A beginners guide to GDPR Data Protection Update

GDPR Data Protection legislation update

The data protection legislation in the UK hasn’t changed since 1998, that going to change soon with the introduction of new GDPR data protection legislation (General Data Protection Regulations).

You’ll have probably received an invite to a seminar from a professional services firm to explain the legalities behind GDPR. By GDPR we mean data protection changes.

Since Websand helps marketers create ‘data driven marketing’ we’ve been following this closely and making sure our platform helps make our users ‘future proofed’.

Now that the conscious uncoupling between the UK and the EU has begun, the GDPR will begin to take shape from a regulation to law.

Brexit is irrelevant to this. The UK will still be part of the EU when it becomes a legal requirement, and it’s going to be a ‘standard’ for doing business anyway.

And, it’s also a great excuse to put some ‘best practice’ in place and improve your business.

A date of 25 May 2018 has been mentioned, so that’s only one Christmas away. If you are a digital marketer or if your business collects customer data (pretty much everyone then).

Please take some time to read these posts, as you’ll need to get prepared.

The first GDPR data protection draft

In March 2017, the Information Commissioners Office issued the first draft consultation on the data protection changes.  So things are starting to become real.

You won’t find it under data protection, they’ve named the draft, GDPR consent.

Here is a summary of the key points from the ICO GDPR data protection draft.

The GDPR is setting in their own words “a high standard for consent”.

The concept of the new consent, is to put individuals in control of their data.  As a result, the ICO notes this will help to build customer trust and engagement, and will enhance your (business) reputation.

What is meant by consent?

Consent means offering individuals (that’s your audience, prospects and customers) genuine choice and control.

It’s opt-in from this point forward.  Consent will require a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.

You are going to need to keep evidence of consent – who, when, how, and what you told people.

Consent will no longer be a precondition of a service.  This is an interesting point. It suggests that if someone purchases or agrees to your service, you will still need to be prove explicit consent for future marketing communications.  This is still in draft form, and I think is likely to be strongly challenged.

Your data policies

Explicit consent will require you to show a very clear and specific statement of consent.  At this time it’s not clear if this replaces a Privacy Policy, or refers to an update of your Privacy Policy.   It is clear that this consent request will need to be separate from the other terms and conditions you use within your business.

Once in place, you are going to need to keep consent under review.  If anything changes you’ll need to change your policies and working practices accordingly.  Once the regulations are finalised and become law.  We can expect some initial challenges, and things will change.  So like employment law, business people are going to have to keep a close eye on changes.

You are going to need to make it easy for people to withdraw their consent from you using their personal data (unsubscribe or otherwise). You also need to tell them how in a clear manner.

Not for everyone?

Public authorities and employers will find using consent difficult.  Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.

I don’t understand the above statement from the ICO draft summary, it seems to contradict the other items within the draft.

However, one area which will need to be addressed is how existing people currently ‘signed up’ are transitioned into the new world of ‘explicit consent’.

What do I need to do?

Don’t delay.  Start putting ‘explicit consent’ into your data collection processes as soon as possible.

Check how you control your consent practices and your existing consents.  Refresh consents if they don’t meet the GDPR standard.

If you are using any third parties – such as Websand – make a list of the data related tools that you use.  It’s very likely you will need to name any third parties who will rely on the consent.

For more in depth detail.  Click on the link to read the full ICO draft GDPR consent

What are we doing in regard to GDPR data protection changes

Data Collection

We’ve built Websand to help you meet the expected change in standards.  For us, we’ve started to build explicit consent into our processes.

  • We focus on opt-in selection rather than opt-out at the time of signup.
  • The acceptance of your terms is date stamped.
  • We also collect source as standard, so we are logging where the initial signup took place.

We are in the process of building explicit consent into our data collection add-ons such as the Websand subscriber wordpress plug-in.  So if you use this process, you’ll be moving in the right direction.

Unsubscribe

As for unsubscribe, in our opinion unsubscribe is a good thing.  If people don’t want to receive your marketing messages, then we believe you should make it as easy as possible for them to do so.  So we operate a death-star unsubscribe policy.  When a member of your audience unsubscribes, that is logged against their record, and they will be removed from all future marketing communications.  That is until they decide to return, whereby they would need to explicitly opt-in.

Being a third party

Websand is designed around the principles that are reference by the ICO draft.  That businesses that control their data effectively, find it easier to build customer trust and engagement, and as a result grow through an enhanced reputation.

A lot of our blog posts focus on data strategy for this reason.  We believe that too much email marketing is list based rather than customer focused.  When you get customer focused, your engagement improves and you can unlock new opportunities.

Websand relies on customer data – you can’t segment or run marketing automation without it.  However it’s not clear yet if or how our users need to reference Websand as a third party.

Sources of reference for GDPR data protection

Other great sources of reference are as follows:

The Direct Marketing Association (the DMA).  They’ve been in the trenches for the GDPR since the beginning. Protecting the interests of marketers and UK businesses.

The Information Commissioners Office (the ICO) are the independent regulator for data protection issues within the UK

We aren’t lawyers, but the GDPR will become a key part of our business processes, so we are following this closely.  If you need help, please get in touch.

websand email marketing signup

Also published on Medium.