Understanding GDPR can be intimidating. We've created an overview that might help. Not half as exciting as a hero in a half-shell… but extremely important. Here’s our lowdown on everything GDPR.
Back in May 2018, the data protection rules and regulations for the EU changed. Essentially, the General Data Protection Regulation (GDPR) modernized the laws around the protection of personal data.
In a nutshell, it meant that any company marketing (email, post, SMS, phone calls etc.) without proven consent could be fined up to 20 million euro or four per cent of the offending business's turnover. Prior to this, the ICO could only fine up to £500,000… so just a bit of a step up.
Wired summarizes the seven key principles laid out in article 5:
“Lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.”
Great question! A lot of smaller businesses still haven’t taken the steps to ensure they are acting compliantly with this regulation. Probably a combination of thinking they won’t be pulled up on it and a lack of understanding of what needs to be done. But with fines like these, do you really want to risk it?
Yes. GDPR laws apply to anyone who is collecting information about European Union citizens, regardless of where the company is located. As explained by GDPR.eu:
(See the article explaining what is considered personal data under the GDPR.) The GDPR applies to companies outside the EU because it is extra-territorial in scope. Specifically, the law is designed not so much to regulate businesses as it is to protect the data subjects’ rights. A “data subject” is any person in the EU, including citizens, residents, and even, perhaps, visitors.
What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR. The data could be in the form of email addresses in a marketing list or the IP addresses of those who visit your website.
The first step in proving consent is making sure all sign-up forms are crystal clear on what you’ll be doing with that individual's data. For example, if it’s an email database, you’d need to state frequency, content and whether you share your database with any third parties.
Once you’ve done that, you’ll need to do the following:
First and foremost, you must ensure all data is kept securely and only those who need to access the data can. As a company, it is also your responsibility to ensure your staff understand GDPR to minimize any violations.
Set up your sign-up forms to have a double opt-in mechanism behind them. Most email service providers now have this as standard practice, but some don’t. What this means is that once someone submits their data on your form, they’ll receive an email asking them to confirm they intended to sign up to your database.
Once your subscribers have confirmed their intent, your CRM or database should store a date and time stamp of when they signed up.
Have a clear unsubscribe link in every communication channel. This also means an inbox that is monitored so if for any reason the link doesn’t work, you can be contacted directly. This doesn’t need to be a personal inbox but one that is monitored regularly.
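As an added example (not from the original post, and not any vendor's product), here is a minimal Python consent ledger that implements the three steps above: a form submission issues a single-use confirmation token, confirming that token records the opt-in timestamp and legal basis, and an unsubscribe is recorded rather than deleted so both events can be proven later. The class and field names, and the in-memory store, are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Contact:
    email: str
    purposes: tuple                 # what the sign-up form said the data is used for
    events: list = field(default_factory=list)   # (timestamp, event) audit trail
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """In-memory stand-in (constructed here) for the CRM table holding opt-in evidence."""
    def __init__(self):
        self.contacts = {}    # email -> Contact
        self._by_token = {}   # pending confirmation token -> email

    def request_signup(self, email, purposes):
        # Form submission: record what the form promised and issue a confirmation token.
        token = secrets.token_urlsafe(32)
        c = Contact(email, tuple(purposes))
        c.events.append((datetime.now(timezone.utc), f"form submitted, purposes={c.purposes}"))
        self.contacts[email] = c
        self._by_token[token] = email
        return token   # goes into the link in the confirmation email

    def confirm(self, token):
        # Double opt-in: only a live, unused token proves the subscriber meant to sign up.
        email = self._by_token.pop(token, None)
        if email is None:
            return False   # unknown, already-used, or forged token
        c = self.contacts[email]
        c.confirmed_at = datetime.now(timezone.utc)
        c.events.append((c.confirmed_at, "double opt-in confirmed; legal basis: consent"))
        return True

    def unsubscribe(self, email):
        # Withdrawal via the unsubscribe link is recorded, not deleted, so it can be proven.
        c = self.contacts.get(email)
        if c is None or c.withdrawn_at is not None:
            return False
        c.withdrawn_at = datetime.now(timezone.utc)
        c.events.append((c.withdrawn_at, "consent withdrawn via unsubscribe link"))
        return True

    def may_email(self, email):
        c = self.contacts.get(email)
        return c is not None and c.confirmed_at is not None and c.withdrawn_at is None
```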
Certain database and email marketing systems have tools specifically designed to make GDPR compliance easy to manage. For example, HubSpot has GDPR-specific form collection fields that are integrated with the CRM and email system, which ensures you only send email to people who have specifically opted in and, if you specify, who have a double opt-in on record. The HubSpot system also keeps electronic records of opt-in times and dates, the legal basis for contacting each person, and audit trails that support compliance. The data is stored in the cloud (in EU servers for EU clients as of July 2021) with log-in access standards that meet GDPR requirements.
Basically, only collect what you need, and be prepared to explain why you’re using it. For example, if you’re collecting date of birth in sign-up forms, be clear as to what you’re doing with it. It might be to track a child’s development, send age-appropriate nutrition recommendations for a pet or simply to send birthday discount codes.
If you can’t explain why, then you shouldn’t be collecting it. End of story.
Avoid asking for personal information that isn't essential to the service you're providing. If you are collecting sensitive information like ID numbers or bank account information, be sure your electronic records meet all security compliance standards.
So, we’ve summarized what you need to do with data collection, but what about the legal statements you need on your website? Keep in mind these essential elements.
Over the last few years, you’ll have gotten used to seeing banners across the top or bottom of all compliant websites. They’ll ask you to consent to cookies being set during your session and sometimes beyond.
The banner will link to your cookie policy, which will outline all the cookies you’re using on your website. This includes:
You’ll need to outline exactly what you’re doing with the data you’re collecting, how you’re handling it, and whether you’re sharing it with any third parties, and if so, why and who they are.
Basically, you need to be absolutely transparent about what you’re doing with any data and why. A link to your privacy policy is required on any forms where you collect personal information.
Stop. Storing. Data. In. Excel. There. Ok, actually there’s more to it than that. But it’s a start! And yes, we know for a fact this still happens and it shakes us to the core.
You can do it in four simple steps:
A system specifically designed with GDPR-compliant features is essential.
For example, finance teams will need to see customer data, but not marketing information. Sales and marketing teams will need analytical data and opt-in, but won’t need access to financial records. Simple.
Don’t leave yourself logged in to databases when you’re not using them!
Don't send marketing material to anyone who has not opted-in to receive it. You might keep separate lists for people who have opted in to your blog, your news, your educational content, etc. In general, unless someone is already a current customer, or has given you permission to email them, you shouldn't be emailing them. (There are exceptions for transactional emails for customers and one-to-one follow-ups with anyone who requests information).
Probably. It’s not for us to say, but it’s often a good idea to have someone with a recent legal background or a data protection officer review what you’ve done and make recommendations if you’re not quite there. If you don’t have one, have a look for a legal team with GDPR compliance experience.
Any website designer/developer or marketing agency worth their salt should know how to make sure your website is compliant. If you’re working on a website redesign or refresh, they should make sure that your new data collection forms, privacy and cookie policies all meet the regulations set. And if you have further questions on what you need to do, just ask us! Feel free to leave a question in the comments below.
Looking for a GDPR compliant CRM and email marketing solution? Consider HubSpot.