GDPR, a benefit for consumers; a headache for small businesses

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It covers all manner of personal data processed by businesses, and it applies to businesses of all sizes, with few exceptions.

It applies not only to the personal data of employees but also to that of customers and any contacts whose personal details are stored for business purposes. Non-compliance can attract fines of up to 4% of worldwide annual turnover or €20 million/£17 million, whichever is higher, with new criminal offences for responsible directors in specified situations.

There are numerous ways in which a business interacts with its customers. If you already hold a database of existing customers, or intend to create one this year, you must consider the implications of GDPR. Failure to do so can now result in fines which could cripple your business.

The sections below give more detail on the considerations for your business when you collect and use data from people who buy your products and/or services online.

It is important to make sure that people who sign up for marketing information, or enter a prize draw at any festivals, fairs and shows you attend this year, have given their consent for you to use the personal information they provide for those purposes.

Customers who buy products or services online

GDPR requires your business to communicate transparently regarding the personal data it is collecting, processing and storing.

For online businesses, this is best done through a standalone privacy policy clearly displayed and accessible from your homepage. Whilst all online businesses should already have such a policy in place, it is highly likely that it will require updating to become GDPR compliant, which in turn reduces the risk of the Information Commissioner's Office (ICO) imposing sanctions for breach.

A typical privacy policy would, and should, include details of:

  1. who the data controller is;
  2. reasons, including the lawful basis, for collecting and processing personal data;
  3. third parties you share any personal data with;
  4. personal data retention period;
  5. cookies used, where personal data is collected from them;
  6. any transfer of information outside of the European Economic Area (EEA); and
  7. the rights and choices individuals have in respect of their personal data and how they can be exercised.

Businesses should also review and update the data protection clauses in their existing terms and conditions to bring them in line with GDPR principles. For any business currently operating without formal terms and conditions, now is the time to put in place a compliant set, not only ensuring GDPR is addressed but also protecting the wider operation of the business.

Marketing campaigns

In the modern world, online marketing is a core strategy of many businesses. For those carrying out unsolicited electronic marketing campaigns, the recipient must have given express permission (consent) at the time their data was originally collected. Without this, a business is not permitted to market to them.

What is consent?

Consent means an unambiguous, freely given, specific and informed indication by an individual signifying agreement to the processing of personal data.

This form of consent cannot be implied. It requires a positive action (opt-in) in response to a clear, concise and prominent request detailing the data controller’s name, the specific purpose for processing and the types of processing activity.

Put simply, as a minimum in obtaining express consent to market you should outline:

  1. organisation name;
  2. the third parties who will rely on the consent (if any);
  3. why the data is wanted (the purpose of processing the data);
  4. what will be done with the data (the processing activity); and
  5. that the individual can withdraw consent at any time.

Recording and managing consent

Active opt-in consent can be obtained in a number of ways, including ticking an opt-in box on paper or electronically, signing a consent statement on a paper form, or selecting from equally prominent yes/no options.

All businesses should maintain records evidencing a person’s consent, detailing who consented, when they consented, how they consented, what they were told and if consent has been withdrawn.

It is important that consent can be easily and freely withdrawn by the individual whenever they choose to do so, e.g. by including an unsubscribe link in every email, or by providing consent preference tools that allow individuals to manage and withdraw consent.

Consent records should be reviewed regularly and refreshed if anything does change, such as a change in circumstances regarding the purpose for which data is collected or where operating processes evolve.

GDPR does not specify how often consent should be refreshed, as this will often depend on the context in which consent is sought. However, the ICO's "if in doubt" guidance is that consent should be refreshed at least once every two years. This is a sensible timescale to work to where there are no stronger reasons to refresh consent sooner.

An effective way to manage this requirement is to build consent reviews into internal business processes, with clear lines of responsibility for the task. This is what the ICO will expect to see, and businesses will need to be able to demonstrate it.
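The record-keeping described above (who consented, when, how, what they were told, whether consent has been withdrawn, and whether it is due for a refresh) is easiest to evidence if it is kept as structured data rather than scattered across mailing-list tools. The following is an added example, not code from the original article or from any particular product: a minimal consent register that stores those fields, handles withdrawal, and answers "may we market to this contact as of this date?" using the two-year refresh interval from the ICO guidance quoted above. All contacts and dates in it are constructed sample data; the class and function names are the example's own.

```python
"""Consent register: evidences who consented, when, how, what they were told and
whether consent was withdrawn, and checks whether a contact may still be marketed
to as of a given date. Added example; not from the original article."""
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# ICO "if in doubt" guidance: refresh consent at least once every two years.
REFRESH_INTERVAL = timedelta(days=2 * 365)


@dataclass
class ConsentRecord:
    subject: str                        # who consented (contact identifier)
    purpose: str                        # the specific purpose they agreed to
    controller: str                     # organisation named in the request
    given_at: datetime                  # when they consented (timezone-aware)
    method: str                         # how: "web opt-in box", "paper form", ...
    statement: str                      # what they were told, verbatim
    third_parties: tuple = ()           # third parties relying on this consent
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        # Naive datetimes make "is this older than two years" ambiguous; refuse them.
        if rec.given_at.tzinfo is None:
            raise ValueError("given_at must be timezone-aware")
        self._records.append(rec)

    def withdraw(self, subject: str, purpose: str, when: datetime) -> int:
        """Mark every active consent for subject/purpose as withdrawn; return count."""
        hits = 0
        for rec in self._records:
            if rec.subject == subject and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = when
                hits += 1
        return hits

    def can_market(self, subject: str, purpose: str, as_of: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason) as of a point in time, so the same register can
        answer both "may we send today?" and "were we allowed to send last March?"."""
        candidates = [r for r in self._records
                      if r.subject == subject and r.purpose == purpose and r.given_at <= as_of]
        if not candidates:
            return False, "no consent on record"
        latest = max(candidates, key=lambda r: r.given_at)
        if latest.withdrawn_at is not None and latest.withdrawn_at <= as_of:
            return False, f"consent withdrawn on {latest.withdrawn_at.date()}"
        if as_of - latest.given_at > REFRESH_INTERVAL:
            return False, f"consent given {latest.given_at.date()} is stale; refresh it"
        return True, f"consent given {latest.given_at.date()} via {latest.method}"

    def evidence(self, subject: str) -> List[dict]:
        """Everything a regulator would ask to see for one contact."""
        return [asdict(r) for r in self._records if r.subject == subject]


def build_sample_register() -> ConsentRegister:
    """Constructed sample data (not real contacts) covering the four outcomes."""
    reg = ConsentRegister()
    statement = ("Tick this box to receive email offers from Example Ltd. "
                 "You can withdraw your consent at any time.")
    utc = timezone.utc
    reg.record(ConsentRecord("alice@example.com", "email marketing", "Example Ltd",
                             datetime(2017, 9, 1, tzinfo=utc), "web opt-in box", statement))
    reg.record(ConsentRecord("bob@example.com", "email marketing", "Example Ltd",
                             datetime(2017, 11, 12, tzinfo=utc), "paper form at trade fair", statement))
    reg.withdraw("bob@example.com", "email marketing", datetime(2018, 2, 3, tzinfo=utc))
    reg.record(ConsentRecord("carol@example.com", "email marketing", "Example Ltd",
                             datetime(2015, 6, 20, tzinfo=utc), "web opt-in box", statement))
    return reg


AS_OF = datetime(2018, 5, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    reg = build_sample_register()
    for who in ("alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"):
        print(who, reg.can_market(who, "email marketing", AS_OF))
```

The point-in-time check matters in practice: the register records a withdrawal without deleting the original consent, so it can still show that a message sent before the withdrawal was lawful at the time, which is exactly the evidence the ICO will ask for.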

The ‘soft opt-in’ exception

There is an exception to the above requirement called the ‘soft opt-in’. The conditions which must be met for the soft opt-in to apply are as follows:

  1. personal details have been obtained in the course of, or in negotiations for, the sale of a product or service;
  2. marketing campaign messages are solely marketing similar products or services;
  3. the person was given the opportunity to refuse marketing when their details were collected and if they did not opt out at that point, they are given a clear and simple way to do so in future messages; and
  4. you clearly inform the recipient who you are and provide a valid contact address.

What about contact details you already hold?

For businesses wishing to use previously collected contact details for marketing campaigns after 25 May 2018, the above requirements still need to be satisfied. Many current practices for the collection and use of personal data will not be GDPR compliant.

Unfortunately, it is not a quick fix to simply make contact with existing mailing lists to seek consent. The ICO has specifically advised that emails sent to individuals in such circumstances are themselves marketing emails and there are examples of organisations having been fined for doing this recently.

In summary

GDPR is complex and detailed. Larger organisations have recruited dedicated compliance officers to meet the scale of the task, whilst smaller organisations need to manage the exercise and satisfy these more onerous requirements from existing resources.

You cannot hide from the changes; they are not optional. There is one clear certainty: 25 May will be upon us in a matter of weeks. Businesses need to act now to ensure they are GDPR ready.

You can check online for further advice or contact a member of our Corporate Commercial team to review your existing policies and business terms and conditions.
