Marketing – 10 Essential GDPR Tips
Marketing – 10 essential GDPR tips for owners of small businesses who do virtually everything themselves. We all know that marketing can be a bit of a trial and that’s an understatement!
My experience has been a combination of blind panic, a massive learning curve for the tech and platforms I use, lots of time spent and frequent frustration because I’m not brimming with clever ideas that will make me and my business well-known and successful.
Most owner-run businesses will recognise the situation but, if you add to that being unsure about the various GDPR-related regulations that apply, then it’s a potential house of cards situation with a side-order of stress.
Marketing – 10 Essential GDPR Tips – here we go
Let’s break it down into manageable chunks:
1. What regulations do you need to understand when it comes to marketing?
The same principles apply as they do for everything that involves personal data in your business. The easiest way to describe those fundamentals is that your business should handle personal data ethically and you are responsible for ensuring that’s what happens.
2. Where can you find the legal rules?
The key piece of legislation relating to electronic marketing is the Privacy and Electronic Communications Regulations (PECR), although GDPR does apply, including to non-electronic messages like snail mail.
ICO Penalties: It’s worth noting that you are far more likely to receive a fine for failing to meet the requirements of PECR than GDPR* and, therefore, your electronic marketing activities are potentially your Achilles’ heel. *The caveat is that the requirements of PECR are reflected in GDPR.
3. What does PECR cover?
Electronic communications = “any text, voice, sound or image message sent over a public electronic communications network”.
Marketing material = promotional material for products and services; be aware that it also includes promotion of your business itself and its interests. In simple terms, ask yourself, “is the material promotional or informative?”. Ask for help if you’re not sure.
4. What are the crucial direct marketing rules for your business?
- You must have informed consent that was freely given to use personal data to send marketing messages to non-clients and new contacts. This means telling them clearly what they are consenting to and what you do with their personal data by linking to your Privacy Notice on subscription forms, freebie sign-ups, your Facebook group, etc.
- If you are using cookies on your website to track visitors for the purposes of advertising e.g., a Facebook pixel, you must get consent – get a good cookie control banner set up.
- Existing clients/customers who have bought from you OR negotiated towards a sale (e.g., an abandoned item in a basket) – you are allowed to send marketing messages BUT they must be relevant, i.e. if they would reasonably expect to receive direct marketing on that subject, then the soft opt-in will be OK.
- Always include an “unsubscribe” option in your email marketing and don’t send any follow-ups after someone has unsubscribed!
- Keep a suppression list/do not contact list to avoid sending marketing messages to those who don’t want to receive them.
- PECR does NOT apply to corporate contacts, but if you are sending to a partnership or sole trader, remember that their info@ email address does identify them by context.
5. What else should you consider?
Stepping aside from the legal considerations and concentrating on the purpose of marketing in general, the last thing you would aim to do is alienate existing or potential clients. With that in mind, getting someone’s positive agreement to hearing from you about your products and offers that will transform their lives and businesses is always going to be the best strategy.
6. Email marketing – email platforms:
Breaking it down into stages:
Before you add people to your list
Get proper consent – be specific and remember to use separate consents for separate purposes e.g., one to receive seasonal sales offers and one to receive monthly updates.
Always use the double-opt-in option on your email platform.
When they are on your list
Carry out regular database housekeeping to keep your database clean. This will ensure good deliverability and lower costs (you won’t be wasting money on storage or sending to unresponsive subscribers).
Keep an eye on your database analytics from your campaigns and act on anything negative.
If they decide to leave your list
You must delete their details; however, a record will remain in your unsubscribe list, which is not accessible as active information.
Don’t buy email lists! As a business owner where you are the business, finding your ideal client by that form of lottery is never going to work out well.
Make sure your marketing messages are relevant to clients or customers.
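The consent and list-handling rules in sections 4 and 6 (one confirmed consent per purpose, double opt-in, a suppression list that outlives the deleted subscriber details, and the soft opt-in for existing customers) can be expressed as a small consent register. The following is an added example written for this page, not code from any email platform; the class and method names, the keyed-hash approach to the suppression list and the example.com addresses are all assumptions and constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed key for the suppression list (assumption). In a real system this
# would come from a secrets store, never from source code.
SUPPRESSION_KEY = b"example-only-key-change-me"


@dataclass
class Consent:
    """One consent record per person per purpose (section 6: separate consents)."""
    email: str
    purpose: str              # e.g. "seasonal_offers" or "monthly_updates"
    source: str               # where it was collected, e.g. "website_signup_form"
    given_at: datetime
    confirmed: bool = False   # becomes True only after the double-opt-in click


@dataclass
class MarketingStore:
    consents: list = field(default_factory=list)
    # Suppression list holds keyed hashes, not addresses, so the deleted
    # subscriber's details are not held as active information.
    suppressed: set = field(default_factory=set)

    @staticmethod
    def _key(email: str) -> str:
        normalised = email.strip().lower().encode()
        return hmac.new(SUPPRESSION_KEY, normalised, hashlib.sha256).hexdigest()

    def record_consent(self, email: str, purpose: str, source: str) -> None:
        """Store an unconfirmed consent; nothing is sent until it is confirmed."""
        self.consents.append(
            Consent(email.strip().lower(), purpose, source, datetime.now(timezone.utc))
        )

    def confirm(self, email: str, purpose: str) -> None:
        """Called when the double-opt-in confirmation link is followed."""
        for c in self.consents:
            if c.email == email.strip().lower() and c.purpose == purpose:
                c.confirmed = True

    def unsubscribe(self, email: str) -> None:
        """Delete the person's details but keep a hashed marker so they are
        never contacted again, whatever consent or soft opt-in is claimed later."""
        self.suppressed.add(self._key(email))
        self.consents = [c for c in self.consents if c.email != email.strip().lower()]

    def is_suppressed(self, email: str) -> bool:
        return self._key(email) in self.suppressed

    def may_send(self, email: str, purpose: str, soft_opt_in: bool = False) -> bool:
        """soft_opt_in=True means the caller has established that this is an
        existing customer AND the message is relevant to what they bought or
        enquired about (section 4). The suppression list always wins."""
        if self.is_suppressed(email):
            return False
        if soft_opt_in:
            return True
        norm = email.strip().lower()
        return any(
            c.email == norm and c.purpose == purpose and c.confirmed
            for c in self.consents
        )

    def send_list(self, contacts: list, purpose: str) -> list:
        """Filter a contact list down to those who may receive this purpose."""
        return [e for e in contacts if self.may_send(e, purpose)]
```

Checking the suppression list before any other rule is the point: an unsubscribe must stop both consent-based sends and soft opt-in sends, and the check still works after the subscriber's details have been deleted because only a keyed hash is kept.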
7. Online conferencing – Zoom
Hands up, who doesn’t use Zoom? It seems like we are all choosing this platform for online networking and conferencing in general but the same principles apply to all similar services. Zoom does allow you to set up a customised consent statement that will appear to all attendees before they enter your call. In addition, it now automatically plays a voice message with a generic message for each attendee before the recording starts. *These are separate consents.
The records of consent should be in your Zoom account (select your settings so that happens). Don’t forget to delete the personal data when you delete the video and no longer need it. Do remember to download a copy of the consents and file that in your GDPR records if you have retained a recording.
8. Have a marketing policy
A simple hybrid Policy and Procedure document is the most practical format for a one-person business. It fulfils the purpose of evidence should anything go wrong and, if you have freelancers, contractors or employees, it serves the additional purpose of explaining your business approach to marketing clearly to them.
What should you include in your marketing policy?
- A few simple instructions on each marketing area e.g., email, social media posting, messaging apps, Zoom calls, including networking
- A note of the wording used for your various consents – useful when you are setting up anything else to save you checking/copying and pasting
- Reminders of your procedures for when and how to delete personal data as well as any other material when no longer required
9. Due diligence:
Check out the service or platform you plan to use/are using:
- Server(s) location
- Parent company location
- Their Privacy Notice information, security set-up and general online appearance
- Check if registered with the ICO for UK organisations
- Check if accredited or certified by relevant authorities or industry bodies e.g., Cyber Essentials, ISO, SOC2, etc.
- If outside of EU or Adequacy countries, their Privacy Notice should mention what they have in place to cover personal data transfers to them e.g., Standard Contractual Clauses
- Get a Data Processing Agreement – for organisations such as Google, Microsoft, etc, you will find it mentioned in their GDPR information and for most will be downloadable. Google takes you through the process of signing their DPA automatically when you set up Google Analytics, Adsense or Tag Manager. Microsoft has an online version, as do many other major platforms. TIP: go onto the platform’s support or help section and search for DPA. It will usually take you to the place you need to go. For smaller players, if it isn’t mentioned in their information notices, email their data protection/privacy contact you will find in their Privacy Notice to request one. Keep a copy in your files.
If you are struggling, you can always book some time with me to go through the problem together and sort out the answer that suits you and your business.
10. Social Media
A crucial part of most, if not all, businesses’ marketing strategies. The same rules apply as with marketing in general. For more details about your social media, take a look at my blog post about this subject.
Your marketing activities are designed to get you and your business noticed; therefore, if you get them wrong, it’s going to be seen and could land you with a complaint to the ICO and maybe a fine, plus damage to your reputation and your business brand. That’s aside from the time it will take to deal with complaints and the fallout from them.
If you have questions and are unsure where to get answers that will be easy to understand and related to YOUR business, join my Jargon-free GDPR Facebook(!) group. It’s a dedicated safe space for unsure business owners where I provide guidance, give answers as well as current interesting and relevant news items.