October 9, 2017


GDPR and Direct Marketing - it's all about relevance, that's all.

September 25, 2018

Data Protection: Is it safe to come out from behind the sofa? YES!


Did the mention of GDPR (General Data Protection Regulation) fill you with panic and fear back in the springtime? Does it still loom over you, and make you quake at the knees each time you think about sending a marketing or any other message to your customers, in case you are doing the wrong thing?


The media subjected us to the usual scaremongering we should by now expect and know to take with a very large pinch of salt when it comes to anything of newsworthy merit, and GDPR certainly gave both the media and the agencies who promised to solve all our GDPR fears for a ‘worthy’ fee, an opportunity to capitalise on the usual elongated legislative language that gives even the best boffins a headache.


I met one of those boffins recently, and she will not object to that description, since Catherine Hunt of GDPR Charity Solutions admits herself to being a geek when it comes to poring over legislative documents that leave most of us cross-eyed.


She set up her businesses early this year, to support organisations and charitable trusts with applying systems to adhere to GDPR regulations, since administrative systems are the core part of this legislation, supporting how a business gathers and holds data, why a business is holding data, how they use it, how long they hold it and how they dispose of it. Catherine told me: “It’s all about transparency and honesty.”



It’s NOT about opting-in 


Not the belt-and-braces version anyway. What you need to prove is “legitimate interest”, so if you have a hotel and someone books a room or an event with you, they have expressed an interest in your business. Without asking them, you can retain their relevant personal details (name, purpose of booking, contact details) and communicate with them about your business: general news, special offers and future events. You cannot, of course, sell their data for other marketing purposes but you can cultivate a relationship with them as a customer.


Again, if you are a retailer or provide any form of activity, if someone volunteers their contact details on a form to join a database to receive information about your business, they are showing “legitimate interest” so keep their details and communicate ‘til your heart’s content and the consumer remains of value to you. A tick box to opt in is not mandatory and neither is an ‘unsubscribe’* on email communications, although it’s probably best practice to do so.


 * If you did apply ‘opt-in’ you must ALWAYS provide ‘opt-out’. If you choose not to provide an unsubscribe option, ensure that on all communication you have a statement that explains how the data subject removes their contact details i.e. by getting in touch with your business and how they do that.  This covers you as far as regulations are concerned.  



Data Management Audit


Here’s what is the important part of GDPR, which you probably don’t know about: proof you are responsibly gathering, holding and using data.


Catherine has a very useful spreadsheet for businesses to follow, that provides a great template to enable you to record every element of your business’s activities that involves the management of personal details. That includes your employees, since their data is as important to protect as a customer’s.


Having this in place and following what you state are your processes is important and this is what will be scrutinised to ensure that you comply with GDPR.


Matters such as sensitive data (Special Category Data) are of particular importance and necessitate approval from the individual. These cover the following categories of data you may hold about a person:


  1. Race

  2. Ethnic origin

  3. Politics

  4. Religion

  5. Trade union membership

  6. Genetics

  7. Biometrics (where used for ID purposes)

  8. Health

  9. Sex life; or

  10. Sexual orientation


So, for example, if you own a hotel and to look after regular guests you hold data about their health in relation to dietary needs, that’s sensitive data and you MUST gain written permission to hold this data. 



You and your teams are accountable


There are Data Controllers and Data Processors. In a nutshell, as a business owner you will be the Data Controller and any member of your team managing data on your behalf or a third party business you manage data through, such as website companies, consultants and systems such as Mailchimp or others you import data to for email marketing, are Data Processors and they should act on your behalf.


You are BOTH accountable for the data and how it is used. Data management agreements may be necessary.    


For your team, as they also hold responsibility for the management of data, it is required that proper training is given, and proof of that training is evident. If they follow your instructions and that complies with GDPR, all is good; if you or they as individuals break the rules, you and they can be held responsible.



Sensitive Data


Proving that you have legitimate reason to gather sensitive data is vital and your Privacy Notice should cover this and all factors relating to the gathering and processing of data.


  1. Your Privacy Notice should include your lawful basis for processing as well as the purposes of the processing.

  2. If your purposes change, you may be able to continue processing under the original lawful basis.

  3. If you are processing special category data, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.



Have a Privacy Notice


Your Privacy Notice on your website, for example, should be simple and relevant – most companies make it elongated and often web developers create a formulated version that may not match the business’s actual activities in relation to data processing. It should be a clear purpose for use of data. In your Privacy Statement say what is ‘legitimate interest’ – convince the data subjects it’s ok to retain their data.


Your Privacy Notice should:


  • Say who is collecting the information and whether they are the data controller or data processor. If you are the data processor you must also name the data controller;

  • Say what you are collecting;

  • Give the lawful basis you are using;

  • Say why you are collecting it (you have to have a purpose – ‘just in case’ isn’t allowed);

  • Tell your customer who you are going to give it to;

  • State clearly how long you are going to keep it and

  • Indicate the rights available to individuals in respect of the processing.


Security of Data


Security of data is essential, and you need to consider every element of where you store the personal data you have collected: -


  1. Offices

  2. IT systems and computers in the office

  3. Memory sticks

  4. Home working

  5. Policies about clear desks etc.

  6. Training of staff

  7. Disclosures


Make sure that it is secure, and you can prove it.



A fee may be necessary


Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt.


By going through a questionnaire on the ICO website you will be able to decide if you – as an individual or on behalf of your business – need to pay a fee to the ICO.


If your business is not exempt, but you choose not to register, you are committing an offence.

The fee varies according to the size of your business and must be paid annually.



Don’t run for the back of the sofa again!


The ICO (Information Commissioner’s Office) is an independent body set up in the UK to uphold information rights. They are not to be feared though, so I have been told.


They are here to support businesses to ensure that they are complying with GDPR. They are not there to beat you with a stick but to see that you are rectifying any breach of GDPR and dealing with complaints and addressing any non-compliance issues.



Smoke and mirrors and we were all under the illusionist’s spell: GDPR drove many of us into panic stations!


If you sent emails to your database pre 25th May it was a good thing! If you had not been in the habit of communicating with your data subjects you may have reawoken their interest; if you didn’t, when will you? The cleansing was good.


I DO think it gave a perfect platform to engage with clients so see that as a positive thing and put the right foot forward from now on and stay in touch! 



How long should you keep data?


I would recommend that you refresh every 5 – 10 years. This seems reasonable to ensure that you continue to engage with consumers who are genuinely interested in your business and therefore likely to respond to marketing communication. Obviously, data subjects may ask to be removed at any time.


People not responding to your communication i.e. not re-booking/buying your goods/services – what’s the point?  You are paying for email marketing. So, work out a system and stick to it.



Direct Marketing done right…


Collecting the data that you need is all you need. There’s no point gathering data about customers that you will not find a use for so keep systems simple. Gathering onerous information will just put off your customer anyway.


Plan who you are targeting and what your message is. Keep email communication consistent and reasonably constant – out of sight; out of mind. Know the purpose of your communication, make it engaging and don't forget the call to action.



Let’s sum it up…


Here are some rules to follow and you won’t go wrong: -


Data should be: 


  1. processed lawfully, fairly and in a transparent manner in relation to individuals;

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  4. accurate and, where necessary, kept up to date;

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed and

  6. processed in a manner that ensures appropriate security of the personal data.


Marketing – the balancing test: -


  1. whether people would expect you to use their details in this way;

  2. the potential nuisance factor of unwanted marketing messages and

  3. the effect your chosen method and frequency of communication might have on more vulnerable individuals.



Your Check list: -


Have a…


  1. Spreadsheet record of data collection purpose.

  2. Privacy Statement on website, including how you use the data.

  3. Unsubscribe option on ALL emails.


Email marketing, postal communication (the old-fashioned way) and text communication are valuable elements of your marketing mix, and doing them in a meaningful way, bearing in mind commercial intent that engages with your customers, will deliver results.


Plan your messages and the audience they apply to carefully. I can help with strategic planning and creative narrative: just get in touch...


Catherine can help you make sure your business follows the GDPR rules. Only 2% of businesses were ready for GDPR, since many of us focused on the wrong thing.


As small to medium size businesses, we have time to set in place our processes, but this time will run out. Don’t panic though; see it as a further opportunity to look at this valuable part of your marketing activity and get ready to go for it!




Catherine can be reached by email: gdprcharitysolutions@gmail.com or phone: 07846 782420




Tell Tale Marketing

Riverside Cottage, Newpark

Brydekirk, Dumfries and Galloway

DG12 5LP Scotland

E: lyndamcd2017@gmail.com   

T: 07948 201635