutshell, the GDPR regulations are designed to standardise, improve, supersede and add more rules into an individual countries’ (within the EU) existing data protection rules. Within the UK this is known as the Data Protection Act, and itself is over 20 years old. This means in many cases, individual countries were handling personal data differently, and in some cases, the rules within that country were not fit to match the digital age in which we live.
Why does GDR exist?
There are some outdated marketing policies out there, which do not take into account the growth of the internet in recent years. The GDPR have been introduced as a measure to further protect the data of individuals residing in the European Union, and to reduce the amount of spam marketing activity that happens.
What are the overall themes I need to be aware of?
Essentially GDPR governs how you are able to contact your customers (and in some cases, dependent upon your business, – your suppliers). The rules within GDPR are largely centred around how you are able to market to these contacts and how you should handle the data of those contacts.
How does this impact on my business in general?
In short, you now MUST have the explicit permission of the contact to get in touch with them, in specific ways about certain topics.
For example, you may have a customer who is happy to receive your promotional information via email but not telephone. All businesses must now maintain a record of ONLY the data they have a permission to hold and use it in a way the customer has agreed to.
In the above example, if you maintained a record of that customers’ email address AND telephone and were using both for marketing AND you went against their request to only contact them via email – then you’re flouting the rules and could be given warnings and even worse – a potential fine!
What does the term “personal data” mean?
The definition of the term “personal data” can be boiled down to “The type of data which can identify an individual human being”. That can be a name, telephone number, email address, bank details etc. If you are holding that type of data about your customer or supplier – it would be regarded as “personal data” and therefore fall under the new GDPR rules.
How does this impact on contacting prospective new customers?
As you have probably guessed – if you haven’t had the express permission from the customer to get in-touch – then quite simply – you cannot get in touch with them! This means the days of cold-calling and cold-emailing individuals (without using carefully vetted bought-in lists for example) will become things of the past. Whilst this may have a negative effect on the ways you currently find new customers, it means you will potentially spend less on your marketing, which in turn means the leads you do acquire through other marketing means are more likely to be much more interested in your products and services!
How does this impact on contacting existing customers and suppliers?
This is a slightly grey area as the term “customer” can mean different things to different businesses. Essentially, if you are contacting the customer on an on-going basis regarding things such as the progression of an order, or chasing up a debt – then in most cases this would be regarded as using the customers’ data in the pursurance of a contract and therefore ok to use.
However if you are sending a newsletter out to your customers and they have not indicated they want to receive that newsletter – then that is something best to stay away from.
As a matter of good business practice, it’s a worthwhile exercise to purge your existing databases of old contacts with whom you no longer do business, as holding that data when it’s not being used in a meaningful (non-marketing) way is also not allowed under GDPR.
Storing of Data
If you are holding any data about an individual which allows you personally identify that person, then under GDPR you have to show that you are taking the required steps to secure that data. In terms of digital documentation, that means keeping your online security up to date, maintaining internal security of your documents and generally most of the things you should have in place in your IT infrastructure which is protecting your other data as well.
In addition you should ensure that you have procedures in place which your staff are aware of for how that data in handled, how the data should be stored and what you should do in the event that the data is stolen or misplaced.
What does the “right to be forgotten” mean?
One of the specific new parts of GDPR is that the person identified in your data can request that you remove all of the information you hold about them and you have a short window of time (1 month) to comply with that request.
Essentially, unless you have an overriding reason to keep the data (an invoice which you need for tax reasons for example), you should aim to comply fully with this request as quickly as possible. If you are unable to fully remove their data, you should write and explain this to the customer. If you are unsure if your reason for keeping the data is valid, each EU member state has government backed GDPR websites outlined your options.
How should I use Receta to make sure my data management remains within GDPR?
In your role as “Data Controllers” (a title within the GDPR which identifies the type of person managing data), you have the ultimate responsibility in terms of the data you add into the system. However, Receta can help by offering you both the chance to store the customer marketing preferences against an individual customer record, plus the chance to delete any/all of an individual customers’ information within the system.
What considerations might I have outside of Receta?
Consider the following step-by-step plan to ensure you are well on the way to complying with your GDPR obligations:
- Conduct an audit of the existing customer and supplier data you holdM
- Make a list of the current processes you have for handling that data.
- Identify the lawful bases for processing, storing and documenting that personal data (pursuance of a contract for example)
- Create a document which outlines how you request and record consent.
- Write/Update your data protection policy which includes the “personal data” identifiers you will hold. Send this to all staff member and make it available to all customers on request.
- Consider appointing a specific Data Protection Officer who is responsible for uploading your new policy and training new staff.
- Implement any improvements to any technical processes you perform on your data such as encryption or levelled access.
- Create a policy and protocol in the event of a breach and make staff aware of this.
- Update your marketing material to allow the customer to give clear consent on their preferences for being contacted.
Where can I go for more information?
In the UK you may wish to look at:
Why not contact us today to discuss how Receta can help your business?
*This blog has been written by Receta as a condensed summary of GDPR and not as a full comprehensive review. We advise all readers to undertake their own further reading and research into GDPR, including a review of the GDPR guidance set out on the Information Commissioner’s Office’s website (or equivalent in your country).