
We know you’re already busy juggling clients, managing your team and keeping a multitude of plates spinning. GDPR is one of those plates you really don’t want to drop. Data protection can seem daunting, but it’s essential for building trust with your clients, not to mention a legal requirement.
Hmm, what is GDPR again?
The General Data Protection Regulation (GDPR) came into legal effect in May 2018. It is designed to protect the fundamental right to privacy of EU citizens and give them more control over their personal data (i.e. their name, email or IP address). It applies to each and every organisation worldwide that processes the personal data of people in the EU. Organisations that fail to comply could face a maximum financial penalty of up to £17.5 million or 4% of their annual global revenue.
Got it, give me the do’s and don’ts.
GDPR do’s
✅ Get clear consent
When collecting personal data (especially for marketing emails) you must make sure that people actively opt in. Use clear language, and don’t make assumptions: pre-ticked boxes are generally a no-go.
✅ Only keep what is necessary
Take stock of the data that your business holds. Where did it come from, why do you have it, how long do you need it for? If you’re storing any irrelevant data, delete it and stay accountable for the data you do have.
✅ Keep it safe
All documents should be password protected and only available to the team members who genuinely need them for their job. This protects you and your customers from data breaches.
✅ Update your Privacy Policy
Make sure your website’s Privacy Policy is easy to find and clearly written, and set a reminder to check it annually. It should explain exactly what data you collect, why, and how it’s used. This transparency builds trust and is also a key GDPR requirement.
✅ Make it easy to opt-out
Every marketing email should have a clear and functional unsubscribe link. Individuals have a ‘right to be forgotten’, so ensure there’s a process in place for when someone asks for their data to be deleted.
GDPR don’ts
🚫 Assume you have consent
Just because someone gave you their business card or bought something once, that doesn’t automatically mean they want to receive marketing emails unrelated to their immediate purchase. Always confirm they explicitly agree to receive marketing communications.
🚫 Share data without permission
Never sell, rent or share customer data with third parties unless you have explicit consent from the individual and your intentions are clearly stated in your Privacy Policy.
🚫 Ignore data requests
All EU citizens have a right to ask what data you hold on them (Subject Access Requests, or SARs). You’ll generally have one month to reply, and ignoring these requests can lead to fines.
🚫 Forget to train your team
GDPR is every team member’s responsibility. There are SO many training resources available that you could easily make this a non-negotiable part of your induction training.
We all know that data can be a business’s most powerful tool, but don’t let it become your weakest link. Make sure you harvest the information ethically (sorry, the fruit bowl of business cards on an event table doesn’t fit the bill any more!). It’s not about creating headaches, it’s about building a foundation of trust.