Over the past year, many businesses have added another four-letter word to their vocabulary - GDPR. This stands for the General Data Protection Regulation and it will replace the Data Protection Act (DPA) in May 2018. The aim is to give all of us control over the personal data we share as part of our online and offline lives. If you are like me, you want to know that your name, email address etc. given when buying something or at a networking meeting is going to be protected and not, for example, used to generate spam emails.
For a business, it presents opportunities to cut down on the personal data being held, to make sure that it is used correctly and to tell everyone what is done with it. The result is more trust and transparency. But if you don't follow the rules, fines can be much larger than they are at the moment.
So where does decluttering come in? One of the principles of the GDPR is 'storage limitation'; if you no longer have a lawful use for personal data you need to get rid of it. Keeping it in the hope that someone will want to buy from you, attend an event you are organising, (re)join a membership organisation etc. isn't allowed. The tricky part of this is that a) there isn't any existing case law to say exactly how long you can keep personal data and b) there are no 'GDPR experts' as the GDPR is new. The best thing to do is read up on the subject or talk to someone who has spent time looking at different aspects of GDPR, possibly having sat some GDPR-related exams, and determine what is lawful for your business model.
A GDPR change** that may have an impact on many startups and SMEs concerns sending marketing messages, including emails and SMS messages. You will need 'unambiguous' consent to make contact, and if someone challenges you, you need to have the proof that they gave it. That should cut down the number of spam emails we all receive. The use of pre-ticked boxes and opt-out options will not be allowed. If you are someone who sends follow-up emails after meeting people at networking events using MailChimp or E-goi, or adds their details to the list of people to receive your marketing blasts every week, you need to take another approach. Send a personal follow-up email and ask if they would like to receive further emails about your product or services. When they reply that they would, you have their consent.
And finally, there was talk of directors being held liable for fines arising from data breaches. In December 2016 the Government said this would not be followed up.
Look on the GDPR as an opportunity to improve trust and transparency with your clients and business contacts.
**This is actually related to the proposed ePrivacy Regulation, which will define marketing in line with the GDPR.