Data:
Essentially, it’s about asking yourself why you have people’s data and making sure you only using it for that purpose i.e. if someone asks for a quote and supplies their email address, you can email them the quote – but you can’t take that carte blanche that you can now send them marketing emails or other correspondence unrelated to the quote.
- If someone enquires or makes a purchase, you’d need a separate check box so they can OPT IN to any marketing (our leave unticked to OPT OUT of any marketing)
- You can’t sign people up to your mailing list for marketing without their specific consent i.e. just because they’ve bought from you or sent an enquiry your way
- You can’t say ‘click here to confirm your purchase AND be signed up to our list’. They have to have a separate option to opt in or out
Equally, any email correspondence you keep on file etc., you need ask WHY you have those emails. If they’re done with, you need to delete them.
Passwords:
For passwords, it’s recommended that you have a secure password keeper tool, so that passwords aren’t just in an Excel file somewhere or on bits of paper etc. that could get stolen or hacked.
Mailing lists:
In terms of mailing lists. Anyone who is on your current mailing list, you need to send a mass email to all of them saying that you are complying with GDPR legislation (maybe a short paragraph on what it is) and that if they want to keep hearing from you, they need to opt in again.
Give a simple button for them to press to sign up to your mailing list again.
As we understand, (and as mentioned this doesn’t constitute legal / formal advice), you can send them the reminder email around three times. If they don’t click to consent again, you have to delete their email address from your mailing list.
Further reading:
Hopefully that gives you some quick pointers on what to look out for as you move towards being GDPR compliant. We’d recommend the first port of call for further reading on the subject, being the ICO (Information Commissioner’s Office), as this helped us greatly when putting together our own plan for GDPR. Check out the ICO guidance, here.