With the new GDPR law in place since last year (25 March 2018), small businesses that collect personal data from consumers don't have much choice but to reconfigure websites and install new privacy policy content.

GDPR is naturally going to affect your SMS marketing efforts. This article tells you everything you need to know to be GDPR compliant.

What is GDPR?

GDPR stands for General Data Protection Regulations, a privacy law that gives European consumers more rights about how their data is collected, stored and used. The directives have been signed in Europe, but have a worldwide reach under the provision that any website that asks a European citizen for personal data is obligated to comply with GDPR.

So even if you are an American small business owner, and there is a possibility a European will visit your website (even if they're on holiday), you have to give them options about the data you collect from them.

The new law states business owners have to give explicit and legitimate reasons to customers about why they are collecting personal data. It also means you are not allowed to reuse the information for another purpose.

For example, when you ask customers to opt-in to your SMS campaign, you can't use their email address or phone number to send them a newsletter. Before you can send out your newsletter you need to get consent for that separately.

Furthermore, notification that you are collecting data and why you are collecting it has to be transparent and visible to customers. In most cases, that means building notification boxes into your website or adding notification to the bottom of your offline ads.

SMS opt-ins

Before businesses are eligible to send SMS messages, marketers have to request consent from customers first. GDPR does not affect this procedure, but it does have an impact on what you can do with the information.

There are essentially two rules to opt-in: hard and soft.

A hard opt-in is when you have advertised an offer and invite customers to send a text with a short code in order to accept the offer. Another example of a hard opt-in is when customers have ticked a box on your website or tick list confirming they would like to receive text messages from you.

Providing you are clear about how you intend to use this consent, you are okay to send SMS for different offers. For example, when you create an offer and invite customers to send a code, you must make it clear that by signing up for this offer, they give you consent to send other offers.

GDPR also says you must keep a record of how you received confirmation from customers giving their permission. This will be needed in the event someone makes a complaint.

Then there are "soft" opt-ins. This is when you already have customer information because they are an existing customer or a new customer who signs up for a specific product or service. For example, if you make a sale through your website, you are not permitted to send SMS messages unless the customer has ticked a box giving you consent to contact them by SMS, email, newsletter etc.

It's important to note that you have to ask for permission at every touchpoint. You can't ask for permission once and use that as consent for everything. Customers have to give their consent for you to contact them or use their personal data for each individual option.

If you only have a soft opt-in, you are still permitted to contact customers but only in reference to the service or product they initially signed up for. So for example, if you own a sports shop and a customer opts in for a deal on tennis rackets, you can't send an SMS for a deal on skis, only tennis rackets or tennis-related equipment.

Option to opt-out

When you give consumers the option to opt-in to your services, you also have to give them the option to opt-out. Furthermore, this option has to be made easy for them. For example, give them the option to take you up on a "soft" opt-in which only relates to a one-time offer.

What's more, any personal data you collect has to be accessible to customers. Firms are being asked to appoint a Data Protection Officer (DPO) who is to work independently of your IT and marketing team.

Customers have the right to request access to the data you have about them. Therefore, you should provide a contact number for the DPO so they can request this information.

Consumers also have the right to "be forgotten". If they choose this option, businesses are obligated to delete their contact details from their records upon request.

Giving customers the opportunity to opt-out is no different to current laws. The only difference now is that businesses have to present customers with this option in advance. For SMS marketers, one option is to invite customers to text one code for a "hard" opt-in and a second code for a "soft" opt-in.

Secure data

The last regulation to note is that sensitive data has to be stored securely and can only be processed for the purpose you have been given consent to use it. The GDPR software requirements here mostly relate to information you collect on a website, but also apply to data you receive via SMS.

Businesses are obligated to do their utmost to protect customer data from online theft, damage, destruction and accidental loss.

The purpose of GDPR is to give customers more choice about how businesses collect and use their data. The immediate impact for businesses is that as of 25 May 2018 you had to update your website, policies and operational procedures to ensure you are GDPR compliant.

Failing to make your business GDPR compliant will result in a hefty penalty: either 4% of your global turnover or $24.18m, whichever is greater. Needless to say, small businesses can ill afford to receive a fine for not complying with GDPR.
