GDPR – Small Businesses Need to Review Marketing
As a small business the personal information (data) that you collect from your buyers is essential to your business. For example, without a buyer’s name and contact details you can’t fulfil their order but that information is also gold-dust for your marketing activities to entice buyers to make their next purchase with you.
However, just because someone buys from you, it doesn’t mean that you can automatically assume you can contact them about something different after you have fulfilled their order (sent the product or provided the service). If you subsequently want to tell them about your new products, services, upgrades and anything else you think they may be interested in you need to think twice.
Data protection law is about protecting an individual’s personal data – this means that you can only contact an individual if
- There’s a lawful reason (such as to fulfil someone’s order or to comply with a legal obligation) OR
- They have agreed that you can (consented)
For marketing purposes, most businesses rely on obtaining an individual’s consent so that the business can contact them – it makes good business sense to use the initial buying process to ask your customers if you can contact them again to tell them about your products/services or to enrol them in a loyalty scheme. However GDPR changes means that you now need to take a good hard look at the question of consent from individuals, including your customers, to be sure that you can contact them without breaching your data protection obligations.
Many business currently rely on obtaining consent to contact the individual using
- Pre-ticked boxes
- Consent that’s hidden within their terms and conditions of business
- Inferring consent from silence or inactivity (i.e. not saying that they do not want to be contacted)
The problem is that changes to data protection (the General Data Protection Regulations or GDPR which comes into force in May 2018) demand that the consent from your customers must be
- Freely given
- Informed and
- An unambiguous indication of the person’s wishes (i.e. there is no doubt as to the individual’s wishes)
What do you need to do?
Look at what information you collect from your buyers and how you want to use it. If you want to be able to contact them for particular purposes, such as marketing, look at how you obtain consent and how you can make changes now.
If you don’t you will find yourself with data that is useless because you will be breaching data protection if you contact people without their express permission.
What happens if you don’t?
The Information Commissioners Office (ICO) who enforces data protection clearly means business. They are urging businesses to start getting ready for GDPR now because from May 2018
- You will need to tell them if you breach any data protection and
- If you do, or are not complying with your data protection obligations then you will be fined up to 4% of your turnover