By now I’m sure the acronym GDPR is ringing in your ears; if it isn’t, then it should be! If you collect, store or use personal data and trade within the EU, then you need to comply with the General Data Protection Regulation (GDPR), which came into force on the 25th of May 2018.

So, what does this actually mean?

In short, GDPR is an update to existing data protection regulations that makes them more stringent; however, the biggest change concerns the consent gained when collecting data.

Under the new law, consent requires a positive opt-in: for consent to be considered valid, it must be freely given, for example by ticking an unchecked opt-in box, rather than presumed through the formerly common practice of pre-ticked boxes.

With that in mind, what exactly are retailers supposed to do with existing databases? Well, the ICO (Information Commissioner’s Office) issued draft guidance stating, “You don’t have to automatically refresh all existing consents in preparation for GDPR, but it is important to check your processes and records in detail to be sure existing consents meet the GDPR standard”. So, if you want to continue using your database, you have two options:

  1. Provide documented evidence that the people on your database have previously consented; in other words, establish what they consented to, when and how.
  2. If you cannot provide such detailed evidence, or are concerned that existing consents don’t meet the new criteria, you will have to obtain fresh consent by contacting your database and asking them to confirm that they would still like you to hold and use their data, making sure you use the positive “opt-in” format when doing so.

Moving forward, how can you gain new data? When collecting new data, it is strongly emphasised that you use “clear and transparent” language, explaining in as much detail as possible why you want their data, what you intend to do with it, who has access to it and how long you intend to keep it.

With that being said, if you run a loyalty scheme, you need to make sure that your customers understand what sort of messages they will receive when they sign up, for example, that they are likely to get occasional updates on how many points or vouchers they have earned. It’s okay to send emails about other promotions, but only if you have clearly communicated at sign-up that they can opt out, or you include an opt-out notice in every such email you send.

The same goes for sending e-receipts. You cannot assume that just because a customer has given you their email address to receive an e-receipt, they are happy for it to be used for marketing purposes. Again, being ‘clear and transparent’ about the collection and use of data and giving customers an informed choice as to how their data will be used is key to guaranteeing compliance with the law.

Being aware of forthcoming legislation and what it means for your business is important. You have to ensure that you are properly prepared; otherwise you risk financial penalties or other serious consequences if you fail to comply.