Companies will now be required to build privacy settings into their digital products and websites – and have them switched on by default. Companies also need to regularly conduct privacy impact assessments, strengthen the way they seek permission to use the data and improve the way they communicate data breaches. As this is a regulation, it is legally binding, meaning a breach could lead to fines of up to 20 million euros!
Regarding your marketing, you will now need to make sure that everyone on your contact lists has actively given permission, rather than permission having been assumed.
If your customers have opted out of marketing emails, don’t email them – it is as simple as that; you are breaking the law if you do and could face a heavy fine!
Your website needs to be compliant too! You must give users complete control over their data, offer clear, optional and understandable opt-in / opt-out directives! Site owners must have active privacy features, which enable data to be handled compliantly and safely. One of the biggest changes is to how websites and business owners gain permission to use a person’s information. You MUST make sure that your website doesn’t fail to comply with the new rules…
- Prefilled checkboxes. You might be used to opting visitors in by leaving your opt-in checkbox checked by default and hoping they don’t notice, but now any checkbox must be explicitly checked by the user to give consent.
- You can no longer bundle consent into one opt-in. So, you can no longer add people to your marketing list by bundling consent into terms and conditions, or generalise contact preferences; each contact method must be chosen individually.
- It must be as easy to opt out as it was to opt in. There must be a clear way to opt out, so it’s important to make your opt-out settings very easy to find.
- Each party must have explicit consent. Opting in to unnamed ‘third party’ offers is no longer an option; each party must be explicitly named.
- If you run an Ecommerce website, you will inevitably be storing personal information, so these rules apply to you as well. It is important that you delete users’ data after a reasonable amount of time. ‘Reasonable’ is not explicitly defined, but this must be considered.
- And finally, check data you’ve already collected. How is it being stored? Is it documented? What’s it being used for? And do you REALLY need it?
It is now time to start ensuring that every name in your CRM database and every email in your automated system has given you permission to market to them. If someone opts out of an automated email sequence, the systems need to be immediately updated. Having the next email already scheduled will not be a valid excuse when it comes to facing the consequences.
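The consent rules listed above (explicit, per-channel, per-named-party consent; easy opt-out; deletion after a retention period) and the requirement that an opt-out immediately cancels anything already scheduled can be captured in a small consent ledger that gates every send. The code below is an added illustration written for this page, not code from the article's authors or from any particular CRM or marketing platform; the class name `ConsentLedger`, its methods and the sample contact addresses are all hypothetical.

```python
"""Hypothetical consent ledger and send-gate for marketing automation.

Models the obligations described in the article:
- consent is recorded per contact, per channel, per NAMED party, and only
  when the user actually performed the opt-in action (no pre-ticked boxes)
- opting out of a channel removes consent and drops queued sends at once
- personal data is purged after a retention period
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Labels that do not name a specific party and therefore cannot carry consent.
UNNAMED_PARTY_LABELS = {"third party", "third parties", "partners", "selected partners"}


@dataclass(frozen=True)
class Consent:
    channel: str       # e.g. "email", "sms"
    party: str         # the named organisation allowed to use the data
    given_at: datetime
    source: str        # where consent was captured, kept for the audit trail


class ConsentLedger:
    def __init__(self):
        self._consents = {}       # (contact, channel, party) -> Consent
        self._queue = []          # scheduled messages awaiting send
        self._last_activity = {}  # contact -> datetime, drives retention

    def record_consent(self, contact, channel, party, source, when, ticked_by_user):
        """Store consent only if the user explicitly gave it to a named party."""
        if not ticked_by_user:
            # A pre-ticked box or consent bundled into T&Cs is not consent.
            raise ValueError("consent must be an explicit action by the user")
        if party.strip().lower() in UNNAMED_PARTY_LABELS:
            raise ValueError("each party receiving consent must be named")
        self._consents[(contact, channel, party)] = Consent(channel, party, when, source)
        self._last_activity[contact] = when

    def may_send(self, contact, channel, party):
        return (contact, channel, party) in self._consents

    def schedule(self, contact, channel, party, send_at):
        """Queue a message; refused up front if there is no matching consent."""
        if not self.may_send(contact, channel, party):
            raise PermissionError(f"no {channel} consent from {contact} for {party}")
        self._queue.append({"to": contact, "channel": channel, "party": party, "send_at": send_at})

    def opt_out(self, contact, channel, when):
        """Withdraw consent for every party on a channel and cancel queued sends.

        Returns the number of scheduled messages that were cancelled.
        """
        for key in [k for k in self._consents if k[0] == contact and k[1] == channel]:
            del self._consents[key]
        before = len(self._queue)
        self._queue = [m for m in self._queue
                       if not (m["to"] == contact and m["channel"] == channel)]
        self._last_activity[contact] = when
        return before - len(self._queue)

    def release_due(self, now):
        """Return messages due for sending, re-checking consent at send time."""
        due, remaining = [], []
        for m in self._queue:
            if m["send_at"] > now:
                remaining.append(m)
            elif self.may_send(m["to"], m["channel"], m["party"]):
                due.append(m)
            # a due message whose consent has gone is silently dropped
        self._queue = remaining
        return due

    def purge_inactive(self, now, retention):
        """Delete every record for contacts inactive longer than `retention`."""
        stale = [c for c, t in self._last_activity.items() if now - t > retention]
        for contact in stale:
            self._consents = {k: v for k, v in self._consents.items() if k[0] != contact}
            self._queue = [m for m in self._queue if m["to"] != contact]
            del self._last_activity[contact]
        return stale


if __name__ == "__main__":
    # Constructed walk-through using made-up addresses.
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25)
    ledger.record_consent("a@example.com", "email", "Acme Ltd", "signup-form", t0, ticked_by_user=True)
    ledger.schedule("a@example.com", "email", "Acme Ltd", t0 + timedelta(days=1))
    ledger.schedule("a@example.com", "email", "Acme Ltd", t0 + timedelta(days=3))
    print("cancelled on opt-out:", ledger.opt_out("a@example.com", "email", t0 + timedelta(hours=2)))
    print("still allowed:", ledger.may_send("a@example.com", "email", "Acme Ltd"))
```

The two checks worth copying are the ones that bite in practice: `record_consent` refuses anything that was not an explicit user action or that names no specific party, and `release_due` re-checks consent at send time rather than trusting the state when the message was queued, so a sequence scheduled before an opt-out never goes out.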
Make sure your data is being held securely, keeping in mind both technology and the human factors in data security!
If you need any more information regarding GDPR, we will be happy to talk you through it or visit https://www.gov.uk/government/consultations/general-data-protection-regulation-call-for-views