GDPR compliance tips for small businesses

If businesses want to make the most out of the most important retail event of the calendar year, it is imperative that they are aware of the legal restrictions around certain forms of marketing, and the legal implications of certain promotional activities that you may have planned. GDPR, and its implications for data protection are proving to have majorly altered the ways in which brands manage their clients’ and customers’ information.

The risks of getting it wrong

We have already seen some very high profile cases this year involving data breaches which will likely attract substantial fines form the ICO. But there’s no need to look at this new trading landscape as an overall negative for your business.

Online trading compliance – key areas

GDPR came into force in May 2018, which means there are now additional limitations on what you can do with customer personal data. Here are some examples:

You must make sure you have specific consent from customers to hold their personal data for any and all reasons you plan to use it

Online forms, whether for login details, for online competitions or subscription services, often include items such as “please tick here if you want to be added to our mailing list”. These can no longer be pre-ticked – the customer has to physically tick the box to be contacted by you again

This extends to signing up for prize draws. You cannot and must not automatically add customers to your mailing list if they sign up to a prize draw, or make it a condition of being entered into the prize draw that you can contact them at a later date

Please remember that all online terms and conditions, customer contracts etc. must be GDPR compliant. There must also be privacy notices available for your customers to view (make sure the notice is on your website). This means that you must state whether you are acting as data processor and/or data controller, what processes and procedures you have in place to keep personal data secure, and the procedures for customers to access the personal data you hold on them (subject access requests).

ICO fines are already in play

In addition, the Information Commissioner’s Office (ICO) has been given new powers to fine companies up to £500,000 for nuisance calls. It is now a legal requirement for individuals to specifically ‘opt in’ to receive these calls, rather than opt out. This should be borne in mind when considering launching any telephone marketing campaign in the lead up to Cyber Week.

Finally, if you needed a reminder as to the importance of complying with GDPR, consider the recent enforcement action brought by the ICO against Everything DM Ltd. This marketing agency was fined £60,000 on 5 September 2018 for sending out 1.42 million emails to prospective customers. Everything DM Ltd could not prove that the recipients had consented to receive these emails.

How to get prepared and compliant

If you are not sure that you are fully GDPR compliant, LawBite is here to help. There are a number of off the shelf and bespoke legal product packages to suit businesses of all size and every industry.