GDPR: How to deal with

After four years of preparation and debate, the GDPR (General Data Protection Regulation), approved by the EU Parliament in 2016, will become effective on Friday, 25 May 2018. If your business is based in the European Union or European Economic Area, or you process the personal data of EU citizens, the General Data Protection Regulation affects you. Have you done what is necessary to adapt to the new rules?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. It’s a kind of revolution in the way businesses and organisations currently treat the personal data of EU citizens.

The first two important things you should know about GDPR are that the new regulation affects everyone, including tiny and one-person businesses, and that it applies to data you already hold. You therefore need to do some work to adapt to the new standards by May 25, as huge penalties (up to 4% of annual global turnover or €20 Million) will be applied to those who don’t follow the rules.

A. Key themes

1. Personal Data

Personal Data is any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, telephone number, bank details, posts on social networking websites, medical information, or a computer IP address.

2. Consent

Consent given by the Data Subject is mandatory to allow any business or organisation to handle and process the personal data concerned. This means that all data lacking clear and explicit consent from the affected person by May 25 must be deleted and can no longer be used. The conditions for consent have been strengthened too: the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. It must be as easy to withdraw consent as it is to give it.

3. Data Controller

All EU businesses that handle personal data should be registered as Data Controllers with the data protection authority in their country of primary operation. You can find here a full list of all EU data protection authorities organised by Country.

4. Right to be forgotten

Also known as Data Erasure, the right to be forgotten entitles the Data Subject to have the data controller erase his/her personal data, stop further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or consent being removed.

B. Check List

What you need to do by May 25 in order to comply with the GDPR.

1. Data Audit

Keep full records of all data you process, including the type of data and its purpose:

-What data are collected (first name? last name? email? tel? photo?…)

-How you collected these data (email? sign-up form? telephone? event?…)

-Why you collected these data (to inform? invitations? sales? prospecting?…)

-Who collected them (you? your team? a third-party supplier?…)

-How they will be used (email? messages? newsletter? calls?…)

-By whom they will be used (you? your team? a third-party business?…)

-Where you store them and how you protect them (CRM? Excel sheet? Password? Cloud?…)

2. Cookie & Privacy Policy

Review/rewrite your cookie and privacy policy. Who you are, and how and why you process personal data (see the list at point 1), needs to be explained in a very clear, transparent and easily accessible way. This means you can’t just link to a General Terms & Notes page on your website and assume users will read it. You need to articulate your data privacy policy properly yourself. Your new Privacy Policy should be visible and easily accessible on your website. Your business contacts (company name, address, email) should be clearly visible on your website, in the footer or on your contact page.

3. Consent procedures

Review your consent procedures like sign-up forms. All main marketing service providers like MailChimp have normally made all required changes to comply with the new regulation, and help you with the procedure.

First thing, enable GDPR fields on your signup forms:

Description: Why you are collecting the information on your form, such as providing marketing and product updates

Options: this field uses checkboxes to get consent for each marketing activity you conduct. Remember that each marketing activity must be clearly communicated and requires separate consent.

Legal text: this field explains how you’ll use contacts’ data. Statements you make in this section must be consistent with your practices, so be sure to edit this field to meet the needs of your business. Include your contact details on the signup form – the GDPR requires the organization collecting the personal data to identify themselves. Let your customers know they can change their mind at any time with the Unsubscribe link.

Privacy Policy & Terms: link to the Privacy Policy.

After you’ve set up your marketing permission checkboxes, segment your list to make sure you send your campaign only to the people who have given consent through your signup form.

4. Collect Consent

All personal data that has not been authorised by May 25 must be deleted. So, take your time to contact all data subjects concerned by your data, to inform them about the data you own and ask them for their consent to keep on processing these data. As for the email addresses you use for your newsletters and marketing campaigns, you need all your existing contacts to opt-in to your marketing permissions. The best way to do this is to send a consent campaign to each list affected by the GDPR. Email marketing service providers like Mailchimp have created an email template for that, to facilitate your job. After you send your consent campaign, you can use the campaign URL to share it on your social channels.

To ensure maximum response before May 25, you might want to send a reminder a week after your first email. Use a descriptive subject line to let your contacts know that an action is required. After May 25, use your Marketing Permissions segments to communicate only with contacts who have expressly opted-in to your marketing. You may find it helpful to bulk unsubscribe all contacts who have not opted to receive any marketing from you.

5. Check you’re only communicating for the purposes you have consent to

It’s very important that you use the data you have only for the purpose you got consent for. For example, if you got permission to use an email address for sending a newsletter, this doesn’t mean you got permission to message that person through email.

C. Prospecting under the GDPR

1. Emails

For many companies, GDPR means sales teams need to make some changes to their sales techniques to stay compliant with the new rules. If you’ve been sending out cold prospecting emails and sales pitches on auto-pilot lately, then you’re going to have to stop. With GDPR, you can’t send automated sales emails to prospects without getting their permission first. This includes product demo, quick catch up and “just reaching out” emails, or any other form of communication that your prospects didn’t ask to receive. That being said, you can continue to send cold sales emails to prospects, if the email is sent to an individual and not to a group of recipients, and if you have included a link to your privacy statement explaining why you are contacting them in the first place (i.e. you have a legitimate interest).

2. Social Selling

GDPR doesn’t prevent you from finding and connecting with potential customers on social media. Whether you connect with customers online and ask for recommendations or if you decide to reach out to new prospects directly, you can continue to use social media as part of your overall sales strategy.

3. Purchased leads lists

Contact lists can often be a great way to fill up the sales pipeline. From May 25, if you acquire leads that contain personal data from third-party ‘lead generators’, then not only do they need to have consent to share that information with you, but you will also be required to get specific consent to use the email addresses on the list, unless they have given their consent to be approached by associated partners (i.e. said “yes” to their data being transferred to third parties). In this case, you can contact them. However, you must document proof of their consent from the third party you purchased the list from, and you will also need to allow people to unsubscribe from your email campaigns.

4. Calling

Calling doesn’t come under the same regulation as GDPR. But each time you add a new prospect to your CRM database, you’ll need to get their consent before you can start sending them promotional offers. So, while you are on the call with the prospect, ask them if they would like to receive emails from your company. If they say yes, you can send them a link to a “manage my subscriptions” page where they can opt-in to specific news, content and updates. To prove the contact by phone, you can follow up the call with an email that sums up everything you have discussed. In this email, make sure you include the purpose of why you called them, what was agreed during the call, and why you are following up by email.

5. Networking

Networking at events is a great way to meet new customers, and a large part of networking is the tradition of exchanging business cards. In the past, this meant taking the contact information on a business card, such as name, company and email address, and storing it in your CRM system. While you can continue to exchange and store business card information, you cannot use their email address for marketing purposes unless you have their consent and they have opted-in to receive marketing emails. But you can still send one-to-one emails and follow up with prospects that have given you their business card, since a legitimate interest has been established.

D. Look at the bright side!

This is a great opportunity to build a relationship based on consent with your contact list, so be positive about it! Furthermore, it’s also a good occasion to look at your list and do some cleaning, for example by removing all those contacts who haven’t engaged with your business in any way. Those who give you their consent do so because they find what you’re sending them very useful, and the engagement rate of your list should grow accordingly.

Hope this summary helps you get ready for May 25 and be compliant with the GDPR! Keep calm, don’t panic, and good luck with your work!