General Data Protection Regulations

It’s been a long time coming, brought a lot of big impact headlines and confusion, will shake things up forever more and involves the letters E and U… but don’t worry, it’s not Brexit!

Very soon, on May 25th, the General Data Protection Regulations (or GDPR) will come into force. From that point on, how we collect, store, treat, maintain, and use customer data will change forever!

Ok, bit dramatic perhaps, but it will change for sure, and we believe it will change for the better. This perhaps isn’t being as widely heralded as the fines of up to £17M or 4% of global turnover, and whilst some marketing teams may be concerned about their customer database volumes dropping, all in all, these new data protection regulations are a good thing – here’s why.

Since the draft guidelines were released by the Information Commissioner’s Office (ICO) in April 2017, business networking channels, social media, agencies, businesses, and individuals have been sharing their thoughts and also asking me about what they need to do.

We’re not legal professionals. I’m also not a data expert. At best I’m a failed musician who fell into the world of eCommerce about 20 years ago, and it just turned out I was pretty good at it. Over that time I have worked for big retail websites, and for large, traditional mail order catalogue companies who moved online. So I think (I hope) they’re asking me because of my experience, my obsession with data and doing digital really well, and the breadth of different businesses I come into contact with here at Marvellous. I know enough about what these data protection changes would mean in reality for eCommerce managers, website owners and businesses, and that’s exactly what I’ve tried to summarise in this post.

First off, let’s deal with the big headline about the fines.

In 2016/17 the ICO dealt with 17,300 cases, but they issued only 16 fines… so don’t worry about the ICO putting you out of business. Their job is to help businesses get their heads around the new regulations, and ultimately improve things for the consumer (that’s all of us). They’ll issue fines to companies that constantly abuse or ignore the regulations, but that’s not going to happen straight away. Their process will be more about leading businesses with a carrot to understand, align themselves, and stick to the regulations, rather than beating them with a stick because they don’t fully comply on day one.

Now let’s move on to what you actually need to do with your website.

Make your website GDPR-friendly

  1. Update your privacy page
    Review and update your privacy policy and cookie notice, keeping it clear and concise.
  2. Dig into the cookie jar
    Review your cookies and identify what they do and whether they’re 1st or 3rd party and session-based or permanent, then display this information clearly on your privacy page.
  3. Double lock the doors
    Ensure your customer data is secure, that you have monitoring in place to detect any breach, and that this is documented and reviewed periodically.
  4. Make it easy
    Let customers decide by offering a preference centre (within My Account). This is not essential, but it is a nice-to-have and great for the customer if you have complex, multi-channel marketing campaigns.

Make your Marketing GDPR-friendly

  1. Consent is crucial
    If you’re not really sure you’ve got consent, then ask again, e.g. email your prospect database and ask them to opt in to your database. Then you’ll only be talking to those that are really interested.
  2. Re-engage
    Build re-engagement campaigns into all aspects of your marketing plans as consent doesn’t last forever!

Make your internal processes GDPR-friendly

  1. Initiate
    Document what, when, how, where and why you collect data. What systems do you integrate with? Who do you share it with?
  2. Nominate
    Nominate someone in the business who is responsible for data.
  3. Communicate
    Brief all your employees on the importance of customer data, and any new processes they need to follow.

Undoubtedly this isn’t everything, and once the big eCommerce sites start to release their updates, then best practice will emerge. We’ve seen a smattering of emails from companies getting on with the marketing element of the above and cleaning up the consent on their email databases. We’ve also seen a couple of 3rd party tools for cookie consent should you need a full on “belt and braces” approach. This felt a bit OTT at first, but then we noticed the BBC have done something similar with their cookie settings, so we presume this will become the norm in time.

One other site to keep an eye on is the ICO website itself. We’d recommend speaking with them directly should you have any specific questions that haven’t been answered in anything you’ve read above, on LinkedIn, Twitter, or that you’ve discussed with your mates down the pub (because it’s obviously a perfect Friday night discussion topic).

You can always give us a call too, and I’ll try to help make things a little less blurred!

Here at Marvellous we already work with a number of our clients assisting them by providing information and updating their websites. If you have any questions, please get in touch and we’ll try to help make things a little less blurred!


A Marvellous blog by Alex

Alex enjoys films, great TV shows, developing websites and (apparently) writing about himself in the third person.
