And now for some Straightforward Step-by-Step GDPR – Marketing and Social Media…
I’ve covered both of these subjects in previous blog posts: Marketing – 10 essential GDPR tips and GDPR and Social Media for Small UK Businesses. This article covers the two subjects plus some others, including those that relate to my audience of UK-based coaches and consultants. I’ve also added some information for VAs who work with UK-based coaches and consultants that works for both sides of that relationship.
The subjects I’ve included all carry an element of risk that covers not only data protection but also brand image, effectiveness, and communication.
To kick off –
Straightforward Step-by-Step GDPR – Marketing and Social Media and the legislation you must comply with:
- Data Protection Act 2018
- UK GDPR
- Privacy and Electronic Communications Regulation (PECR)
- EU GDPR – if you have clients in the EU
- Other local legislation in other countries in which you have clients. Take care with the USA, as legislation differs by state, e.g., the California Consumer Privacy Act (CCPA)
The legislation that most affects your marketing efforts in the UK is the Privacy and Electronic Communications Regulation (PECR) BUT the mechanisms for marketing that involve personal data e.g., email marketing are ALSO covered by the Data Protection Act 2018, and the UK GDPR. The UK GDPR is the overriding authority if there is any conflict, and it covers any non-electronic methods such as snail-mail.
The basics that always apply:
- Personal data is what the Regulations cover. That means a piece or pieces of information or a context that positively identifies a living individual. That includes digital and biometric data.
- Direct marketing covers any method of communication directed to individuals for the purposes of promoting aims and ideals as well as goods or services.
- Marketing material covers pretty much any form of communication material such as email, text, voicemail, image, video, etc.
- You must have a lawful basis before you collect any personal data for marketing activities; the 2 that apply are consent (the data subject’s) and legitimate interests (your business’s)
- You must inform people what you do with their data
- Only collect what is necessary and keep it for as short a time as possible
- You are required to keep the data secure from collection to destruction
The 2 lawful bases – more details:
- Informed consent is usually (but not always) the better choice from a customer service point of view.
- The lawful basis for using the soft opt-in for existing business contacts is Legitimate Interests (your business’s). If you are collecting any special category data such as ethnicity, health, etc., you must have explicit consent, i.e., all the details of the what and why of the purpose must be clearly set out.
- You can rely on Legitimate Interests for marketing activities if you can show the way in which you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing. You may need to carry out a Legitimate Interest Assessment (LIA) to check the balance between your business’s interests and those of the data subjects.
The rights of the individuals
- The rights with respect to direct marketing are absolute – if an individual objects you must cease sending marketing messages immediately. You must keep a “do not send” list to prevent anything from going out to someone who has objected. Your email marketing platform will have this facility built in (do check though!).
- The right to be informed is best addressed by your Privacy Notice. Be completely open and clear on what you do with personal data. For example, include a link to it if you ask for email addresses to add members to your email list when people join your Facebook group.
- All of your consent requests must be clear and accurate and link to your Privacy Notice.
- If you have cookies or icons on your website to take people to your social media accounts, you need to get consent via a cookie consent banner (that includes a link to your Privacy Notice) and have a record of it.
Social media basics
- Most important – you must have consent to send any marketing information to people you haven’t already served as a customer or client. That includes contacting them by a messenger app, by voice, image, video or text to offer them a service or product. You can contact them to say hello!
- If you have recently done business with an individual, you can contact them with relevant messages/material but don’t forget the unsubscribe option in each one! TIP: When they sign up/buy from you it’s OK to have an opt-out option such as a box that they can tick if they DON’T want to hear from you.
- I’ve already mentioned gathering email addresses when people sign up for your group (link to your Privacy Notice) – remember you can’t make it a requirement to join your group but if you word it well, people will want to hear from you.
Email marketing basics
- When someone signs up, you must give them the details of what they should expect – a rough outline and frequency of the emails should be sufficient.
- Link to your Privacy Notice.
- You need a record of their consent and what they agreed to (the wording).
- Use the double opt-in settings on your email marketing platform – this is good customer service and a legal requirement in some countries, although not the UK.
- Include the unsubscribe option on all the marketing emails you send out – this is a practical step to ensure you don’t miss it off when it’s needed.
Include the following:
- Your Privacy Notice – link to it wherever you are collecting personal data
- Your Cookies Policy
- Your T&Cs
- Straightforward cookie control
- Valid consent(s) for all uses, including subscriptions, online chat and so on
Other things to remember
- Have a written policy for your marketing, including social media – it will provide you with consistency for yourself and any employees or contractors, especially as your business grows. Make it simple – you’ll find a hybrid policy/procedure document will be sufficient.
- Do your due diligence on the services and platforms you use – maintain your supply chain standards of data protection (and head off any problems before they occur).
What about if you’re a Virtual Assistant working with coaches and consultants or the reverse, a coach or consultant with a VA?
As a VA:
If you work for coaches and consultants dealing with their admin, and they want to add their GDPR-related work to that (if they haven’t already), you have an extra set of issues because you aren’t the one who can make the decisions or who is legally responsible for getting things right.
It’s often easier to deal with your own data-protection responsibilities from the point of view of assessing the risk and creating your systems to handle it than it is when you are trying to sort someone else’s processes out!
As a Coach or Consultant:
You have the responsibility as Data Controller, and you also have the decision-making authority. It’s essential to have honest communication with your VA to make sure they are acting correctly when they process personal data on behalf of your business.
For both of you:
You should have a Data Processing Agreement set up between the two of you. It should come from the Data Controller, and it states in writing what the VA’s responsibilities are as a Data Processor.
It will include any specific instructions for handling the data, for example, whether the appointment of new sub-processors or changes in suppliers used by the VA must be agreed in advance or simply notified to the coach or consultant (Data Controller).
Get help, if you need it
If you want to know more about this and other GDPR-related subjects, join my Jargon-free GDPR Facebook community group or contact me directly to book a 20-minute chat to see what type of help you need to protect your business and your clients.
COMING SOON FOR VAs (and their clients)!
I’m creating an online hybrid course now for UK-based VAs who work with UK-based coaches and consultants. It includes templates and online resources to teach you and for you to refer to as well as live online group support sessions. If you are offering GDPR-related admin services to your clients, it is essential you get it right because the damage you could cause to their brand is immense and that will only bounce back on your own business.
If you aren’t already offering GDPR-related services to your clients, this is a highly valuable additional income source, which is greatly needed, especially at the present time! I know this because I work with coaches and consultants and their focus is rarely the essential nuts and bolts of day-to-day running and admin work. This is the forte of professional VAs.
Join the waiting list for news of the launch date and special early bird discount!