Email and the Law

How the GDPR relates to small businesses

Given that personal data dominates the email marketing world, one would assume that most businesses affected by the GDPR have plans for the go-live date of 25 May 2018 or, at the very least, expect to finalise them before that date. You need to have processes in place and tested by that date. But what of companies with just a few employees? Isn’t there a get-out clause for them?

To put it simply: no. Article 30 of the GDPR states that organisations with fewer than 250 employees will not be bound by some provisions of the GDPR with regard to the recording of information. This clear and unequivocal statement must come as a relief. However, there are a number of conditions attached.

The one that will probably affect us because of our email marketing lists is that the GDPR will apply to businesses with fewer than 250 employees if the processing of personal data is not occasional. It is a sensible exclusion. Why have the requirement for all that information if data processing is infrequent? However, if it is a significant part of a company’s daily function, as in email marketing, then the number of employees is irrelevant. Mind you, my experience is that when processing is infrequent it is treated more casually.

So there seems little doubt that email marketing companies will have to comply fully with the GDPR despite rumours to the contrary. What matters is not so much the size of your lists as how frequent the processing is. And if you don’t process it regularly, you’re not doing it right.

There are two other categories which will mean that the GDPR will apply to a small business. The reason for the first is rather obvious: it applies if the processing includes special categories of data as defined in GDPR Article 9, which includes racial, ethnic, political, religious, philosophical and trades union membership details.

The remaining condition is if there is a risk to the rights and freedoms of data subjects. This is more esoteric but don’t run away with the idea that it is limited to those companies which deal with one of the more volatile countries.  

Regardless of what happens in the Brexit negotiations, it will still apply if you deal with EU citizens and further, the digital minister, Matt Hancock, has said that UK legislation will replace the 1988 Data Protection Act (DPA) with something more or less identical.

The Information Commissioner’s Office (ICO) has a great deal of information on the GDPR, much of it helpful to small businesses. Their clear ‘12 steps now’ .pdf has been downloaded 73,000 times. Starting this month, the ICO has made available a phone line dedicated to helping small businesses cope with all current regulations and legislation, including electronic marketing and Freedom of Information. In particular, they offer help with the GDPR that is specific to small businesses.

Call the ICO helpline on 0303 123 1113, select option 4 and you will be put through to an advisor.

The GDPR is the most important piece of legislation for email marketing companies since 1988. It is fairly straightforward but all help is valuable.



