The new marketing laws that your business needs to act on NOW
From May 2018, new legislation will require your business to take extra measures to ensure customer data is kept safe and used properly
Does your business engage in email marketing? Have tick boxes on your website? Or do you store information about your customers?
Then you'll need to prepare for the General Data Protection Regulation (GDPR), which comes into force at the end of May 2018.
While there are some exemptions for small businesses – for example, only organisations of over 250 people need to appoint a data protection officer (unless they’re in the data management business) – broadly speaking, small businesses will need to comply with the new regulations.
What are the new data protection regulations?
GDPR requires that any business or organisation that collects data from EU citizens – or stores data in the EU – adhere to the new data law. This law increases the powers of data regulators. It grants individuals greater rights to access and control the data any organisation has on them.
It introduces substantial fines for organisations that misuse data or that cannot provide evidence of permission to use a person’s data for a specific purpose. The term ‘personal data’ will expand to include details like our IP address and any data stored in cookies from sites we browse.
The introduction of GDPR will require organisations of all sizes to evaluate and change the way they use, share and store data if they want to avoid hefty fines (which can reach up to 4% of global turnover).
What should small businesses do to prepare for GDPR?
1. Assess current data collection and storage processes
GDPR will require all organisations that use or store the data of EU citizens to be able to trace where they capture data, to define how they’ll use it, and to ensure the security of the data. Small businesses need to take this time to assess their current data collection and management processes before the new law comes into force.
2. Review and overhaul data security
What risk management processes do you have in place? How securely is the data stored? Can it be copied on to a USB stick? Is it on a spreadsheet that someone could easily print out, screenshot or take a picture of on their phone?
You could have a secure database, with stringent access protocols, but all of that is made redundant if someone can just take a screenshot of the data. Any security solution you have in place must guard against this.
3. Ease of permission change
How is your data stored at the moment? Most small businesses tend to store data across spreadsheets – both in the cloud and stored locally (on people’s computers and the company server). But how easy is it to revoke access? You may be able to edit access rights to the file on the server, but what happens to the copy someone made on their personal USB?
GDPR means that businesses need to get tough on access rights. Get a system in place that means the documents are stored in one place, and that gives you control over who accesses it, where they can access it, and how long they can access it for.
4. Tracking access
With permission management in place, you should be able to track who is accessing your data. Your sales team will need to access their lead-gen list, but can you tell where they are accessing it from? If your star sales person is accessing it from his mobile, on his day off, in the offices of one of your competitors, that’s something you’d want to know.
5. Inform and educate your team
Don’t assume that everyone on your team knows about the new data laws, or understands how they affect their work. Inform, educate and train your team on the correct use of data.
If someone accepts your connection request on LinkedIn, that doesn’t mean they’ve agreed to be put on a mailing list. Yet a practice that is simply rude and annoying at the moment will go against GDPR rules in a few months. It’s best to get your whole team following best data management practices now.
6. Develop a culture of privacy
Privacy is a major concern for UK consumers. GDPR will require that organisations make it easy for those they store data on to access and delete their data. Despite the fact that the law only applies to organisations over 250 people, and only to those that deal with the data of EU citizens (or store data in the EU), all organisations will need to take notice.
As more organisations focus on consumer data rights, people will expect the same level of service from any organisation they do business with. Any business that develops a strong culture of privacy will benefit when GDPR is introduced.
7. Simplify processes
Be transparent with customers from the outset. Be clear about what data you need from them and why. Set up a simple process for them to manage the data you hold on them – it should be simple for them to delete their data or transfer it to another organisation.
You might want to provide customers with their own digital storage – something that they can access to check on, edit, copy and delete their data. The data deletion process must be quick and easy for people to use.
Many smaller firms won’t be directly affected by GDPR, but in the long term, all organisations will need to re-evaluate their data management processes. Once larger organisations get to grips with the new data regulations, people will expect to manage and control their personal data to a greater degree than they do at present. Small businesses will need to change the way they manage data, or risk being left behind.
By Dharmendra Patel, head of Strategy & Finance at Pushfor