GDPR…. What the **** is it all about?

These four little letters have been flooding the internet of late. Although nowhere near as good as KFC or LOL in the acronym stakes, if you run a small business, you should definitely know about them. GDPR stands for General Data Protection Regulation … and will be soon replacing the current Data Protection Act. It affects all businesses who are either ‘controllers’ or ‘processors’ of personal data, either of their employees, customers, clients or suppliers.

We’re all sick to the back teeth of our precious time and email accounts becoming clogged up with spam and unsolicited communication from businesses we couldn’t give a toss about … so this should be a great move for consumers. Plus, with the number of high level data security breaches in the news, it should mean that our personal information is much safer.

After having a mild panic that this new ruling will be the end of marketing as we know it ... I took a more logical approach and got clued up. There’s a lot of info out there so I thought I’d give a brief overview of the core information you’ll need to understand the basics.

Small (and probably quite shocking) disclaimer before I begin, I am not a legal expert… please do not use this blog as your sole source of information on this very complex new regulation. As a general rule, our blogs never usually contain much concrete legal advice anyway.

 This is both my 'not a legal expert' face AND my 'what even is GDPR?' face, what are the chances?!

This is both my 'not a legal expert' face AND my 'what even is GDPR?' face, what are the chances?!

Let’s jump right into some very top level learnings that you need to know, on a strictly need-to-know basis:

1.    25th May 2018. Put it in your diaries people. The GDPR enforcement date is looming, and you should not be leaving it until then to get your data ducks in a row. From this date onwards the regulation can be enforced, so to avoid a VERY hefty fine you should be getting yourself all good and compliant, right now.

2.    How do I show compliance? A first step is to create a data register containing all the information you hold in your database, how it was obtained, how it is used and who it is shared with. Might sound like a giant job but worth doing now as if someone requests to be removed from your database after 25th May, you need to be able to do so pretty much immediately and free of charge.

3.    What if I’ve already got consent from everyone on my mailing list? Best practice is to ‘re-consent’ by sending out an opt-in form to your mailing list so you can guarantee that they have consented to hearing from you. If you know you obtained GDPR-compliant consent (auto-ticked boxes don’t count) when they originally signed up, you might be able to avoid double opt-in but it’s best to double check that in this (probably more helpful) guide.

4.    New folk – Any new data you add to your data register needs to meet the criteria of one of the 6 lawful bases for processing. The biggie is consent which we’ve addressed before, but you should check out the others as it could be that legitimate interest or performance of a contract is more applicable. You’ll also have to have a revised privacy notice to hand explaining to anyone you contact why and how you’re doing so.

5.    Hungry for more? I pinched this list of extra resources on GDPR from Wired Magazine’s piece on the subject so you’ve got plenty of places to look if you need additional info…

– The full regulation. It's 88 pages long and has 99 articles.

– The ICO's guide to GDPR is essential for both consumers and those working within businesses.

– EU GDPR is the Union's official website for the regulation. It details all you need to know and has a handy countdown clock for when GDPR will come into force.

– The EU's Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.

Finally … DON’T PANIC! You’ve still got time … And as long as you start taking the right steps now, you’ll be showing compliance with the new regulations before they come into effect. For example, appointing a Data Officer in your business; you don’t have to hire a dedicated person unless you have over 250 employees, but someone should be identified who will be responsible for knowing where all of your data is and how it’s used.

We’re really hoping that GDPR will actually be good news for marketers, allowing that 20% average open rate to start skyrocketing as people will be genuinely interested in your communications. This should allow businesses to become more targeted, more engaging with their content and have much better relationships with their customers…. And hopefully less ‘Have you been in an accident that wasn’t your fault?’.