It is now week 7 of our ten week run up to GDPR compliance and time to start making sure that our databases contain only the information that we have consent, or a solid legal basis for keeping or using.
Just in case there is any doubt that the Information Commissioner's Office is targeting businesses of all sizes and in all sectors, take a look at the list of recent actions taken under existing data protection laws on the ICO web site. All it takes is one complaint to start an investigation, then regardless of whether any blame attaches or not, a lot of time is used in the process.
The only way to make sure you don't suffer such disruptions is by being like Caesar's wife, beyond reproach. Thus any information in your database which is not there for a very good reason must be deleted or obfuscated. This applies to all data sources used in a business, not just the web site. In earlier news items, we looked at the benefit of cutting down the number of places in which data are kept, and this is one very good reason to do just that. The less data sources you have in use, the less likely it will be to overlook something that has no place there.
The first contacts to be removed must be the ones who didn't tick the box to sign up for your mailing list in the first place, when they enquired or bought from your site. For those that bought, there is a solid legal basis for keeping their information as we all have a legal obligation to the tax man to keep records of sales. What must not happen is for this group to receive promotional information. Flagging them in the database allows the records to be held while any broadcast email function in use can be programmed to miss out those contacts who have not opted in.
For all Village Websmith customers with GDPR compliant sites, that process will be handled automatically. Customers are labeled in the database separately to acceptance of GDPR policies and opting in to mailing list. Other data sources will need to be examined carefully to make sure that the records for the tax man don't get mixed up with mailing list members.
The final clean up should be scheduled for the eve of GDPR implementation, when anyone who hasn't taken the positive action to opt in must be obfuscated or deleted. Again, for Village Websmith customers, this will be taken care of automatically to ensure cleanliness of the database of enquiries from their web sites. There is still time for one more broadcast email asking current mailing list members to reaffirm their consent to contact. The ICO website has very clear and specific information about what constitutes consent and the ways in which it may be obtained, so is worth a read if you haven't already asked the people in your database.