It’s finally here. There’s no getting around it now, the headache that is GDPR is finally here. Like that unwanted invitation to a dislikable cousin’s wedding that’s stuck on your fridge, “Sort out GDPR” has been sitting there on your to do list for 18 months. But the day has finally arrived.
So, dig out your wedding outfit, hope it still fits, put on a brave face and try to make the whole thing as painless as possible.
The EU's General Protection Data Regulation comes into force on 25 May and whether you're in Europe or not, if you have a web presence or run digital marketing, you’ll need to know about it.
Here are three questions to ask yourself which will help check that your digital marketing is GDPR compliant.
- Is your opt-in clear, optional and fair?
- Have you deleted everyone who isn’t opted-in?
- Is opting out easy and straightforward?
1. Is your opt-in optional, clear and fair?
If there’s one thing I’ve learned from attending weddings that you think are going to be a bit meh, if you throw yourself in and get on with it, you usually end up having a great time. That said, GDPR isn’t exactly a barrel of laughs. Granted. But it’s not the mind-melting catastro-headache that we thought it was going to be.
When it comes to achieving GDPR compliance, it’s best just to dive in at the first touch point your digital marketing audience will have with it: Opting-in.
At any point in your marketing where you can gather personal data from a user, it needs to be clear, optional and fair for them to opt in to being marketed to.
Optional
If you have contact forms on your website - be it for somebody to actually get in touch or for requesting an eBook, price guide, or any piece of content - they need to have the option to opt-in to marketing comms.
You can’t pre-tick that the user has given consent and you can’t force them to give consent in order to receive their requested comms/content.
Clear
Likewise, when taking information (data) from a user, is it clear that you’re offering consent to receive marketing information, and is it equally clear that you have a privacy policy for them to check?
Furthermore, is said privacy policy itself clear and easy to understand? It should be in plain English, avoid small print and provide the same user experience as the rest of your site.
Just because it’s the 'legal bit' of your site, it can no longer read like a piece of legal writing.
Fair
Opting in to receiving marketing comms from you and consenting to have personal data held needs to be fair. Rather than being related to requesting permission from or presenting information to the user, being 'fair' in this instance relates more to how you hold a person’s data.
If a person does not give consent by opting in and they use a contact form to request a price for a project which begins in a year’s time then, yes, you may hold their data for 12 months. It is fair and reasonable for you to do so.
But you have to be fair, in return, and delete their data if they’re no longer interested when you follow up the lead in a year’s time. And 'delete' means delete.
2. Have you deleted everyone who isn’t opted-in?
You actually do need to delete anyone who hasn’t given consent to have their data held and be marketed to, unless you have practical justification for holding their information. Sorry.
And this needs doing for any leads or prospects who haven’t consented - before the 25th May. And you need to keep deleting these people after the deadline too. You also need to check that you’ve got a process for doing so.
Unless they’re a customer. If they’re a customer, it’s a bit different because the legal people who drafted the GDPR directive have left shades of grey, as you might expect, and it’s called legitimate interest.
Imagine that you sell central heating boilers with a ten-year life expectancy. You realistically might discover a fault with your product and need to update them nine years and 364 days into the future otherwise their house might explode. In that case, you really should hold onto a customer’s data.
Just make sure that they can opt out of marketing comms.
3. Is opting out easy and straightforward?
Opting out needs to be straightforward. Nothing too much changing here, you’ll already be showing 'Unsubscribe' options in your email templates. But there might be a couple of things which need updating.
First, give people the quick and easy option to be 'forgotten'. Your privacy policy can take care of this by providing an email or postal address where somebody can request this to happen in writing.
Second, make sure that the presentation of and wording on your subscription settings page is nice and simple. Make it clear and easy for people to opt in or out of newsletters, general marketing comms, helpful product related info or whatever other types of digital marketing you execute.
If you’d like to send a type of marketing comms, give them the chance to opt in or out, easily.
And, of course, make sure that you don’t then send these people the information that they’ve chosen not to receive.
And, also of course, make sure you actually do delete and forget anyone who tells you to do so.
Don’t do what I did and end up forgetting to RSVP with apologies to a cousin’s wedding, drink through the small-talk-pain and be left to face the world’s worst GDPR hangover.
Disclaimer time: Digital 22 aren’t your GDPR consultants. This post is just intended to help as much as possible. We’re just passing on the advice we’ve been given and what we will be doing. If you aren’t sure on anything to do with GDPR compliance, we strongly recommend speaking to a legal expert.
