GDPR (General Data Protection Regulation) is coming and it’s something I know is scaring a lot of small business owners and marketers.
I too have been nervous so I put a call out on Facebook and LinkedIn for someone to come on to the podcast and talk us through the basics.
Annabel Kaye from KoffeeKlatch answered that call. This is a podcast you’ll want to listen to if you do business in the EU, UK or if you sell to people who live there.
Listen to Annabel’s GDPR wisdom
What is GDPR?
It stands for the General Data Protection Regulations. It does what it says on the tin. They are general regulations protecting individuals data which affect all businesses that trade with the EU. They also affect UK businesses because it’s been decided that post Brexit we are going to apply this legislation.
The idea is to bring up security on how you handle data to what some people already regard as good business practice. How big a change this is for you really depends on how you are using and accessing data at the moment.
So this data would be things like emails we’re collecting. What else?
Most businesses have emails and your emails are being held somewhere.
Most people have an accounting system, and many businesses have that information in the cloud.
And then I’m thinking Dropbox because I back up a lot of my stuff into Dropbox and of course that’s going to contain all of my spreadsheets that have email addresses on them?
Absolutely, so at the very least you are going to have those. Depending on how you trade your business you’re going to have a great deal more. There’s your email marketing software, webinar platforms, websites, shopping carts. All of the information we collect from these is arriving somewhere and being kept somewhere.
Should we be worried about cookies on our website?
Yes if you are using the cookies to collect data. If your cookies are collecting data that allows you to identify individuals then they’re covered by this. If they are saying 20% of people who visit my website are between the ages of 45 & 55 and you can’t tease out any individual information from any of that then probably not.
So it’s not that there’s a cookie, it’s the effect that using that cookie has. Cookies are quite intrusive, aren’t they? They almost follow you home and ask you out.
If you hold in mind this fundamental test, does it allow me to identify an individual?
Supposing you had nine clients called ‘John Smith’. You’re not identifying an individual by collecting the name John Smith because you still can’t tell which John Smith it is. The minute you add an email address or a shipping address to that you can tell which John Smith is which.
So would it be a good idea to minimise the data we’re collecting? To make sure we’re only collecting the data we need in order to run our businesses?
Yes, not only is it not lawful to collect it unless it’s necessary or you’ve got consent but you don’t have to worry about storing it if you didn’t collect it in the first place.
I’m quite offended by the number of sites I go onto for something. Let’s say to buy a pair of shoes. When I go to check out the cart asks: ‘What’s your name’, ‘What’s your shipping address?’ then ‘What’s your age’.
Yes, I’ve not bought from sites because they’ve looked for my date of birth in the past. I always wonder why they need that information. What is the benefit of knowing my date of birth?
That’s a very good place to be. What that website should be saying is that when you give us this data we need it for this reason. If that reason doesn’t correlate to the data they’re collecting, technically that’s not going to be lawful unless you give consent.
You might think you must have consented by putting your data in in the first place but this is something that is changing. If you have been running a business where you had a massive mailing list and you just said to people tick this box if you don’t want the following things that won’t work anymore.
Consent is now positive. You have to have ‘I do want this’ and ‘I want this for this reason’. So if someone signs up to buy your shoes you can’t put them on mailing lists just because they purchased from you.
Most businesses would have a mailing list they want people to sign up to. How should we advertise that on our website? Do we need to add a checkbox to that?
You will hear differing opinions on this. The new idea is granularity of consent. I like to use the analogy of dating. If you meet someone you like and you hand them your phone number. Are you expecting them to turn up at your house at dawn every day? Are you expecting to be on the Christmas card list? Are you expecting them to send you texts every 20 minutes? No, you weren’t, you were just thinking maybe they’ll ask me out.
Many marketing systems are like the guy who takes your number and stalks you. They take permission to do one thing as permission to do anything.
Granular consent means that people who sign up to your mailing list need them to know what they are going to get. So you might say ‘We’ll send you information on this subject and from time to time we’ll try and sell you something’.
Do we just put that in our privacy statement and link to it or do we put it on our pop up window? Or wherever we collect emails? For example ‘By downloading this eBook you’re going to get emails from us’ That doesn’t sound like positive consent though?
Positive consent is ‘Send me the eBook’. If as a result of the eBook you’re going to get an automated sales cycle you haven’t consented to that, you’ve only consented to getting the eBook.
So you would say. ‘You’re going to get the eBook, you’re going to get some follow up emails too but you can unsubscribe at any time.’
So I don’t have to add a checkbox?
Well, that’s the telling bit. Opinions at the moment are a bit mixed.
If the Data Protection Officer comes calling and looks for evidence that people opted into your mailing list how will you prove that?
So I need to keep records? What do I need to do?
The way I’ve gone for is putting it on the sign-up form. ‘This is the purpose of the list, this is what you’re going to get’. I’ve also gone for double opt-in. That means I’ve got an audit trail that they affirm that they want this list.
Double opt-in is when someone signs up for your list and they get a second email asking them to confirm their subscription.
That means when the Data Protection Officer comes calling I can show him that I told people what they were going to get and they confirmed that they wanted to be on the list.
Double opt-in is not mandated in the legislation at European level. What it says is ‘You must keep a record of their consent and what they are consenting to’. Double opt-in is an easy way of doing that because it is attached to the list.
You don’t have to set up double opt-in but you need to ask yourself how you are going to evidence that people have consented.
So the next stage is (and let’s stay with MailChimp as an example) we need to know where MailChimp stores the data. Am I correct?
How do we find that out?
You can ask them. I’ve been compiling a list. MailChimp data is kept in America. 80% of the products that ordinary small businesses use store their data in America.
MailChimp has something called the Privacy Shield. If you are using companies based in the USA you need to be sure they have Privacy Shield. If they don’t you can’t lawfully send your data to the USA without complicated contractual provisions being in place. The EU hasn’t decided what those provisions are yet.
So we know who is storing our data and where it is and if it’s in the US they have Privacy Shield. How do I keep a record of that?
I’m working with groups and we’ve gone for an audit process. We audit what data we are using, what platforms, what data are we keeping there?
You don’t just need to know what you are collecting and where it is stored but also who has access to it? That might sound a bit daft if you are a one-person business but if you hire a VA, web designer and you give those people access to your mailing list…
So do an audit of who has access to your data and always give people the minimum access they need. Most software will give you levels of access in the backend.
You also need to think about turning people off when they no longer work for you.
So what we need to do for starters is:
- Be honest when we collect data about what we are going to do with it.
- Know who is accessing it
- Know where it’s stored
- Keep records
So it’s a good idea to put a process in place to know that you are doing this?
Yes, you should do it as frequently as you reconcile your bank accounts.
You also need to have a data retention policy so that people can see what you are doing with the data, who has access to it, where it’s stored, how to see it and how to get off the list.
I’ve been doing a lot of work on devices. You can lose your data when you lose your laptop or your phone so you should encrypt these. Also, encrypt data that you save to external hard drives and USBs.
Annabel is running Webinars on GDPR. Sign up to her GDPR list on her website KoffeeKlatch.co.uk
Find Annabel on:
For more information on GDPR in Ireland visit GDPR And You