The advent of GDPR has swept through the consciousness of nearly every business to a far greater degree than most legislative changes. Could this in part be down to the prominent message ‘substantial fines’ should organisations fall short in their implementation? It has certainly focussed the minds. We assume that you will have explored GDPR and assessed the implications for your own organisation. Some elements of the GDPR guidelines are clear and unambiguous, such as the right to be forgotten. Other aspects surrounding Consent and Legitimate Interest invoke a degree more subjective interpretation. Some customers err on the side of possibly over-zealous policies, maybe even forsaking future contact with hard-earned customers. Others are taking a more pragmatic path, still in the spirit of the law but possibly retaining more of their contacts for future marketing. Whilst happy to advise, every customer needs to make their own policies based on their own circumstances and interpretation of the legislation.

Orphans, GDPR & ... Postal Mailings

We do a lot of mailings. And GDPR is making us change the way we do things, and very much for the better. Mailings tend to start with a customer supplied mailing list, most often e-mailed, sometimes but not always password protected. Broadly, our new policy is as follows;

  • use of private Google Drive folder, specific to customers and only accessible by customer contact and Orphans. The list is supplied to this folder by the customer.
  • list retained only for the purpose of processing into Royal Mail sortation order and the generation of mailing carrier sheets or addresses
  • proofs supplied via the Google Drive folder, not email
  • staff involved in mailings aware of company policy regarding GDPR and privacy
  • mailing list retained for a minimal period post the mailing. Then the original file and all subsequent files using this data are deleted

In summary, access to a mailing’s records is restricted to those who need it and we do not retain personal information for any longer than we need to.

Orphans, GDPR & ... Your Website

Websites are in all shapes and sizes so the implications of GDPR vary. Broadly, we want to liaise with every website owner to consider pockets of their website which may require adjusting to ensure compliance. The following is by no means exhaustive but here are some areas which we recommend considering;

  • subscribe – very common feature. Need to make sure it expressly requires a click to ‘opt in’ rather than assumed and, where possible, employ double opt-in
  • contact forms – if you have an enquiry forms which adds enquirers to your email software or CRM for marketing purposes you may need to add explicit new ‘opt in’ fields
  • CMS – enquiries may well be stored in your CMS, sometimes going back years. Is this information stored elsewhere on your emails or internal systems? If it is, we don’t need to keep it in the CMS – so perhaps consider automated deletion after an agreed period (i.e. 1 month)
  • e-commerce orders – likewise with order details from online shops. It is legitimate to keep data in the CMS but only if it isn’t stored elsewhere.

We are helping many customers with GDPR related modifications. Please let us know if you have similar thoughts.

Orphans, GDPR & ... Email Software (i.e. MailChimp)

Pre May 25th is the time to consider whether the email addresses you hold in your marketing system (MailChimp and similar) are GDPR compliant. This isn’t (in our judgement) black and white so we recommend this is carefully reviewed. It is not uncommon for lists to be a mix of customers, previous enquirers or subscribers, and others where no-one knows the origins. It may be tempting to put them into one pot and mail them to say (as many are doing) ‘we need you to affirm your subscription’.  If you need help constructing a similar approach please get in touch.

From our own marketing perspective Orphans will  will be emailing all customers and past enquirers to invite them to ‘subscribe’ to receive future news from us. Ongoing there will also be a very visible means to un-subscribe.

Orphans, GDPR & ... Website Hosting

We run our own website hosting services on  private servers. We treat security and confidentiality extremely seriously in both the building of websites and their storage on our servers. You are welcome to discuss any aspect of our server support in more detail but with specific regard to GDPR these are main points;

All customers have (or can request) a contract outlining our services, adherence to GDPR and actions in the event of a data breach.

Orphans, GDPR & ... Privacy Statements

Privacy statements need to be updated to include your approach to GDPR. If this seems a little daunting please let us know - we can point you to off the shelf statements which provide a good starting point you can adapt (and we can help with pre-populating your company details to save time).

Orphans, GDPR & ... Housekeeping

GDPR has focussed our minds on other matters relating to file storage and sharing. We have always treated personal data securely and responsibly but nevertheless we are streamlining and strengthening security in various areas. We are also documenting policies in this regard and these will be included in our Staff Handbooks so every member of the team are aware of their responsibilities.