One year on from GDPR and how it has affected businesses

It feels like only yesterday that the GDPR apocalypse hit and businesses were running around like headless chickens, scared that if they sent an email or SMS message they would be hit with a 20 million pound fine. We now know that isn’t the case: even just a few months after GDPR, it was clear that businesses needn’t have worried so much and just needed to “keep calm and carry on sending”.

In fact, now the fallout from GDPR has settled down, consumers actually think it is a good thing.

GDPR stats

So, with all this fuss around GDPR, what has the actual impact been? Well, in a nutshell, more pop-ups on websites asking you if they can store your data to improve the service they offer you.

Of course, that wasn’t the only thing, but it did feel like the stress was all for nothing. Businesses that were keeping customer data safe and were not sending unsolicited messages seemed to need only a few minor tweaks to their current processes to be in line with the new rules.

We have, however, identified 2 key areas that we believe have had the biggest impact on businesses, in terms of both GDPR as a whole and, more specifically, SMS marketing. Please note that the information below is not legal advice; if you require more information on GDPR, please visit the ICO website, where you can read more about it.

Opted in data and legitimate interest

Being able to send customers marketing messages, promoting your products or services, and informing them of sales is pivotal for businesses to be able to sell. With GDPR this became an issue, both because businesses didn’t have opted in data and because the legitimate interest area was a bit confusing.

Opted in data
This was the area that affected businesses the most. They did not have proof that their customers had opted in and were happy to receive messages from them, which caused panic and a flurry of emails and text messages asking consumers to opt in. Because many consumers decided not to opt in after these messages were sent out, businesses would have lost a large chunk of their data, which seemed bad but was actually good for them.

All this meant was that when a customer replied and opted in, they were truly engaged with that business and were very receptive to the messages they were receiving. For all those who didn’t opt in, they were probably never engaged with your brand in the first place and were ignoring your messages anyway.

Remember, quality is better than quantity. Sending fewer messages to a smaller, more engaged group will save you time and money in the long run, whilst giving you the same outcome.

Legitimate interest
A lot of businesses thought the opt-in rule was a bit harsh. Many had long-standing customers for whom they had no proof of an opt-in, yet they still needed to be able to sell their products and services, so it seemed very strict that they could no longer send these customers messages.

This is why GDPR had a ‘legitimate interest’ section. This allowed businesses to communicate with consumers who had not opted in, where the business believed it had a genuine reason to connect with them.

This is still a grey area, and it is purely down to the business to decide if the consumer fits into its legitimate interests assessment (LIA). There are 3 areas to consider when working out if a consumer fits into your legitimate interests assessment.

Identify the legitimate interest and keep a record – You must first identify where the legitimate interest comes from and then keep a record of this. A good example of legitimate interest would be a new customer who has purchased from you: the interest is that they may want to know about more of your products or services.

Show that the processing is necessary – By this we mean, is sending them an email or SMS message the only way of communicating with them, or is there another way to achieve the same result in a less intrusive way?

Balance it against the individual’s interests – You must balance your interests against the individual’s, and you should not send them a message that they would not reasonably expect to receive from you. Therefore, if someone hasn’t purchased or heard from you in 5 years, then they would probably not expect to receive a message from you.

We strongly suggest that you include an opt-out on every marketing message you send, so that if the recipient doesn’t want to hear from you, they can easily opt out. This will also help if you ever receive a complaint, because you included a free opt-out every time you sent them a marketing message. If they really were annoyed and wanted you to stop sending them messages, why didn’t they opt out?

For more information on this, have a read of the legitimate interests section on the ICO website.

Processing personal data

The second area, which is where all those cookie pop-ups on websites have come from, was that businesses were now required to tell consumers what information they were storing on them and ask if they were happy for them to do so.

For your business to keep information on an individual, you need to:

Ask for approval – You need to tell the consumer what information you are keeping on them and ask them if it is ok for you to keep that information.
Keep safe – Store the data in a secure place and do not share it with anyone.
Correct data – Ensure that personal information is kept up to date.
Provide information – If the individual asks for the information you have on them, you must be able to provide them with it.
Don’t keep information – Don’t keep information on consumers for longer than required.

Think about it this way: would you like a business to keep information on you that you never gave them permission for, in an insecure location, 10 years after you bought from them? Probably not.

You need to remember that individuals have the right to be informed, the right of access, the rights to rectification, to erasure, to restrict processing, to data portability and to object, and rights in relation to automated decision making and profiling.

For more information on this, have a read of the individual rights section on the ICO website.

What can your business take from this?

To summarise, you should not worry about GDPR and just make sure you:
– Can prove an opt-in or have legitimate interest
– Inform and ask for data to be kept
– Keep that data safe
– Provide the information when asked

Then there is nothing to worry about.

If you are still unsure about GDPR, we would advise reading the Guide to the General Data Protection Regulation on the ICO website.