Data protection: Understanding changes in the law

The General Data Protection Regulation (GDPR) is something that is on people’s mind more and more. There’s a lot of hearsay doing the rounds of what the new laws will mean for your company, stories of legal requirements and fines, and large-scale projects to make sure you comply.

Technical Director Jason Millis and Studio Manager Tom Batchelder attended a seminar run by Hanson Lawrie HR & Recruitment Solutions and Emms Gilmore Liberson Solicitors to understand the steps Formation will need to undertake for our clients and services.

What is GDPR?

GDPR is an EU regulation, approved on the 14^th April 2016, that aims to provide a framework of regulation for companies handling and usage of personal data throughout all aspects of their business.

This includes HR - the handling of employee information, and marketing – storing customer information and sending marketing campaigns. It’s important to note that this does not only apply to digital assets, but also any paper records you may keep.

The equivalent of this regulation, the UK Data Protection Act 2018, is currently making its way through parliament. However, with the deadline for this to become law the 25^th of May 2018 it is important that businesses begin to see what this might mean for them.

Whilst we can’t be sure exactly what our version of the bill will state until officially passed, we can be sure it will at least abide by the rules laid out in the GPDR, and so we can begin to take some steps in the right direction.

How do I make sure my business complies?

The new laws are not as daunting as they might seem; small to medium-sized businesses do not have to abide by the same strict measures as large corporations, but that doesn’t mean you can be complacent.

If a breach were to occur, the Information Commissioner’s Office (ICO), responsible for investigations, wants to see you have taken the new regulations into your processes, that you’ve made some practical changes and can identify the cause of the mistake.

Data Protection Officers

First and foremost, your company will want to assign a ‘Data Protection Officer’. This member of staff will be responsible for ensuring the company is aware of issues and making progress on practical aspects, but this is not a sole effort.

Compliance will require the attention of all employees and it is important that training is offered to avoid slip-ups. For small to medium sized businesses this new role needn’t warrant a new full-time position, but it may be a substantial project that needs to be properly managed.

Data Audits and Incident Reports

Before any assessments or action can be taken you must first acknowledge where your data is kept. Is there a central database of information, or do members of staff keep their own spreadsheets of contacts? Do you have a back room filled with paper copies of client data from 20 years ago?

Once collated and grouped you can assess what information you truly need to keep. A good way of managing this is through a competent CRM service.

Most services will be aware of these laws and, if not already, make sure you are as compliant as possible while using their service. The marketing team here at Formation and can offer some guidance on which CRM services to use.

Mailing Lists and Explicit Consent

One of the biggest changes is the way in which marketing emails are sent. Under the current laws you can ‘infer consent’; anyone using your website contact form can be added to your mailing list to receive any future correspondence, including marketing, event invitations and more. Under GDPR, this is no longer the case.

You must receive explicit consent under GDPR to send marketing emails, add people to your mailing lists, and if asked, you must be able to provide details of when and how consent was given.

Keeping a spreadsheet is likely the best option for this, and enables you to record consent, even if it is given in person or over the phone as opposed to in writing. Once this consent is received it is implied to last “forever”.

However, it must be easy for a subscribed user to remove themselves from the list; most mailing list services such as Mailchimp provide facilities for this and enforce it on your emails.

Unfortunately, for the majority of businesses this means that spreadsheets of client data that have been collected from previous contact will no longer be usable unless you can prove who gave consent originally.

Luckily, we have now nine months to send out emails to this list and put together a ‘clean’ mailing list that asks recipients to ‘tick a box’ to confirm their consent is given. Getting a head start on this now means you’ll be prepared for when the laws come into effect.

External Services

You are also responsible under GDPR for any data that is sent to and used by external services from your business, whether it be an accountant or social media marketing teams.

Get in touch with these services and see what their plans are for compliance, ensure they know you’re on the ball with the changes and if they seem to know little about it: it might be time to review who you work with!

At Formation, we’re busy getting ready for some of these changes, but our own ways of working already incorporate several of the protocols, such as having a secure, in-house CRM. For us, the most important thing is ensuring we’re leading the way for our clients, abiding by the law and still delivering a great service.

If you have any questions on the GDPR, or would like to know more about how it will affect marketing, don’t hesitate to contact us.