And now for some Straightforward Step-by-Step GDPR – Marketing and Social Media…
I’ve covered both of these subjects in previous blog posts: Marketing – 10 essential GDPR tips and GDPR and Social Media for Small UK Businesses. This article covers the two subjects plus some others, including those that relate to you as a VA based in the UK or where you have clients based there.
The subjects I’ve included all carry an element of risk, not only to data protection but also to your brand image, effectiveness, and communication.
To kick off –
Straightforward Step-by-Step GDPR – Marketing and Social Media and the legislation you must comply with:
- Data Protection Act 2018
- UK GDPR
- Privacy and Electronic Communications Regulation (PECR)
- EU GDPR – if you have clients in the EU
- Other local legislation in other countries in which you have clients. Take care with the USA, as legislation differs by state, e.g., the California Consumer Privacy Act (CCPA)
The legislation that most affects your marketing efforts in the UK is the Privacy and Electronic Communications Regulation (PECR) BUT the mechanisms for marketing that involve personal data e.g., email marketing are ALSO covered by the Data Protection Act 2018, and the UK GDPR. The UK GDPR is the overriding authority if there is any conflict, and it covers any non-electronic methods such as snail-mail.
The basics that always apply:
- Personal data is what the Regulations cover. That means a piece or pieces of information or a context that positively identifies a living individual. That includes digital and biometric data.
- Direct marketing covers any method of communication directed to individuals for the purposes of promoting aims and ideals as well as goods or services.
- Marketing material covers pretty much any form of communication material such as email, text, voicemail, image, video, etc.
- You must have a lawful basis before you collect any personal data for marketing activities; the 2 that apply are consent (the data subject’s) and legitimate interests (your business’s)
- You must inform people what you do with their data
- Only collect what is necessary and keep it for as short a time as possible
- You are required to keep the data secure from collection to destruction
The 2 lawful bases – more details:
- Informed consent is usually (but not always) the better choice from a customer service point of view.
- The lawful basis for using the soft opt-in for existing business contacts is Legitimate Interests (your business’s). If you are collecting any special category data, such as ethnicity or health data, you must have explicit consent, i.e., all the details of what you collect and why (the purpose) must be clearly set out.
- You can rely on Legitimate Interests for marketing activities if you can show the way in which you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing. You may need to carry out a Legitimate Interest Assessment (LIA) to check the balance between your business’s interests and those of the data subjects.
The rights of the individual
- The rights concerning direct marketing are absolute – if an individual objects you must cease sending marketing messages immediately. You must keep a “do not send” list to prevent anything from going out to someone who has objected. Your email marketing platform will have this facility built in, most likely called a suppression list (do check though!).
- The right to be informed is best handled by your Privacy Notice. Be completely open and clear on what you do with personal data. For example, include a link to your Privacy Notice if you ask for email addresses to add members to your email list when people join your Facebook group.
- All consent requests must be clear and accurate and link to your Privacy Notice.
- If you have cookies or icons on your website to take people to your social media accounts, you need to get consent via a cookie consent banner (that includes a link to your Privacy Notice) and have a record of it.
Social media basics
- Most important – you must have consent to send any marketing information to people you haven’t already served as a customer or client. That includes contacting them by a messenger app, by voice, image, video or text to offer them a service or product. You can contact them to say hello, such as on LinkedIn!
- If you have recently done business with an individual, you can contact them with relevant messages/material but don’t forget the unsubscribe option in each one! TIP: When they sign up/buy from you it’s OK to have an opt-out option such as a box that they can tick if they DON’T want to hear from you.
- I’ve already mentioned gathering email addresses when people sign up for your Facebook group (link to your Privacy Notice). Remember, you can’t make it a requirement of joining your group; however, if you word it well, people will want to hear from you.
Email marketing basics
- When someone signs up, you must give them the details of what they should expect – a rough outline and frequency of the emails should be sufficient.
- Link to your Privacy Notice.
- You need a record of their consent and what they agreed to (the wording).
- Use the double opt-in settings on your email marketing platform – this is good customer service and a legal requirement in some countries, although not the UK.
- Include the unsubscribe option on all the marketing emails you send out – this is a practical step to ensure you don’t miss it off when it’s needed.
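The email-marketing controls listed above (a consent record that keeps the agreed wording and the Privacy Notice link, double opt-in before anyone is treated as subscribed, an absolute objection that goes straight onto a suppression list, and a check that every send carries an unsubscribe link) can be modelled in a few lines. This is an added example written for this page, not code from the post or from any email marketing platform; the class, method and placeholder names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import secrets

UNSUBSCRIBE_MARKER = "{unsubscribe_link}"  # assumed template placeholder for the unsubscribe link

@dataclass
class ConsentRecord:
    email: str
    wording: str             # the exact text the person agreed to
    privacy_notice_url: str  # the Privacy Notice linked at sign-up
    requested_at: datetime
    confirm_token: str       # sent in the double opt-in email
    confirmed_at: Optional[datetime] = None

class MarketingList:
    """Constructed model of a consent list with a 'do not send' suppression list."""
    def __init__(self, privacy_notice_url: str):
        self.privacy_notice_url = privacy_notice_url
        self.consents: dict[str, ConsentRecord] = {}
        self.suppressed: set[str] = set()  # objections are kept permanently

    def signup(self, email: str, wording: str) -> str:
        """Double opt-in step 1: record the request; return the token to email out."""
        email = email.strip().lower()
        token = secrets.token_urlsafe(16)
        self.consents[email] = ConsentRecord(email, wording, self.privacy_notice_url,
                                             datetime.now(timezone.utc), token)
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Double opt-in step 2: only a matching token turns the request into consent."""
        rec = self.consents.get(email.strip().lower())
        if rec is None or not secrets.compare_digest(rec.confirm_token, token):
            return False
        rec.confirmed_at = datetime.now(timezone.utc)
        return True

    def object(self, email: str) -> None:
        """An objection is absolute: suppress immediately, whatever the consent state."""
        self.suppressed.add(email.strip().lower())

    def may_send(self, email: str) -> bool:
        email = email.strip().lower()
        rec = self.consents.get(email)
        return email not in self.suppressed and rec is not None and rec.confirmed_at is not None

    def recipients(self, body: str) -> list[str]:
        """Gate a campaign: refuse a body with no unsubscribe link, then filter the list."""
        if UNSUBSCRIBE_MARKER not in body:
            raise ValueError("marketing email must carry an unsubscribe link")
        return sorted(e for e in self.consents if self.may_send(e))
```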
Your website
Include the following:
- Your Privacy Notice – link to it wherever you are collecting personal data
- Your Cookies Policy
- Your T&Cs
- Straightforward cookie control
- Valid consent(s) for all uses, including subscriptions, online chat and so on
Other things to remember
- Have a written policy for your marketing, including social media – it will provide you with consistency for yourself and any employees or contractors, especially as your business grows. Make it simple – you’ll find a hybrid policy/procedure document will be sufficient. If you are handling marketing or social media tasks for a client, ask for a copy of their policy to ensure you are clear as to what they expect.
- Do your due diligence on the services and platforms you use – maintain your supply chain standards of data protection (and head off any problems before they occur).
What about if you’re a Virtual Assistant working with clients or you are a business that works with a VA?
As a VA:
If you work for coaches and consultants dealing with their admin and they want to add their GDPR-related work to that (if they haven’t already), you have an extra set of issues, because you aren’t the one who can make the decisions or who is legally responsible for getting things right for the individuals whose data you are processing on behalf of your client.
It’s often easier to deal with your own data-protection responsibilities – assessing the risk and creating your own systems to handle it – than to sort out someone else’s processes, because with your own you can decide whether something needs to be changed or improved. With a client’s, the delay and (often) the need to discuss and explain why a change is required can make this awkward and stressful.
As a VA’s Client:
You have the ultimate legal responsibility as the Data Controller. You also have decision-making authority. It’s essential to have honest communication with your VA to make sure they are acting correctly according to your requirements when they process the personal data on behalf of your business.
For both of you:
You should have a Data Processing Agreement in place between the two of you. It should come from the Data Controller, and it states in writing what the VA’s responsibilities are as a Data Processor.
It will include any specific instructions for the handling of personal data, for example whether the appointment of new sub-processors or changes in the suppliers used by the VA must be agreed in advance or simply notified to the coach or consultant (Data Controller).
Get help, if you need it
If you want to know more about this and other GDPR-related subjects join my Jargon-free GDPR Facebook community group or contact me directly to book a FREE no-pressure 20-minute Introductory Chat to answer questions, clarify problems, and look at what type of help might work best for you and your business.
WHAT ELSE IS AVAILABLE FOR VAs (and their clients)?
I have an online hybrid cohort programme for UK-based VAs who work with entrepreneurs and solo business owners. It includes GDPR-related templates and online resources to teach you and for you to refer to, plus live online group support sessions. It also covers practical help with finding and setting up incredibly useful digital tools for working online. That includes apps, software and platforms, both new and existing favourites. Your VA business will benefit from the added layer of safety and support. If you are offering GDPR-related admin services to your clients, it is essential you get it right, because the damage you could cause to their brand is immense and that will only bounce back on your own business.
If you aren’t already offering GDPR-related services to your clients, this is a highly valuable additional income source, which is greatly needed, especially at present! I know this because I regularly come into contact with and have worked with the type of clients you have. I know first-hand that coaches and consultants have their focus on their chosen field, rarely the essential nuts and bolts of day-to-day running and admin work. This is the forte of professional VAs.
I shall announce the release in my SBU (SMALL BUSINESS UPDATE) News & Tips emails first and there will be a special discount for subscribers. I will also mention(!) it on my various social media channels (but no discount there!).