EU Data Protection reform: A bitesize guide for businesses

European Union Data Protection reform is a hot topic right now, as businesses realise that it’s time to clean up their act and ensure that their email marketing data will meet the new standards ready for 2018. So what are the first steps towards compliance that you and your business need to consider?

Storing personal data

It’s a good idea to look at all the customer data held within your business, so that you can get started with deciding which data you need to keep, get rid of, or re-permission. The EU General Data Protection Regulation (GDPR) requires that once data has fulfilled its original purpose, there is no reason to keep it – unless there is other reasonable justification.

The purpose of keeping certain customer data should be fairly obvious (e.g. if someone’s buying a contract mobile phone deal for the next two years, it’s entirely reasonable to keep their data until the deal is over). If there’s a situation where you’re not sure what to do with certain data, you can always contact your local Information Commissioner’s Office (ICO) representative to double check.

If your business is of a large scale and holds a lot of data on file, it could even be a wise and strategic move to appoint a specialist data officer who is dedicated to processing and sorting customer data, and making sure that GDPR standards are met.

Cleaning up old data

Once decisions have been made on whether to keep or get rid of customer data, you should dispose of it safely. Businesses have a duty to safely destroy data so their customers are not at risk from identity theft or fraud.

Retaining anonymous data

It’s acceptable to keep customer data for additional requirements such as analytics, so long as the data is anonymised and can’t be linked back to your customer in any way.

Using the correct wording when collecting customer data

It’s important that you and your business are transparent when sending out privacy statements to customers and collecting data. You have a duty to make sure that it’s clear which company the email has been sent from, how you plan to use collected data, and which third parties it will be shared with. This way, when customers are giving consent for you to store their personal details, they know exactly what those details will be used for.

The Information Commissioner’s Office guidance suggests that using a layered approach to present your company’s privacy policy is one of the most effective techniques. This means providing customers with a basic summary of the privacy policy when they request to sign up to a newsletter or promotional emails. It is acceptable to give them an option to read the detailed version elsewhere or via an additional link.

Explicit consent

The EU GDPR reform requires businesses to prove that they have clear consent from customers and individuals. In practice, it’s a good idea to start contacting existing customers over the next few months and send out a re-permission email to politely ask whether they are happy to give consent to their records being held on your company’s system.

Once the regulation is introduced in 2018, non-compliance means that businesses could face huge fines. Read Communicator’s three-stage education pieces on the EU GDPR reform for additional information.

Ashleigh Wood is Information Governance Officer at Communicator Corp