5.5 GDPR

Collecting and Caring for your Customers' Data

Claire, Plantpassion


GDPR what is it?

GDPR is a data protection and privacy regulation that was enacted into EU law on 24th May 2018.
It addresses how and where data should be held and kept for all individuals within the EU and EEA, and also addresses the export of personal data outside that area. This is why it applies to almost all paper and electronic records that we keep.

GDPR applies to all data, but for us as flower farmers and florists, it is most likely to be key for:

  • Customers' data

  • Suppliers' data and

  • Staff / Volunteers' / Contractors' data



What do we mean by data?


It could be as simple as name, address, postcode and email address.

It could also be information about dates of events, or customer preferences and tastes.

Data counts if it is stored either electronically or manually in files.

GDPR states that you need to

  • know if you are a data holder or controller

  • hold data securely

  • get permission to hold data

  • ensure that data can be removed and deleted

How do you ensure that you hold data securely?

Keeping data for customers, suppliers and staff


When can you hold data and use data?

There are 6 different situations under GDPR where you are permitted to hold data. In all likelihood, only the first 3 will apply to us as small businesses:

(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

This is usually known as "consent". It's where someone has said "Yes, you can market to me and send me emails about what you are doing".

The consent must be an affirmative act: for example, you can't have a tick box that says you've consented automatically, and consent can't be a term of agreeing to something else (e.g. "just because you've bought this, you've therefore consented to me keeping your data and sending you more information").

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

This is known as "contract" and, as with terms and conditions, it doesn't need to be a written contract; it can be that someone has asked to buy your goods and has expressed an interest in knowing about what you sell. However, you can only use the data to contact them about the particular product or service that they have asked about, for the length of time the sale takes place.

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

A good example of this is where you need to keep details about staff and their right to work in the UK (i.e. NI number or passport details).

(d) processing is necessary in order to protect the vital interests of the data subject;

This is unlikely to apply to us, but it covers cases where you need data about someone to protect their life, e.g. in a hospital emergency situation.

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

The most difficult circumstances for collecting data are for children and those not able to speak for themselves. Whilst this may be a problem for medical and charity professionals, it shouldn't affect us as flower farmers.

Question
Which of these situations apply to you?

What information do you actually need?

A key part of my GDPR training with an expert in the field was thinking about the key question:
What information do you actually need?

My tutor's take on the subject was that most companies take far more information than they actually need, and keep that data even when it is no longer necessary for them.
He had been called in to help a customer that was sure they only kept data for 5 years, but he had found data relating back to 17 years before, because they had merged with another company.

So let's think about the information that we really need:
For a retail customer who is buying a bouquet:
We need a name, an address, contact details, a description of what they are buying, a message to go with the flowers and an address to deliver them to. These are covered by contract, but after the contract is over (e.g. we've delivered the flowers), what information do we need to keep?

GDPR says that when a contract is finished, we no longer have a right to use the data; unless that customer has given consent for us to contact them again, that data is not needed. We may want to keep it for a while in case of a dispute, or for our tax or accounting records, but how long should that be?

How long do you want to keep data for?

Getting rid of data


When did you decide that you no longer need the data?
Was it 1 year for previous customers? 7 years for suppliers who you need account details about? What about if staff leave? What about if someone asks you to take them off your lists, as they have the right to do?
Whatever you decide, at some point you'll need to destroy your data.
If it's on a computer, hitting delete seems to be the right thing to do, but have you remembered your backups?
Are paper files going to be burnt, or shredded? (mine are shredded and then put in my wormery!)
Whatever you do, it's important to (ironically) keep a record of what you've destroyed. A simple log recording the dates on which records from xxxx dates were destroyed should suffice for small businesses.

How can you make sure customers want you to keep in contact?

As data can only be kept if consent has been given, how do we ensure that our customers, suppliers and staff can find out more about what we do, and want to keep in touch?
Information about what we can offer them is key!


Social media and email marketing are amazing tools for this. At this point, if someone has signed up to follow your social media feed, or said that "Yes" you can send them emails, you have them as a captive audience. This is a really important time to give them the information that will keep them as keen customers.

So what do they want to know?
This will differ slightly from business to business, but really it's a case of answering the most basic questions over and over again:

  • Where are you?

  • What do you do?

  • Where do you sell?

  • How can I get what you sell?

  • Where do I find out more about you?

For customers to return time and time again, and to want to give you their details, you need to market to them and give them the information they want.

TASK
Think about a company that you get regular emails from
Why do you want to hear from them?
What might make you unsubscribe?
Can you learn anything for your own business from this?