28 March
As seen in Part One, the GDPR comes into force on the 25th May 2018 and affects ALL businesses that handle personal data for people within the EU.
One of the most important elements to achieve GDPR compliance is to ensure your privacy policy is up-to-date with the right clauses included. Here, we look at how to make the marketing communications privacy policy for your business GDPR compliant.
What Is Not Included In The GDPR?
Before creating your privacy policy, it’s important to know that it only applies to marketing communications and the handling of personal data.
This means that you can still send out customer emails if they are for a relevant transaction or if an existing business relationship can be established. For example, you may send a customer invoice without operating within GDPR requirements.
You might also wish to contact a customer individually about a particular offer or business relationship opportunity. This is possible IF the individual has not already specified they do not want to receive that type of communication.
What to Include In A Privacy Policy For Your Company
Whether you only operate your marketing strategies online, offline, or as a combination of both, it’s important to make sure that your privacy policy covers all types of marketing that you currently use.
If you use online marketing strategies, such as using Facebook adverts or digital tracking pixels for remarketing campaigns for visitors to your website, you must now state in your privacy policy how this information is used.
You may, for example, state that pixels are used to improve the customer experience. You must still state that this information is collected even if you anonymise any data used, as in order to provide anonymity you will still need to handle personal data in the first place.
Covering Your Future Marketing Opportunities in Your Privacy Policy
You should also include a ‘future marketing’ clause: this will help to cover you if you choose to add new marketing channels for your business. For example, if you don’t currently send direct mail campaigns, you might want to in the future.
Add a clause such as: “We may also use your information for other marketing types that are not listed above. Should we use your information for marketing purposes in a new way not listed above, you will be provided an opportunity to opt out at any time. You may also opt out of all marketing by contacting us.”
Understanding the Right To Be Forgotten
That last sentence in the example above is really important for GDPR compliance. The new regulations extend the ‘right to be forgotten’ for individuals. This means that a contact may request that ALL data held by you about them be erased.
Should anybody explicitly state they do not want to receive any marketing communications from you, your business MUST comply with this request immediately.
The exception here is if you have transactional data, such as with an existing customer. When this happens, you must remove all non-essential information for the customer and remove them from marketing lists. You should then archive the transactional data on a separate, secure, encrypted (and ideally offline) database.
How to Tell People About Your Privacy Policy
Your new privacy policy must be in a visible place that is easy to access. The simplest way to do this is to add a page to your website. However, if you only use a Facebook page to advertise your business, for example, your privacy policy must still be accessible. You may wish to add it into the page description, or add it into the ‘Files’ links on your page.
If you don’t advertise your company online, you must still have a privacy policy available for anyone who asks for it. The simplest way to do this is to have it printed on flyers made available on customer request.
Disclaimer: The EU GDPR is a very complex piece of legislation. We have provided a summary of the regulation but this does not constitute legal advice. If you have any questions about how the GDPR may affect your business, contact the Information Commissioner’s Office, handlers of GDPR within the UK.