Reading that you need a ‘legal basis for data collection’ is enough to put anyone off getting their business ready for GDPR at the end of May! But it really isn’t that scary (honest!!).
In all, there are 6 bases for collecting and using data specified in the new policy, but for most small businesses like ours ‘consent’ is probably the most appropriate. Now I’ve heard a few stories about what gaining consent means over the last couple of months (such as getting business cards signed at networking meetings!) so I thought I’d give you a few pointers that may help.
- You need to get consent to obtain, store and use any personal information. This includes things like names and email addresses.
- People need to positively opt in for the consent to be valid. It needs to be explicit. So no more ticking boxes to say you don’t want to receive something or using information just because someone’s entered a competition. They have to actively agree to their information being used.
- The consent needs to be specific. You need to explain exactly what the information will be used for. So you can’t get consent to send someone a monthly newsletter and then send them daily or weekly emails.
- It needs to be auditable. You need to prove that consent has been given, so verbal consent is not really appropriate (unless you’ve video recorded them, and that just throws up a whole new level of consent!!).
- Consent doesn’t last forever. You need to periodically update your list.
So what should you do now?
- Quite simply ask for consent from everyone you hold information on. Possibly the easiest way to do this is via email but there are automated tools that can help (Mailchimp’s double opt-in is one of them).
- Make sure you gain consent from any future names you add to the list.
- Regularly update the consent you hold.
From a personal perspective, just because my email address is on my website it doesn’t mean I want to receive marketing emails from anyone who wants to send them. I also get rather frustrated at having to decipher whether I need to tick/untick a box if I don’t want to receive further information!
Hopefully GDPR will eradicate some of these issues.
While getting consent to hold and use information may seem like a headache it really is just best practice. It’s something we should all be doing regardless of the new regulations. And that’s as good a reason as any to get started.