Before I start I want to state that GDPR is a complete minefield, with many various opinions and interpretations about what needs to be done, and what doesn’t need to be done. This article does not constitute as legal advice, but merely as a guide and recommendations.
There seems to be a lot of unfair scare mongering going on around GDPR at the moment, SME’s are being petrified into making drastic decisions on how their business deals with data and their marketing exploits. As well as many supposed ‘GDRP experts’ charging huge amounts to make your business compliant and your business data safe.
GDPR is of course to be taken seriously, however if your business has a genuine legitimate reason to contact your customers, and they have consented to that – then you are fine.
So let’s take a look at some points…
Can your business still send SMS marketing messages and marketing emails after GDPR?
Yes of course you can. As long as they are legitimate customers and you have a genuine reason for sending them your messages, then you can carry on.
Do I need to get my existing customers to re opt-in?
No. If they are genuine legitimate customers, then you do not necessarily have to re-request their permission to keep sending marketing messages.
However moving forward you will need to put an explicit ‘opt-in to marketing messages’ whether that be on a sign up form or in a shopping cart.
One specific requirement of GDPR reads: you must have lawful basis in order to process personal data.
“Processing… means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data… it is difficult to think of anything an organisation might do with data that will not be processing.” (Source: ICO)
There are six lawful basis, none more important than another, however it is just the justification you have for processing their data. So if you have consent, so they have ticked yes to receiving your marketing emails for example, they yes great that’s fine.
However one of the other lawful basis is a little bit more flexible and not as black and white as the consent. And that is legitimate interests.
ICO state, “ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.” (Source: ICO)
So your marketing message of sending an email or SMS message constitutes as an act of processing, which needs to tick one of the following…
1 – Do you have a legitimate interest for sending the message?
They are an existing customer and you are sending another product/cross selling them something that they might be interested in – perfect fine, crack on.
2 – Do you need to send the message in order to achieve those interests?
3 – Have you balanced the act of sending the message against the individual’s interests, rights and freedoms?
There is a more detailed explanation and a template for the Legitimate Interests Assessments from the Data Protection Network here.
So contacting existing customers is fine, however lapsed customers is now a little bit more tricky and getting consent from them to continue to contact them would be strongly recommended.
But GDPR is not all about how you contact customers, it’s also about how you hold your customer data. Business data is very very important. There have been several high profile data breaches and hacks on huge global companies recently, and now more than ever it’s so important that you keep your business and it’s data safe from breaches and hackers.
Below is a great infographic from Mintivo, that tells you how you can keep your business and data safe, some simple steps but is imperative for any business.
VISIT THE SOURCE ARTICLE
Author: Jake Jeffries