Does your inbox look a little like this?
As an individual, you are probably thinking, "Another one? Seriously?"
As a business owner, you may be thinking, "ummmm, wait do I need to do something like this too?"
The answer is, most likely, yes.
CLARIFICATION: We are NOT lawyers offering legal advice. We ARE social media consultants who have done some research into this beast and are prepared to share what we know. Because we care.
Okay, now that is taken care of. Here is what we know:
1. What is the GDPR?
General Data Protection Rules. In short: new international rules that are protecting people's private information and data. Including yours. Which is good for the people aaaannnnd a little extra work for organisations to hold us accountable.
2. What do I need to do first?
It's time to take some time and do a quick audit. If you answer "Yes" to any of the following questions, you should take action:
- Are you located in the EU?
- Are any of your customers located in the EU?
- Are you considering growing into the EU?
- Do you have IT, admin services, or cloud storage services based in EU?
- Finally, the question to rule them all, "Are you collecting personal data*?"
Even if you answered "no" to every question except the last -- it is just good trade practice (it's the polite thing to do!) and NZ may be soon to follow suit. So be aware.
*Personal Date: any information relating to a person who can be identified either directly or indirectly. See NZ Law Society for a comprehensive list.3. Okay, what do I need to do to comply?
You must receive "freely given, specific, informed and unambiguous" consent to continue using personal data from your clients, email lists, and leads.
4. What do I do to earn their consent?
It's up to you. This is an opportunity to creatively communicate onbrand and let your customers know that you are respecting their privacy. However, everything we read suggests the following tasks. Note: This is not a comprehensive list but some high level suggestions to get you started:
- If you use any forms on your website, be sure they are compliant with checked consent boxes.
- Send out an email much like the ones you have been receiving to your entire email list. In this email: A. explain - in clear language - every way that their data may be used. B. ask for consent.
- Use the information you have to thoroughly clean out your database.
Important: silence, pre-ticked boxes, or inactivity is not technically considered 'consent', anymore.
In fact, it is considered a "no" and those people should be swiped from your contact list.
If you collect information through your website or social media via cookies, pixels or magic - it would be good to include a website popup or easy to find note that states what you are doing and request consent.
5. What if I do have a data breach?
Don't run and hide, now is the time to put on your brave face. You legally have 72-hours to inform your people.
Go forth and get it done!
6. What if I don't do any of the above?
The powers that be are cracking down on this privacy stuff. If you are caught, even if you are small beans, you could be fined a significant amount of money.
Still clear as mud, or so fascinating you want to know more? Here are some links we found helpful:
- WTF GDPR American media company, The Skimm share their take through a short clip with a touch of snark. We like short. We like snark. We appreciate this clip.
- What NZ Marketers Need to Know About GDPR
- GDPR compliance in four steps NZ Law Society
- GDPR: 15 (good & bad) examples of repermissioning emails & campaigns