Five GDPR mistakes that businesses are already making

Our Technical Director, Dave Boddington, recently wrote this piece in Real Business looking at the mistakes that businesses are already making when it comes to GDPR. Here’s the article in full.

We’re only weeks into the GDPR, and already companies all over the country have misinterpreted and misunderstood the legislation, or simply buried their heads in the sand when it comes to getting compliant. Unfortunately, it’s not going away – but it’s also not too late to fix any issues. Here are five common mistakes that businesses are making, and what they should be doing to resolve them.

Missing the basics

GDPR is basically an extension of the pre-existing requirements set down under the previous Data Protection Act. However, there are some key differences, particularly in obtaining consent and assessing what data is considered ‘personal’. Default opt-ins are no longer allowed (such as ‘tick to NOT receive communications’); consumers now need to make an explicit action, such as ticking a box. What is considered personal data, or ‘personally identifiable information’ (i.e. data that is able to identify an individual), now includes IP addresses of digital devices, social media usernames and images of consumers’ faces. So, if you’re storing photos that include individuals’ faces or in some way processing social usernames, you need to obtain explicit consent first.

Over-complication

One of the core principles of the GDPR is to give individuals control over their data and to enable them to make clear and informed decisions about companies’ use of it. But in an effort to ensure compliance, many companies are actually giving people too much information, written in the very best of legalese. Instead, businesses need to be clear, open and concise about what data they are using, what they are doing with it, and why.

Offline to online

It’s still common practice in some industries to collect data by asking consumers to write their name and address on the back of coupons or vouchers. If this information is subsequently captured as data, businesses need to clearly state that this will be the case, and how this data will be used once ‘digitised’. The scope of this is broad – consider where companies or clubs may take your name and address details, or even your photo – the information you provide and the consent you request don’t have to be onerous, but GDPR is relevant here.

Third party data

Many businesses assume that the buck stops with them, but if personal data is being shared with another company, this will also need the agreement of the individuals involved. Who will be using the data, and for what purpose, will need to be clearly explained. And vice versa if you are using data obtained by one of your partners – has their consumers’ consent been provided for you to do this?

Beyond marketing

A common mistake is to assume that if you’re not using data to distribute marketing collateral, it doesn’t need to be compliant. Anything that includes personal data that you are analysing – for example to review content, products or assess drop-off on the path to purchase – will need explicit and informed consent.

What should businesses be doing?

Preparation is key. Businesses need to think ahead to ensure that they identify the purposes for which they will collect and use data, who else will be involved and that they are clear with the consents that are requested.

They also need to make sure they establish the right level of communication. Informed consent is unlikely to be established by presenting a paragraph of legalese. Humanise copy to make sure that people understand what is being asked of them.

If we think businesses are not up to speed with the GDPR, just consider how consumers must be feeling. They have already been inundated with messaging and requests from the companies that they deal with, and are more than likely frustrated with the whole process. Consider what you say, and how you say it, in this context.

Finally, think long-term. Being GDPR compliant isn’t a one-off project; it’s about fundamentally changing the way you think about data collection and its use. It’s not enough just to update your website’s consent statement; it’s about an appreciation of how and why you use a customer’s information, in all aspects of your business.