In our regular series, Andy Yates, successful serial entrepreneur and angel investor, gives start-ups and growth companies tips and advice on how to overcome challenges and achieve their goals.
One of the most common questions I get from businesses at the moment is how to cope with the consequences of GDPR – and a lot of businesses are getting more and more worried.
If you didn’t know what GDPR is – you probably do by now.
Don’t miss the deadline: all businesses are required to be GDPR compliant by 25 May 2017
If nothing else, if you are anything like me, you have been bombarded with emails and communications from companies trying to get you to re-sign up to their services.
This is because from 25 May 2018 GDPR is here – and here to stay. And it has important consequences for all businesses – both large and small.
So first a very quick introduction to GDPR. To summarise, the European General Data Protection Regulation (GDPR) means that businesses need to get consent from their clients to use and store the personal data they have now, and any they collect in the future.
There are a number of strict rules and very material fines for offenders who fail to adhere to them.
The new regulations are generally good for consumers. Many businesses, however, face the very real prospect of their customer databases being decimated and having to implement costly changes to their processes, privacy procedures and record keeping to avoid large fines.
But it is not all doom and gloom for businesses. Indeed for many firms GDPR represents an opportunity rather than a curse.
Here are some of the top GDPR tips I give to the businesses I help.
Don’t bury your head in the sand
How to make your firm GDPR compliant
Review the situation as it is at present
What personal data do you currently hold or process? How was it gathered? Where is it stored? What do you do with it?
Check the data consents that you have in place
You may have given ‘opt out’ options when you collected specific data (for example from customers), but these are invalidated by GDPR, so using this data for any purpose where consent is required could lead to prosecution. You may have to re-obtain consent from individuals where you are unable to demonstrate that they have given affirmative consent.
Businesses will have an obligation to make individuals aware of their rights
As part of the data collection process, consider whether you need to update your privacy policies or T&Cs. Review your supplier contracts, if you share data with them. GDPR has some specific provisions which have to be included.
Have a clear plan for what should happen in the event that you experience a data breach
Understand what data you hold counts as personal, where it’s kept, who has access to it, your mechanisms for spotting a breach and who it should be reported to.
For more information, read our guide on how SMEs can prepare for the new data protection rules.
It is tempting to think that new European rules don’t apply to your business – but they do – and are likely to even after Brexit.
The Information Commissioner’s Office site has a wealth of information to help – including a guide to preparing for GDPR.
Remember you need to understand that personal data is more than a name and email – it can include anything from an IP address to political leanings and ethnicity.
Personal data can also include data stored on anything from a spreadsheet to a mobile phone – not just a marketing database.
And although SMEs with fewer than 250 staff might have a bit more leeway, the reality is companies which regularly use personal data and contact customers will be subject to the key GDPR rules.
In practice it is better to be safe than very sorry.
Don’t panic – keep GDPR calm and carry on
Yes it’s a distraction. Yes reading and understanding the details of the rules can be turgid stuff but, yes it is very important.
Businesses need to undertake a solid review of the current personal data they hold on customers and contacts.
Understand what you hold and where you hold it.
Most importantly you need to understand how you got it. The broad rule of thumb is if you didn’t get explicit permission from somebody to hold and use particular personal data, you need to ask for it.
Make sure you update your ongoing privacy policies to be GDPR compliant – spelling out how you collect and store data, what data you will collect and how you will use it.
And you need to put new ongoing data procedures in place. Make sure that you renew permissions from ‘inactive’ customers every year.
You need to make sure you can easily access all the personal data you have on any particular customer if they want to exercise their rights to be ‘forgotten’ and be deleted from your database.
Make it easy for customers to give permission
It is good practice to make it easy for customers to update and change their data and communication preferences.
Staff training on what constitutes personal data and what you can and can’t do with personal data is also important.
The GDPR legislation is quite complicated but, put simply, it will introduce stricter rules on how companies and organisations handle our personal data
And remember if you either bring in personal data from suppliers or they use your customers’ personal data to provide services, you should review the contractual commitments of all the parties involved, and any practices and policies a supplier may have which could impact your own GDPR compliance and wider reputation.
GDPR is not just a one-off date. Businesses need to stay compliant from now on.
Make GDPR work for you – not against you
Once you have sorted out your historical data and found the right and compliant way to process new data, then you need to see if you can use GDPR to your advantage.
Take away the GDPR fuss and fear factor and what have you got left? Good common sense practice for any business that arguably should help rather than hinder your long-term growth.
In the short-term the likelihood is the size of the database you can legitimately contact will shrink significantly – which is why a lot of companies are desperately emailing you to get your consent to send further communications.
But a bigger database does not necessarily mean better.
Remember that after GDPR you will have a contact base of customers that really want to engage with you and hear from you.
If you target these customers in the right way they can be far more valuable to you than a huge database of people who can’t remember why or how they signed up to your services in the first place and continue to ignore (or get angry about) your communications.
Who benefits from GDPR?
Colin Breavington, co-founder of leading property data business Geopify, told me: ‘In a GDPR world you can actually get stronger results from marketing campaigns.
‘Your loyal customers can be crucial advocates and supporters for you if you treat them correctly.’
As an example of a business which seeks to help companies realise the benefits of GDPR, Geopify works with a growing number of large and small companies to help supplement their GDPR compliant personal data with home moving and other property data.
This allows companies to send the right message at the right time to the right customers rather than using indiscriminate mass marketing campaigns.
This approach provides useful communications to help improve customer satisfaction and results. Importantly this can also improve customer retention and reduce unsubscribes.
Another company standing to benefit from GDPR is Cogniclick.com – which has built a range of smart online product comparison tools to help businesses sell to their customers online.
Customers visiting a business website or social media channel can now quickly discover the right products for them in seconds and even understand if the product is suitable for them in the first place, rather than spend hours trawling through lots of irrelevant information or unwittingly signing up to unwanted communications.
SMEs are required to adopt GDPR compliant data processes in order to avoid large fines
The result – customers get the sort of targeted information they want with much less hassle – and are therefore more likely to engage and buy from a business.
Helen Kensett, founder of Cogniclick.com, said: ‘Businesses typically lose 98 out of every 100 potential customers that come to their website. We help companies engage better with these early stage customers and gain their permission for follow up, which is a much more effective and GDPR friendly way.
‘The way buyers want to engage with businesses online has been changing for a while, and GDPR has sped this up.’
Promoting the fact that you are a GDPR compliant business – and proud of it – to your current and future customers can be a great way to win you business instead of losing it.
If you can demonstrate you take personal data seriously and treat customers with respect – they will respect you more for it.
Start Up Doctor verdict
GDPR is not the end of the world – it is the beginning of a brave new world.
Smart companies can use GDPR to win business by cherishing, nurturing and engaging with their valued customers – which after all is what good business should be all about.