In this blog, Birmingham City University marketing and legal academics answer SME’s burning GDPR questions.

The GDPR clock is ticking! While you’re busy ensuring that your business is compliant in time for the deadline, it’s important to also keep an eye on the longer term impact. But for busy SMEs like you this can be a challenge, especially when you don’t have relevant experts on hand.

To help, we spoke to two of Birmingham City University’s leading academics in marketing and law and asked them what ongoing GDPR implications SMEs need to be aware of. Their expert advice in this blog will provide you with useful tips on how to adapt your marketing strategy and minimise GDPR risk.

Firstly we put some burning questions around GDPR’s marketing impact to Birmingham City University Business School Senior Lecturer, Andrew Salmon.

Does GDPR mean we won’t be able to call or email someone without their prior permission?

“Yes and no. If your business is contacting consumers the rules are very clear. You won’t be able to do so without prior permission. Even if they permit contact but then revoke it you must remove them from your database and cease all contact. But if you’re contacting other business entities you can contact them via email, on the proviso that they have a legitimate interest in what your company offers and they can easily request no further communication if desired.”

• Tip! Make sure you know who you’re contacting and what the rules are.

We’ve tried to get customers and prospects to confirm they want to stay opted in but many just don’t respond. Do we have to delete their records and will this shrink the business leads we generate?

“If customers don’t respond to your confirmation attempts you should respect their wishes – it’s indicative that they simply don’t want further contact. However, it’s likely these are inactive contacts who don’t want to engage anyway, so it’s not really going to reduce leads. Removing those who don’t respond is actually good practice and forward thinking SMEs should be doing this regardless of GDPR. It actually means you can clean your data and really focus on nurturing the engaged people.”

• Tip! Don’t worry about your data shrinking – it will be higher quality as a result!

What marketing strategies and tactics can I put in place to encourage new opt-ins?

“There are two key elements here. The first is producing high quality content that’s relevant and interesting to your audiences. If you give people things they find useful and engaging they will naturally come back to you and ask to receive more. You may never have the same large number of contacts on your database but you’ll certainly know that those you do have all want to hear from you.

“The second area is making use of digital marketing tools. There are now many alternative ways to engage customers, reducing reliance on methods like email. Research what information sources your target audiences use. Do they hang out on social media? Or do they do research on the internet? This will help you find the best alternative ways of reaching out to them.”

• Tip! Review your wider marketing strategy and consider what changes you need to make.

The legal view

Ewan Kirk, Senior Lecturer at Birmingham City University School of Law, contrasts this marketing advice with some vital GDPR legal perspectives.

What should I do if a breach by my company is reported to the ICO?

“Pre-preparation is vital in ensuring you can respond to complaints – if or when they do arise. If you can’t show you’ve made steps towards compliance it’s likely that the ICO will take a harsher view. What’s critical is that you have evidence that the breach has been detected, that you are investigating why it happened and making remedies to your processes to avoid future issues.

“While small scale breaches won’t need to be reported to the ICO, a record should still be kept of what happened and actions taken. This is actually a legal requirement but also means that if a complaint is raised you have all the evidence at hand.”

• Tip! Be prepared in advance!

What should I do if someone exercises their right to be forgotten but I think I need to keep their data for legal reasons?

“Firstly, the right to be forgotten is not an absolute right. If there are sufficient grounds for keeping data legally these can be exercised. What’s important is ensuring you respond to the data subject, clearly stating the reasons why their data needs to be kept, how long for and what will happen to it once it’s no longer required. It’s not enough simply to refuse to delete it.”

• Tip! Evaluate what data you’d need to retain in these circumstances

Could an individual sue us for withholding their information or not deleting it, in addition to us being fined by the ICO?

“Yes – Article 79 of the GDPR outlines the right of an individual to pursue an ‘effective judicial remedy’. This means they could take you to court and sue for compensation if they believe that their rights have been infringed.

• Tip! Ensuring compliance is the surest way to minimise potential litigation

While you’re busy focusing on GDPR compliance, make sure you also know how your business might need to respond and adapt as a result of the regulation. Seeking expert help such as this is a great place to start.