Monday, 5 March 2018

GDPR for SME including Internet Marketing

For many of us GDPR is scary.  While we all know that while data protection has been with us a long time, the new rules mean that ALL of us, whether or not we are an SME or a Marketer, need to make sure we are compliant. 

Mostly, like the video I posted a few days ago, the information we get just tells us that we need to comply and if we don’t what the fines could be if we have a data breach.  Much of the new rules came in because there HAVE been serious data breaches, TalkTalk, Yahoo to name a couple.  Whenever it has happened, the business has lost significant money and clients/customers.

What the videos don’t tell us is HOW we comply.  Guidance is long and arduous to go through and I would recommend that you should at least look at the ICO (information Commisioners Office) guidelines.  It’s comprehensive although it can take some time to find what is relevant to you.

The two most important areas are:

Do I need to register or am I exempt? Check that out here:

Register your business.  There is a charge of £35 (no VAT) (unless your turnover is greater the £25.9m ) and you MUST do this before 25 May 2018.

Then you must
Report a breach with 72 hours, if it happens

In practical terms, most of us hold data on our clients.  This means we are data controllers.  If we use systems that process data for us, they are our data processors.  This could be your website management, your email marketing system, or similar. Remember as well that this applies to ALL records we hold, including paper copies.

Oci gives us a checklist to help us make sure we have everything in place.  I’ve reproduced it for you here :-

Being able to answer ‘yes’ to every question does not guarantee compliance, but it should mean that you are heading in the right direction.

  • Do I really need this information about an individual? Do I know what I’m going to use it for?
  • Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
  • Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
  • Am I sure the personal information is accurate and up to date?
  • Do I delete/destroy personal information as soon as I have no more need for it?
  • Is access to personal information limited only to those with a strict need to know?
  •  If I want to put staff details on our website have I consulted with them about this?
  •  If I use CCTV, is it covered by the Act? If so, am I displaying notices telling people why I have CCTV? Are the cameras in the right place, or do they intrude on anyone’s privacy? 
  •  If I want to monitor staff, for example by checking their use of email, have I told them about this and explained why?
  • Have I trained my staff in their duties and responsibilities under the Act, and are they putting them into practice?
  • If I’m asked to pass on personal information, am I and my staff clear when the Act allows me to do so?
  • Would I know what to do if one of my employees or individual customers asks for a copy of information I hold about them?
  • Do I have a policy for dealing with data protection issues? 
  • Do I need to notify the Information Commissioner?
  • If I have already notified, is my notification up to date, or does it need removing or amending?

The IMPORTANT thing to realise is we have a responsibility to look after the data we hold. 

Under the Data Protection Act, you must:
  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.
It is interesting that Oci have picked up on affiliate marketing.

So as individuals, we personally need to be sure that the systems we use are compliant as well as ensuring what we do ourselves is compliant.  Marketing applies is SME’s as in any other type of business, we are all in the market of promoting and selling our goods, whether directly or via a larger business platform.

Marketing – some simple steps

If you do telephone, email or other electronic marketing then you need to comply.

Privacy Notice
·       add a privacy notice to your website or blog
·       add a check box that people must check to show they are aware of how they information will be used
Obtaining consent
·       Use opt-in boxes
·       Specify what information you are collecting and how you will use it e.g email, text, phone,post
·       Do you pass on information to third parties? If you do clearly state who it is and describe them
·       Record when and how you got consent.

If you use an email marketing service, for example Aweber, check they comply with privacy controls.
·       When importing lists, ask for a further opt-in with your first email
·       Opt-ins should be refreshed every 6 months
If you buy in lists,
·       check the seller is professional
·       Use the information only for marketing purposes
·       Delete any irrelevant or excessive personal information
·       Tell people where you got their information

Retention of records
General Data Protection Regulation states that information should not be kept for longer than required.  Retention periods will vary depending on the reason for retention so you need to create a retention schedule stating how long you will keep certain records for.

  • review the length of time you keep personal data;
  • consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
  • securely delete information that is no longer needed for this purpose or these purposes; and
  • update, archive or securely delete information if it goes out of date.

I hope you have found this useful, please note: This guide is for informational purposes only and does not constitute legal advice which may be relied on in any situation. 

References and information reproduced from:

No comments:

Post a Comment