Feature business practice | PPC90 March 2018

The General Data Protection Regulation (GDPR) means that individuals have greater control over how organisations collect, use and protect their personal data. It’s potentially a big change to how you’ll use client information when you’re marketing to them.
Content and Communications Officer, Scott Johnstone, investigates how the changes will affect the way pest management companies do their marketing and store data.
Fiction vs Fact
There are some big myths about how GDPR will affect a business. Let’s address them first.
| Fiction | Fact |
| --- | --- |
| GDPR does not apply in the UK because of Brexit. | The ICO (Information Commissioner’s Office) has been clear that GDPR will apply regardless of Brexit. |
| The ICO can only fine businesses up to £500,000. | The ICO has been given increased powers and can now fine up to 4% of global turnover if you breach GDPR. |
| GDPR only relates to personal consumer data, not businesses. | Some business data, such as that of sole traders, is personal data and GDPR does apply. |
| I need to ask my people every six months if I’m able to communicate with them. | If you have a legitimate interest to market to someone you can do so, but you must provide a clear and simple opt-out. |
| My data is protected by a third-party and confirmed compliance, so I don’t need to think about GDPR. | The company that uses the data can be fined for using incorrectly consented third-party data. |
Handling data
Your accountability on how you collect, use, process and store data has now increased. You’re required to take privacy and data protection seriously, right from the point you begin to collect the data.
Data portability
Individuals can also ask for their data to be passed on to other organisations quickly and, above all, securely.
Breaches
You must report any data breaches to the ICO within 72 hours.
Forget me
Individuals have the right to be forgotten by your organisation. However, you can hold this data as a suppression.
Subject access requests (SAR)
All individuals have a right to ask you for any and all data that is held about them. You will no longer be allowed to charge for this.
Profiling
You can still profile your individual contacts; however, the new rules mean you need to offer them an opt-out.

Consent
Let’s quickly define two types of marketing:
- First-party marketing – to a customer who has made an enquiry or expressed an interest in your goods or services
- Third-party marketing – to a new cold prospect that hasn’t expressed an interest in your goods or services.
GDPR says that marketing to your existing clients (first-party marketing) is a legitimate interest. This makes it fairly simple to market to them. Offer them a simple, easy-to-find opt-out option when you collect their information and when you communicate with them.
Following on, any marketing you send must also have an opt-out.
When you buy data or harvest it yourself, it’s harder to stay compliant. This means your audience must opt in, and it can’t be a condition of another service, prize draw or competition.
Updating Privacy Policy
If you want to update or correct your privacy policy to let people know how you’ll be using their data, how you intend to communicate with them or upgrade your opt-out policy, you need to publish a Privacy Notice which informs everyone there are changes to the policy. There’s guidance on how to do this on the ICO website: ico.org.uk/for-organisations
What this means for marketing
You need to make sure you’re collecting, processing and storing data in the right way.
With your current clients, it’s more important than ever that you keep them engaged and don’t let them lapse; otherwise, you won’t be able to claim they have a legitimate interest. The ICO doesn’t suggest a specific amount of time for when a contact has “legitimate interest”. However, if you communicate with them regularly and they respond (and you have a clear opt-out section in the communication), then you have good grounds to keep marketing to them.
It’s going to get a whole lot harder to market to cold prospects, and you should do this with caution. Hopefully, after GDPR has been implemented for a while, data sets should improve because of the regulations (however, the price for such data will probably increase).
Getting ready for the deadline and moving forward
- Map your data flow
- Understand how the data has been collected and what consent is in place
- Check the quality of your data and do a gap analysis
- Fix the data gaps or purge the contact from your database
- Check your opt-out messages are working or need improving
- Capture all new data in a way that is compliant with GDPR
- Spot check all third-party data regularly
Disclaimer
At the time of writing the exact requirements for GDPR are still being considered by the ICO. You should not take this article as legal advice.
Further reading:
ico.org.uk/for-organisations/data-protection-reform
dma.org.uk/gdpr
fedma.org
Scott Johnstone
Content and Communications Officer
1 March 2017 | PPC90