ISSUE 3 - GRC'S GDPR GUIDE


SME NEW WINNER 2022 GRC INFORMATION MANAGEMENT SERVICES


Hello, it’s lovely to have you on board. I want to say thank you for your interest in GDPR and data protection. I know your time is extremely valuable, so it’s great that you’re taking time out to plan for GDPR and your business. In this edition, I’ll be covering three things:

1. Privacy Respectful Marketing – Is This Achievable?
2. Will You Be Fined Under GDPR?
3. Thriving in Your Business


Privacy Respectful Marketing – Is This Achievable?

In 2022 so far, up to two-thirds of GRC’s clients are copywriters, graphic designers, social media managers or website designers. Marketing professionals enable business growth and without them, many businesses simply would not survive. Some marketing experts say they are often asked by their clients to stretch the GDPR and data protection rules to boost brand awareness, brand visibility and sales. It’s a delicate balancing act between ethics, keeping the client happy and respecting individuals’ privacy.


Rising awareness of GDPR and data protection legislation has encouraged a number of marketing professionals to routinely “think privacy” when designing large-scale digital marketing campaigns, when implementing affiliate marketing strategies and when pushed to take ad tech solutions to the next level.

Business owners’ high demand for sales, growth, marketing and remaining competitive is likely to raise questions about data protection and privacy. Do you know the GDPR rules that allow you to avoid the pitfalls and do direct marketing in a compliant way?

There is a lot of hostility towards the way the Big Tech firms – Facebook, Apple, Amazon, Netflix and Google – dominate the technology and social networking markets, and towards their use of troves of personal data to maintain their dominant position. It’s probably too early to say whether finding alternative digital solutions to Google and Facebook is the better way to address the privacy dilemma. The Big Tech alternatives offer us food for thought, but we can’t conclude that it would be better to use such tools when there may be limited knowledge or visibility of the technology that underpins them. More transparency, clarity and accountability may come in the near future.

In the meantime, GDPR and related data protection legislation provide you with useful and important rules that allow you to do marketing in a way that respects individuals’ privacy. Some of these rules are as follows:


Justify Why You Are Collecting And Processing People’s Data For Marketing

Under GDPR, as a business owner, you must have a valid reason or justification when you use personal data for marketing or for other business reasons. For example, where you rely on consent for marketing, you must obtain it using an opt-in box and keep a record of the consent you have obtained.


If you buy marketing lists, there are additional rules that you must follow.

Consent Must be Granular and Specific

There must be clear transparency about the commitment that individuals are consenting to. For example: consent to receive daily text message notifications about offers from third-party organisations, consent to receive a daily newsletter via email, consent to receive a monthly newsletter via LinkedIn, or consent to receive telephone marketing calls.

The Personal Data Must Be Obtained Lawfully and Fairly

The individual must be told that you have their data and must be informed that you intend to use it for marketing and/or for other business reasons. For example, it would be unlawful or unfair to retain customer data indefinitely in order to keep sending them direct marketing indefinitely!

Make It Easy For People To Opt-Out

Doing the right thing under GDPR and related legislation requires you to make it super easy for people to opt out whenever they wish to do so. Individuals have the right to withdraw their consent at any time.

Individual Consumers (including sole traders and partnerships) and Business-to-Business (companies and corporate bodies)

The data protection rules differ depending on whether you are doing direct marketing to individual consumers or to business-to-business customers, and each has its own specific rules that must be followed.


The Short Answer!

Therefore, the short answer is “It is possible to do privacy respectful marketing”: you do not always need to rely on digital alternatives to Google, Facebook or Mailchimp.

There are a number of GDPR rules and data protection principles that you must follow when carrying out direct marketing.




Will You Be Fined Under GDPR?

As a business owner, you are responsible for the personal data that you hold and it will always be your responsibility to demonstrate your commitment to GDPR and data protection requirements. Equally, it will be your responsibility to pay the significant regulatory fine if your business experiences a data breach or a security incident and the personal data that you hold is compromised in some way.


If your default position so far has been non-compliance with GDPR because you’ve buried your head in the sand and have escaped a fine, ongoing non-compliance must not remain your indefinite default position.


The UK data protection regulator – the Information Commissioner’s Office (the ICO) – is taking affirmative enforcement action against individuals (yes, actual individuals!) and organisations of all shapes and sizes across different industry sectors. So ignoring this is not a wise long-term strategy.

At GRC, a few of our clients are start-ups, freelancers or sole traders and they are investing in GDPR and data protection compliance. If cash-strapped start-ups can invest in data protection compliance, anyone can – and what would you say to your customers or the ICO if they asked why basic things are not in place?

The buzz of the “May 2018 GDPR deadline” may have declined, but legal requirements around data protection compliance have been in force in the UK since 1998, and the more stringent GDPR expectations still remain.


It’s never too late to start, and you do need to get started, perhaps by taking one step at a time.


As a business owner, your customers will not forgive you if their data is compromised in some way, so the following “Take Three Takeaways” should help you:


a) Know What To Do If A Disaster Strikes, e.g. if the data that you hold is lost, stolen, hacked or compromised in some other way, make sure you have a policy document that tells you what you should do.


b) Prevention Is Better Than Cure, e.g. take preventive measures by ensuring that you have the right policies in place, that your data and systems are adequately protected, and that you have internet security and/or website security controls in place.


c) Talk to three people within your business network to hear what they say about the risk of being fined under GDPR and what they have done to reduce that risk, and consider whether you could pair up with someone to keep each other accountable.


I would encourage you to think about risks and consequences while you take the little steps towards achieving GDPR compliance, and I would like to congratulate you on what you have achieved so far. So keep going.


Thriving in Your Business

I love helping passionate, creative business owners to take charge of their GDPR and data protection obligations. You work hard to develop and grow your business and I would like to see more business owners like you who are using GDPR compliance as a tool that genuinely protects their business, enabling them to do business safely and securely online.

I do this work so that I can help you create a mature, stable and resilient business that attracts customers who admire your professionalism and your commitment to privacy. Why? Because you are providing valuable services to communities that matter, and I want to help you achieve your vision by making things easier for you when it comes to GDPR and data protection compliance.


I see this newsletter as a platform for us to get to know each other as you share the GDPR questions and business requirements that I can solve for you.

I hope you enjoyed reading my newsletter – if so, please consider replying to me:

christina@grcinfomanagement.com or Christina Tueje CIPP/E | LinkedIn