The world has been rocked by the new GDPR legislation that is being brought in by the EU. Many businesses are confused, panicked, and scared of what this means for them and the consequences of not getting it right. We want to remove some of the myths and the scaremongering and show you what we've done to comply.
In this episode you'll learn what GDPR is, why it's a good thing for your business, and what we've done to comply. We think there are some real golden nuggets in this episode, and we're sure it's not one to miss.
We've included a transcript below in case you can't listen at this moment in time.
In this episode, you'll learn:
- The what, why, and when of GDPR in layman's terms
- How GDPR impacts sales systems
- Why GDPR is a good thing for you and your business
- What we've done to comply with GDPR
Thanks For Listening!
Thanks so much for joining us this week. Be sure to join us in episode 7 where we will be discussing Chatbots, and how this new technology is delivering huge results.
Have some feedback you’d like to share? Leave a note in the comment section below.
[00:00:01] Welcome to the Leadspeak podcast with me, Alex Thackray.
[00:00:17] Welcome to the episode six of the podcast where we're talking about automated sales systems that you can build into your own businesses. Who am I? I'm Alex Thackray, founder of Leadfreak. Where we build automated sale systems for many different business types. And we want to pass on some of the expertise and knowledge that we have to you.
[00:00:45] So welcome to Episode 6 of Leadspeak. I'm joined by Emma Thackray. Hello. And today we're going to be talking about the dreaded GDPR, because everyone's not already sick enough of it.
[00:01:00] No, we just want to get our little bit in talking about GDPR. Now, in reality it's a massive thing and it's not long before it comes into play. So we want you guys to be fully equipped to handle GDPR. And we feel that some of the stuff that we've been doing might help you out.
[00:01:18] So, in this podcast episode we're going to be looking at what GDPR is, a very brief overview. And then ultimately why we think it's a good thing, what we've been doing to be compliant with GDPR and how GDPR is going to affect automated sale systems. Because that's what Leadspeak is all about. So we've got one packed episode for episode six so let's get going.
[00:01:52] Okay, so we're going to begin by firstly just talking about what GDPR actually is. We're not going to talk for too long about it because there is really a very specific place online that you should go to figure out exactly what GDPR is and what it means for your business and hopefully by now most people have at least heard of GDPR and what the basics are because it is coming into effect quite soon now.
[00:02:18] So if you're a bit behind then you probably need to catch up. But let's start by just asking what is GDPR. What is it Alex?
[00:02:31] So GDPR stands for General Data Protection Regulation. Well done. We are really starting at the basics.
[00:02:43] And it's EU based legislation that comes in around protecting an individual's personal data. It's giving the power back to an individual on their data online and in the physical world because GDPR applies both physically and digitally. I think you've seen with the legal cases that were brought recently against Google around the right to be forgotten? Yeah. I think it largely stems from that. I think the EU showed pretty early on that they wanted to clamp down on people's data rights and they weren't going to let the big tech companies who store and make all their money from vast amount of data to be in control of all that information. Okay.
[00:03:31] So it's an EU wide thing. But who it does affect is companies that are working in the EU and also any company that wants to transact or hold personal data from people within the EU. So that's one of the first kind of almost like myths that I think has come up about GDPR as some people are saying "Oh well if it's an EU regulation, we're leaving the EU. Is it going to be relevant they're going to do all these changes and then we're not going to need it anymore." But actually if you're selling a product or if you're collecting data on anyone who lives anywhere in the EU then you still need to do it and it still applies to you.
[00:04:13] So that's why obviously companies in the U.S. and other places are still having to comply with these regulations because it affects everybody. So it's something that they still need to do. And who knows when we're leaving the EU anyway.
[00:04:28] So when is it happening? May 25th. 25th of May. After my birthday. That's over a week. Yeah. So you say that is quite soon now to be fair.
[00:04:45] Yeah, it certainly is. Both GDPR and my birthday. For your information.
[00:04:54] So people really need to start thinking about it if they've not already done so, because it's been something in the background, something in the pipeline for quite a long time now. But we're really getting to the stage now where if you've not looked into it or you've not figured out any changes that you or your business needs to make to comply with GDPR, now's the time to do it because you don't want to be kind of scrabbling on 24th of May to make changes.
[00:05:25] But certainly if you are a larger organization where you have different levels of intimate information collection you can go from the smallest of businesses and they might have a marketing list. So the only way they need to be GDPR compliant on the face of it is around that data collection and the marketing and make sure they've got consent. And then ultimately how they handle that data within their business. Yes.
[00:05:50] It is far simpler than an accountancy firm who is dealing with a lot of personal data, not only for their clients but for their clients' employees, their clients' suppliers. There, you're looking at whole infrastructures within a business. So for accounting firms and doctors, and solicitors or anywhere else who's dealing with that level are going to have a more complex job.
[00:06:16] Yeah, and you would really hope that these companies are already at least in the process of changing things. But I think that's part of what spooked a lot of much smaller businesses is you know people from more complex businesses obviously stressing out about it and you spent a lot of time researching and implementing changes and obviously small businesses are thinking "I can't do that, I've not got the resources to do that." But actually you may not actually have to do that much, but again on the flip side - that's not to say that if you're a small business, there's nothing that you have to do. Because equally on the flip I've had quite a few much smaller businesses saying I'm too small for that it doesn't apply to me, I don't collect data. But I find that quite hard to believe about most businesses. At least in one some respect collect data on whatever, if they use it for marketing purposes or anything like that. Chances are you still hold data in some form and if you do then it applies to you and you still are going to need to make some changes to make sure that you comply.
[00:07:25] Yeah even to the point where we spoke with one client who said that they did not collect personal data. Any personal data. But ultimately you ask them about their customer list, that's personal data, their employees - it's personal data. Yeah, absolutely. So this isn't just marketing list, this applies right down to everyone. Yeah. Everyone's personal data is now theirs and they have the rights to their own personal data.
[00:07:58] Yeah and that's the fundamental thing that people have got to remember about GDPR. I think that's what it is on like a really base level- is you're giving the power of people's data back to them. So you need to obviously research on what exactly you need to do for everything that you do to be focused on making sure that you're giving people that right and you're being honest and transparent about what you're doing when you do collect their data and also putting the processes in place to make sure that you can get rid of it if asked as well.
[00:08:32] I think for me there are two core elements of GDPR: That is the legal basis for collecting that data in the first place. So it needs to be legal, and those bases are
[00:08:46] Consensual, so that is consent based,
[00:08:49] Contractual, so you have a contractual reason why you need that personal data.
[00:08:55] Legal obligation. So if you need to collect that personal data to aid in any trials or request by the government.
[00:09:05] Legitimate interest which is a bit more of a broad legal basis for collecting personal data but ultimately you can have a legitimate interest.
[00:09:14] So there's a legal basis as to why you collected that information. The key point to add that is you should only be collecting the information that is required for that legal basis and no more. So information for contractual isn't the same as information for consent. Yeah. So if you wanted to market to your clients, then you would need them to consent into your marketing email lists rather than using the basis that you have their data because they're a client as the reason why you should be able to send them a marketing Yeah exactly. Yeah. So it's just about getting much stricter - How you collect in terms of data I guess.
[00:09:54] And then going on to the rights of the individual is the second key element of GDPR. Yes this is what the users or the individuals have the right to do.
[00:10:03] So it's a right to be informed,
[00:10:05] the right of access. So they can access what personal data you own.
[00:10:09] The right to rectification, so an individual has a right for that information to be correct.
[00:10:16] Right to erasure - so that information can be deleted.
[00:10:19] Right to restrict processing - so as an individual I can tell Leadfreak I only want my data to be processed in a certain way.
[00:10:23] Right to portability - so as an individual I can transfer that data away from you to someone else.
[00:10:33] The right to object - which is I object to my personal data being used under any circumstance.
[00:10:40] And it's important that all of this is very transparent as well in terms of you make it easy for people to do those things as well. So you've got to you know you can't have it kind of written in really complicated language of all these things, you've got to make it very easy for people to be able to have things deleted or changed.
[00:11:03] I think for me that's what companies are worried about. They're worried about that and they're worried about the penalties which will get on to in a minute. But they're worried about that transparency. So if they show that individual how they are going to use that information, then that individual is not going to want to engage. That's what they're worried about.
[00:11:25] Yeah. So do you think that's right? Do people have a right to be worried about that? Only if it causes harm. Yeah. I think individuals, if there's a value transaction between them giving their personal information across and they receive something that they deem valuable enough to give that information, then everything should be okay. Yeah, I think that's the whole thing really. I think people are worried that that kind of transaction is what's going to stop them - no longer be able to collect or analyze data or people won't buy their product. But I don't think that's true at all. Because I think people are generally happy to provide their data online because people acknowledge that they have to in order to do most things online now, to purchase anything. It's just about being transparent with it. But if there's nothing shady about what you're doing with that person's data anyway then why should it really be a problem. You know there's no option now, like there's no choice to keep it hidden without looking massively shady now. So you've got to comply with the regulations. Absolutely. Otherwise you just you know you're gonna lose all your customers' confidence. So you know there's no other option, you've got to do it. And if you've been engaging in slightly shady practices thus far then it's just a good opportunity to stop really because nobody should be. It's a fundamental kind of human right that you shouldn't have your data abused, or misused in any way. So you know it can only really be a good thing.
[00:13:11] If I can just touch on the episode five of Leadspeak where we talked about empathetic marketing and how if you're addressing the problems of your perfect client, then they're going to want to engage. Yeah. It's all about, this is a value transaction isn't it? That's all it is. And if you're you know honest with people and you say - this is what data I need from you, I need it because this is what I'm going to do with it. I'm going to provide, I'm going to take it, but I'm going to in return provide you a value whether it's through you know promotional offers on a marketing list or whether it's giving you content that sort of thing. Anything that provides a service to them then chances are people are still going to give you that data. And some people might even be more likely to. I think you know now that they'll know that you know is written in law that their data can't be misused - and they can have it returned or removed any point in time. People know that - okay well if I give them that and they start sending me emails I don't want or I want them to remove my data or change it or some way, they know that they've definitely got that legal right to do so. So I think that I'd almost be more likely to put my e-mail in a box knowing that and thinking Okay what's going to happen if I provide this information. There are ways you know legitimate concerns in there but I don't think it's you know something to make a massive deal about.
[00:14:56] So I think the next thing we've got to talk about is the penalties. Yes. They are severe in their biggest form. So we're talking about four per cent of global annual turnover. There's a maximum of 20 million euros. Whichever one's higher isn't it? Yeah, that's quite a lot. I mean if Leadfreak was hit with a 20 million euro fine, we would not be doing this podcast anymore, but we might be doing it from Mexico with different names. No. So that's it at its extreme. Yes. And this is one of the things that I wanted to do on this episode - was to kind of debunk the myths and remove some of the panic around GDPR. Yes it is complex. Yes, you know there's a lot of things that you need to do to be compliant with it. If you're not already responsible with data management which under data protection act you were to a certain extent anyway.
[00:16:01] So let's lay it on the line as to what these penalties are all about the ICO said themselves that yes, there are these enforceable penalties. But this is a last resort. They've said that very clearly this is a last resort. I think that's the key thing really. I think if you wake up on the 25th of May and you've not got this stuff in place or you've tried but you're missing something you're not like automatically going to get like a 20 million euro/dollar fine. One would hope not anyway. It's like it's a last resort thing isn't it.
[00:16:39] There's a process to get to that point. Yeah. You're going to have to be a pretty huge company to even for that to be in the ballpark. But that's after you try and become GDPR compliant. If you don't make it the ICO will actively work with you and this is obviously the case for the UK but the ICO will actively work with you to make sure you are GDPR compliant, and then they will revisit to make sure you are compliant after they've stopped working with you. So they want you to be GDPR compliant. Yeah yeah.
[00:17:12] And that's again I think not much has been made of that is that there's an education process If you know they're understanding the nine times out of 10 companies aren't GDPR compliant it's because they've misunderstood something or they've you know not considered something that actually is relevant to them because it is quite complex. The ICO aren't just going to come out and say No you didn't comply - 20 million euro fine. They're going to say - you're not complying we'll work with you so that you do comply. And it's only really after quite a long process I think of you continually burying your head in the sand and not that you will be looking at any real sort of fine - something as high as 20 million. It's a lack of intent. Yeah. So if you don't show intent to comply, that's when they're going to come down hard on you. Yes, because that's what they're looking for - they're looking for shady businesses. I mean you know genuinely using data in misleading or abusive ways. So you know they're not out there to make a buck.
[00:18:18] I mean, take their Data Protection Act. The ICO has the power now to fine companies who aren't compliant with the Data Protection Act. The difference is the fines aren't nearly as high as what they are under GDPR. Yeah. But they don't - doesn't necessarily mean that everyone who doesn't comply with the data protection act gets the maximum fine. It's proportional. And goes back to intent to comply. Yes absolutely. So a big, not necessarily a myth because obviously the fine and the maximum fine exists but there's just a lot of scaremongering I think about how and when that would be enforced that you know people need to chill out about basically.
[00:18:58] There's going to be a process or ranking of those they want to be speaking with first. The ICO doesn't have the officers available for them to work with every single business in the UK on making sure they are GDPR. They're going to go for the big data handlers first, making sure that they're compliant. Those are the guys who are going to be working on it for years already as it is to make sure they are compliant and you can see now with the raft of software platforms who are releasing statements on data privacy policies to ensure they are GDPR already in place. So that's who the ICO are going to be working with at that first instance, before it filters down to the smaller and smaller businesses. Yeah yeah.
[00:19:42] So if you're not like Amazon, then you'll probably be alright for a little while.
[00:20:02] Okay, so moving away from the what, the why, and the when conversation with GDPR, shall we start looking at our views on it? Whether anyone is interested in our views with GDPR. No one cares. I think we've already you know we've already kind of hinted at the fact that we think it's a good thing and some of the reasons why, but it is something I think more people should get on board with it. It's kind of the fashionable opinion is there for business at least is that it is a pain, no one - Bureaucracy for both bureaucracy's sake. Yet no one knows how to do it. People think there's not enough information online. But actually I think that it's not that bad.
[00:20:51] So in this bit, we're going to show you at least tell you what we've been doing GDPR wise. You know we're not lawyers, we don't claim to be data protection lawyers. We are not lawyers. So this is the advisement only. I guess I have to say that in case our lawyers get me to stop. Disclaimer.
[00:21:11] We're just going to the broader level on how GDPR affects automated sale systems and the automated sale systems that we've been building for our clients and building for ourselves, and we talk about in this podcast is I think for me one of the ways that we navigate that buyer journey is through audiences once they've engaged with our materials or clients materials.
[00:22:30] Obviously you want people to engage with and accept these but you have to give them the choice. Yeah. And then looking at consent forms and consent forms in subscription forms on email opt ins - to make sure that actually not only are people not only are you transparent about people opting in to receive a free download but ultimately they have a choice to opt in to additional marketing offers. All about consent it and making it clear. So I think the key bit is that actually the automated sale system still works. You just have to make sure that you are transparent about the way that you are using people's data.
[00:23:12] Yeah absolutely and if you are really providing valuable content information as part of that sales which we should be anyway providing things that people are interested in and they should be happy to receive it and they will be in a sense well you know they won't kind of complain that their data's being collected because they get value in the things that we specifically deliver to them. And we're able to do that by them giving us the data for us to see what kind of things we should send them.
[00:23:43] Yeah I think that leads nicely onto why we think it's a good thing. So the big one for me is that you know we our sales systems are built on value. If our materials that we develop for our clients, for ourselves are not in our prospect eyes to have the right level of perceived value they are not willing to engage with this and they are not willing to consent to be marketed to. Then we see the value in what we're creating is not enough and we need to up our game. So if they don't opt in - it means that they don't think it's worth trading their data for what we have to offer, which means we are not delivering value and it means we need to work harder to do that. So it helps us measure it really.
[00:24:30] Yeah I certainly think that what it does, it aligns data with value. Before it was everyone's got my data and they can do what they want with it - which devalues my own personal data. But now, I'm in control. I can give my personal data to who I want to give it to and maintain control of that. So now it is more valuable. Yes absolutely. So we need to make sure that what we are creating in our marketing materials is valuable enough to receive that information and engaging enough in terms of problem solving for people to want to engage with us and then to consent to be contacted by us. Definitely. And I think that's really going to separate the wheat from the chaff. I think so too.
[00:25:21] And looking at it from another perspective as well is thinking about how the new regulations kind of offer you the opportunity almost to do like a spring clean of your data as well. So not just in terms of making sure that you comply with the regulations but also the fact that you are going to have to get people to opt in or kind of re-opt in to your emails means that ultimately you will lose people. And I think people panic about that panic about email list shrinking. But equally you should see it as an opportunity to actually spring clean your data because you don't want people on your email list who aren't engaged. You want people on your email list who are genuinely interested in what you have to offer. So if people aren't really opting in to your marketing it's not necessarily a bad thing because it means you're not wasting your time on them.
[00:26:23] Yeah, no I agree with that. I think what you're going to find is that your conversion rates on your email campaign are going to go up, because actually you just talking to people who want to receive your information. Yes exactly. You're just filtering out basically, it's not something to be scared of. And certainly now with GDPR you're not going to be able to hold people's information who 1) don't want you to have it or 2) will take no value from what you've got to say. Yeah. I think one thing you're going to see is that because people know GDPR is coming in any emails that come in that they've not re-opted into they're going to complain. Yeah. Or at least definitely unsubscribe and then that's it. And kick back which is why you really need to be careful to make sure that these people have opted in because you don't want to harm your business reputation in that sense, it's going to be pretty obvious I think if you've not if you've not done your homework on it. Either with intent or without still doesn't look good for business I think to not be on the ball with that sort of thing.
[00:27:21] And that's again why it's another good thing is that it's a reputation boost. It shows you're a credible organisation that - you respect people's personal data and you act accordingly. I can't wait for it because I receive so much spam. This is just a way for me to whitewash my whole email inbox. Yeah, I have a lot of emails saying we need you to resubscribe and most of them I'm like nope. But yes they obviously you know those companies will lose you know a lot of people but equally those you know they didn't want me on their list really because those emails that I get now, I just marked as read or send them you know send them to trash or whatever.
[00:28:03] You know I'd rather someone just not reconsent into my email than have lots of people just marking me as spam because those negative data points on those go back to the email campaign platforms and has a detrimental effect on you being able to email everybody. Exactly. So better not to have those people in the first place and that's what it'll do. So any more reasons why GDPR is a good thing in your view?
[00:28:34] I guess just on a personal level I think it's a good thing. I think I would like my personal data to be treated with respect and for me to have control. Yeah absolutely. And you've got to remember that you know businesses and individuals are made up of the same people. So it's kind of that do unto others as - I don't know my Bible verses - so you would have them do unto you. But that's the crux of it really is that you wouldn't want your data to be misused so don't misuse other people's data.
[00:29:09] I mean a great example is this and I was watching the Congress discussion between Congress and Mark Zuckerberg, and the guy asked him if he would like to give away the location of his hotel. And Zuckerberg said no. And it's like the same kind of thing. He respects his personal data but obviously, no but Facebook has been in this whole data quagmire about treating people's personal data with respect and there Zuckerberg part of the entity was wanting to be a bit withdrawn on his own data - always these are high profile person. Yes yes but the principle is the same. Yeah absolutely. Quagmire, didn't think that word would make it on to the podcast but there it is.
[00:29:57] Okay, so are we pretty much there? Do we have anything else to talk about GDPR wise?
[00:30:03] So just a quick overview of what we've done to comply. So the biggest bit of information around complying with GDPR requirements is go to the ICO website. ico.org.uk.
[00:30:24] That is the information commissioner's office for the UK and obviously each country will have their own version of that. But that is where the data is going to be correct. Yeah absolutely. You'll hear a lot of things, lots of different blog articles, podcasts. Some of them from us saying a lot of different things, but again we're not laying too heavy on the advice on what you should do because really you need to go to the ICO website because that's where the facts are correct.
[00:30:56] What do you think about the facts that some people have been saying that they don't think the information on the ICO website is clear enough?
[00:31:05] I've certainly trawled through the ICO website with regards to GDPR very heavily. Some of it does take some thinking about, and putting it in and applying the information the ICO is giving you to your own circumstance. I think that's the difficult part of it because the ICO is trying to talk to everyone and trying to talk to every business, every business type, any layer of the amount of data that they have in any respect and it's obviously going to be very difficult for them to find the message in which resonates with everyone, goes back to our customer persona workshop. So building a customer persona for your business. We want to talk to one direct person but the ICO has to speak to millions of profiles in the resource it has available. Exactly. It can't go to every business in the UK and say this is exactly what you need to do. So there's going to be - there is always going to be a level of interpretation that you have to do. But yeah I agree I had a good look through most things not to the same level as you and I think that yeah that's where the difficulty is this knowing - okay how much of this do I have to apply to my own business, but I do think it is possible you just have to give yourself the time to do it really and not expect someone to do it all for you.
[00:32:17] Yes exactly. This is legislation coming into play just like any other legislation that comes into play, you have to conform to it. Yeah. And you know if you are going to be the owner of a business then you have to deal with it basically. Suck it up.
[00:32:33] So yeah, what else have we done? We've data mapped internally all the personal data that we collect and who has ownership, who has access rights, and where is that data stored, are these storage secure? So is it encrypted from transfer on storage perspectives?
[00:33:09] So I think the key message with that is plain English isn't it? No legalese in those privacy policies. You need to be really kind of clear about what you're doing with people's data, and what is the legal basis for collecting and using that data.
[00:33:25] We have created data processing agreements that we have issued to our clients because we wanted to be proactive in establishing that contractual responsibility on data management. We have updated our opt in forms on the website to include a transparent consent base for opting into additional marketing. This then links up to our CRM system so we know exactly who we can and cannot market to.
[00:33:58] We've installed Cookiebot - which is as used by the ICO. They don't officially recommend it but they use it. Cookiebot gives the cookie notice when someone accesses your website for the first time and actually restricts cookies from starting until someone opts in - which I thought was very clever.
[00:34:17] And we have also reviewed the software platforms that we use across the board to make sure that they are GDPR compliant. They will be storing personal data to the requirements of GDPR. So that we're covered on all angles. Yes. So yeah, we've we're pretty much there now. Yeah, lots going on. So how long did it take you to do that, because you pretty much did all of that.
[00:34:44] For people wondering - ah that's a lot, how long is it going to take and obviously not everybody's going to have to do all of that, but how long did it take you to get all that done. To get all that done it probably took me a few hours every day for a week. Okay. So you've still got time. I say we're quite heavy on how much personal data we collected so that was ample time it wasn't like I was stressed out about it. It was just ticking the boxes, getting things in place. There's a 12 stage checklist on the ICO website, which is very useful. Yes I saw that. That's pretty good. I think we're good to go. Yeah, I think so, great stuff. Okay, so what are we talking about next time?
[00:35:25] Next time we're going to move on from GDPR.
[00:35:27] We're going to be looking at the rise of Chatbots. Chatbots, everyone's talking about chatbots. Yeah, and how chatbots can ultimately help us to automate our sales process and certainly reduce some of the workload in the early stages of the buyer journey. Sounds good. It is going to be exciting, can't wait. Yes, I'm quite interested in that one, because I don't know much about chatbots but I would like to know more about them so... Excellent!
[00:35:59] Well join us next week for our episode on chatbots. We hope you enjoyed and taken a lot from this one. If you have any questions drop us a note at the bottom of the podcast page and we'll get back to you. And we'll probably direct you to the ICO website. But enjoy the hell that will be the next week before GDPR kicks in, and we'll see you next time.
[00:36:23] See you next time!