If, like me, you've been bombarded with emails and adverts discussing GDPR, then you might be wondering what all the fuss is about and whether it affects you anyway.
Some of the communication I've seen from lots of big companies seems to be overhyping it all and announcing that unless you hire them, you're going to end up with a huge fine. Or jail. Or both.
I, therefore, set off to work out what all the fuss is about and find an answer to a pretty simple question:
In 2018, will GDPR affect the way I run my email marketing campaigns?
I figured that if I could work this out, I could explain it all to you, too, and we'd all be happy.
Will I be going to jail?
I'm not. Whether you go is entirely up to you, but I'm willing to bet that if you do, it won't be because of GDPR compliance, or lack thereof.
Hopefully, I can put your mind at rest.
Unless you're a robber or a murderer, in which case, you're on your own.
But it's a fair question seeing as many of the adverts I've seen offering to help are using some pretty hard-hitting words and phrases.
“Get compliant or be fined up to 20 million” is one I've seen. I mean, blimey! Just for collecting email addresses?
It turns out that, like the millennium bug and every other IT-related scare since, some consultants are using fear as a sales tactic.
There might be some truth to it, but let's just all calm down a bit and work out if we really are going to end up being bankrupted just because we sent an email out.
So what is GDPR and who does it affect?
It stands for the General Data Protection Regulation, and it replaces the old Data Protection Act.
It's a European Union regulation, but yes, it still affects us even if Brexit happens. It'll be rolled into UK law when (if) we leave, and anyway, if we want to continue dealing with our European cousins, we'll have to comply.
The aim of it is to cover all the holes that currently exist in the Data Protection Act and trust me, there are plenty.
Put simply, the whole act will govern what data you collect, how you collect it and what you do with it. It also has some specifics on how you dispose of it.
It might seem like it's more unnecessary work for our small businesses, but it's actually very good, and it aims to protect your privacy, too. Don't knock it until you've understood it.
I guess the main thrust of the regulation is to ensure data isn't misused, so as long as you stick to the rules, you shouldn't have anything to worry about.
Just to cover my backside here, if you are at all concerned about your compliance, you should consult a lawyer. Getting caught and then printing this document out as evidence isn't going to cut it in front of Judge Rinder.
What data does it cover?
Any data that could be used to personally identify anyone is covered.
If you collect email addresses, IP addresses, names, dates of birth, in fact, anything that you could use to identify someone, then you need to ensure you're sticking to the rules.
The net is quite wide here, and it's unlikely that there's any data you're holding about someone that isn't covered.
This means that if you have this data, you need to be careful about how you use it.
How did you get this data?
Now, this is where it affects marketing.
When collecting data, you need to be absolutely clear how you're going to use it, and you can't use any sneaky tactics to try to fool people into signing up for a newsletter.
This is going to affect the business-to-consumer market the most.
For example, when you check out from a store, you might see a bunch of check boxes, one of which is an acceptance of terms and conditions; the other might be to sign up to a newsletter.
It's important that the newsletter sign-up isn't pre-ticked. People have to opt in to receive marketing emails.
This is probably the biggest change for most online stores because up until these new regulations, it was quite acceptable to email existing customers, as long as you didn't go over the top, and as long as you offered them a way to opt out in future.
However, it's always been a little on the dodgy side to have something like this:
You really shouldn't be tricking people into signing up, or asking them to do something to opt out.
Opting in needs to be a clear decision.
And if they don't opt in, you can't email them other than for transaction purposes.
That means you can send things like “your delivery is on its way” and “thanks for your purchase” type emails that are related to a specific order, but you can't then send them adverts or any other marketing.
How about business-to-business?
This is where it gets a bit fuzzy.
Most of the existing rules, and indeed the new ones, were put there to protect consumers.
For businesses, it's been a bit of a free-for-all, with very little in the way of hard rules to stop people sending emails to other businesses.
This is likely to stay as-is for now until someone starts pushing it.
In effect, if you collect someone's email address in return for an e-book or other promotion, then you can continue to email them as long as you have an opt-out option in the email.
Every email you send must give people a simple way of stopping those emails, and that usually means a link to click.
And when they've clicked it, you must stop emailing immediately.
This rule is very easy to comply with because it's likely your mailing software already has these features built in, so check with your software vendor.
I've already checked the big ones, and ActiveCampaign, MailChimp and a whole host of others have already stated that at a technical level, they'll be fully compliant.
In simple terms, this means that if you're a pure business-to-business marketer, you're not going to have to worry about anything.
The right to be forgotten
We've already said that if someone opts out of an email then you can't send them anything else, but some people might want to go further and be forgotten completely.
This means that you'll need to destroy all the data you hold on someone.
Again, if you store everything in a CRM or mail system, this should be easy.
Find the contact, hit delete – they're gone.
But, if you use multiple systems, you'll need to have procedures in place to ensure you can delete them from every one if they ask for it.
So do I have to do anything?
If you're a large business with dozens of staff, multiple systems and many customers then you're going to need to get a dedicated team on it or get a consultant in.
It's too big an issue to just hope nothing will come of it, even though, to be fair, it's unlikely anything big will happen when the legislation first hits.
If you're a small business or sole trader, you're probably going to be absolutely fine as long as you stick to some very simple rules:
- Don't trick people into signing up, and make sure your forms make it clear you're going to be marketing to people
- Don't spam the bejeesus out of your list
- Stick to the subject. If you're a manufacturing company then stick to what you do and how it helps your customers; don't be tempted to sell vouchers for the local Beefeater
- Make it easy for people to opt out
In short, be sensible, and you'll be in the clear.
This legislation is really there to deal with those who abuse the system. If you're not one of those, and if you comply with requests as and when you receive them, you should be OK.