First things first, GDPR is an acronym for General Data Protection Regulation. It’s a new set of guidelines being implemented by the European Union to make sure that the way each EU citizen’s data is handled is clear to them. This matters because there are around 500 million internet users across Great Britain and the EU (GDPR requirements apply to GB too).
It comes into force on 25 May 2018 and must be followed by all companies operating in the EU - even those based outside Europe. That means compliance isn’t a choice: it is mandatory, and any breaches will result in heavy fines.
So what is it?
Well, it’s not a brand new thing: it has been in the pipeline since 2012, and the guidelines were formally agreed upon in 2016. The date of implementation, however, is nearing, and that’s why we’re being inundated with its name.
There are 99 separate articles that make up GDPR, but the condensed version is that GDPR aims to put the rights of the customer first by making the following compulsory:
Language - No more jargon or “legalese” is allowed. Language must be plain and clear - understandable even to a layperson.
Clear consent - Using contact details to send updates and offers may only happen if the customer has consented through a clear opt-in setup.
Breach Notification - If data handling is breached, the authorities must be notified within 72 hours of noticing the breach.
Right to Access - Data collectors must provide a full copy of all of an individual’s data when that individual requests it.
Right to be Forgotten - All stored data on any individual must be cleared if and when they ask.
Privacy by Design - Only necessary information is to be collected, and it is only to be accessed by people who are a necessary part of the processing.
Centrally Located Data - Data will no longer be dispersed across many systems; it will all be collated in one spot for seamless security.
Personal Details - The scope of “personal data” is widened to include political views, sexual orientation and health data, as well as name, address and phone number as before.
To find out more about the guidelines, you can read about them on the EU’s GDPR homepage or by viewing this handy infographic.
These guidelines mean different things for different people, depending on their original data privacy settings.
Things you can no longer do:
Refer-a-friend campaigns - if that friend has not expressly given consent to receive mail.
Notify only - Simply telling customers how you will treat their data is no longer good enough; you must obtain consent, e.g. through a tick-box.
Segment using personal data - Identifying internet users by their political views, sexual orientation or even health status is disallowed.
So, does this affect the way you can tailor personalised recommendations?
No. It doesn’t affect the way you use personalised recommendations within your webshop, because no personal data (even under the updated definition of what personal data means) are collected to make these recommendations. Plus, as long as you make sure that you ask customers to subscribe to any email communication, it won’t affect how you send out these recommendations either.
The same goes for segmentation: if your email is already GDPR compliant, tools such as segmentation will naturally also be compliant, as long as - again - they don’t use personal details (as per the new definition). Customer behaviour such as purchase history is fine to use.
Make sure that when you are managing these functions, internally or externally, you are GDPR compliant from 25/05/2018. A good external provider will already be updating their terms and conditions and making them clear to you!