The information and advice available on the GDPR legal requirements coming into play on the 25th May 2018 is enough to make your head spin.
For those of you that don’t know, the GDPR is regulations on how you collect, store and use your customer data. It’s important to note that this is not a new data protection obligation. It replaces and mirrors the previous requirement to have ‘appropriate technical and organisational measures’ under the Data Protection Act 1998 (the 1998 Act).
However, the GDPR provides more specifics about what you have to do about the security of your processing and how you should assess your information risk and put appropriate security measures in place. Whilst these are broadly equivalent to what was considered good and best practice under the 1998 Act, they are now a legal requirement.
It all looks very complicated and very scary, so we’ve gone through it to give you a simple and easy guide on what you need to do and how, updating Strelitzia along the way to make it as easy as possible.
Collecting Personal Data:
Every day, you collect new customer data. You enter customer details and recipient details. But how should you be collecting that data to make sure you’re GDPR compliant?
Customer details and recipient details are vital parts of taking an order. This is still ok to do, and you do not need to alter the information you are taking if you are inputting data directly into Strelitzia.
Alterations made to Strelitzia for GDPR compliance when collecting personal data:
- Tick box more prominent when taking an email for marketing purposes:
When you are entering a new customer into Strelitzia, you will see there is a new tick box underneath the email boxes:
This box has always been there, but in the messages tab. We’ve moved it, so it’s more prominent and you remember to ask the customer. Note that the email address you enter into the marketing box will be the one that is used for emailing promotions and special offers.
Collecting email address for marketing purposes is important for small businesses. It’s an easy and effective way to reach your customers and generate more sales. If the box isn’t ticked, when you move on from taking customer details, the referrals box that appears has a new question, prompting you to ask your customer about using their email address for marketing purposes. If you’ve already asked the customer and they said no, just ignore it. Select where your customer heard about you and continue taking the order.
- Favourites feature has been removed:
When you go to recipient details, there used to be a favourites feature. We have removed this and you can only see past recipients.
So, you have personal data, and you’ve collected it correctly. What do you need to think about next? There’s 3 things to take into consideration:
Strelitzia has an auto-log-off feature, and if you don’t currently use it, it’s something we suggest you consider starting to use. This is an extra security feature that means the data held on your system has an extra level of protection.
Think about scenarios connected to where your computer is positioned. For example, if your computer is at the front of your shop and you have a workshop at the back, someone walking into your shop could see personal data if left on the screen. With the auto-log-off feature, this eliminates this risk.
Aside from that, you need to make sure your computer is up to date with current firewalls and you have strong and safe passwords to log-in.
The GDPR states that it is up to you to work out how long you should keep personal data, depending on how valuable it is to your business.
Customer and recipient information is extremely valuable to a florist business in terms of repeat custom. It means you can run your business and take orders in a quick and efficient manner, avoid future mistakes in address taking and allows upselling.
It is completely up to you how long you keep personal data, but remember:
HM Revenue & Customs charge penalties for not keeping adequate records for the required period. They go so far as to recommend that businesses keep their records for a minimum of six years.
So, how do you go about deleting personal data from Strelitzia?
If you go to the accounts tab, you’ll see all your customers listed. There is a new ‘erase’ button at the bottom of the screen. This allows you to delete personal data of customers that have not placed an order with you since a specific date:
If you want to erase a specific customer from your database, then find that customer and view their details. Go to the Options tab on the customer box, and you’ll see at the bottom a feature to erase the customer details, and to erase the recipient details attached to that customer:
Note that deleting personal data off Strelitzia will not affect any reports you run on sales.
When it comes to marketing to your customers you need to think about data that was collected before the 25th of May, as well as data collected after.
Your current email database:
You can continue to market to your current database if they have opted in for receiving your marketing emails and you have evidence of this.
We would advise you to send an email out to all customers that is simply asking them to unsubscribe if they are no longer interested in what you have to offer them.
Make sure that every email you send going forward has the option to unsubscribe. The email service we recommend to send marketing emails is MailChimp.
Quote from GDPR Consent Guide on the ICO’s website on existing databases:
“You are not required to automatically ‘repaper’ or refresh all existing DPA
consents in preparation for the GDPR. But it’s important to check your
processes and records in detail to be sure existing consents meet the
“Recital 171 of the GDPR makes clear you can continue to rely on any
existing consent that was given in line with the GDPR requirements, and
there’s no need to seek fresh consent. However, you will need to be
confident that your consent requests already met the GDPR standard and
that consents are properly documented. You will also need to put in place
compliant mechanisms for individuals to withdraw their consent easily.
On the other hand, if existing DPA consents don’t meet the GDPR’s high
standards or are poorly documented, you will need to seek fresh GDPRcompliant
consent, identify a different lawful basis for your processing
(and ensure continued processing is fair), or stop the processing.”
Click here to read the full document.
Collecting emails in the future:
You have to make sure that you ask every single customer simply and clearly if you can use their details for marketing purposes.
We advise you to collect your data using a GDPR compliant method, as explained above in Collecting Personal Data. To repeat that information, when taking an email address, tick the box that states ‘Allow email for promotions and special offers’ if the customer has agreed.
This means that when you export your email database for marketing purposes, only the emails that have had the box ticked will be exported.
*Florisoft, trading as Strelitzia Software, is now fully GDPR compliant. We do not keep or store any of our user’s databases, and exactly how our users collect, retain and use their own databases is their liability. The information outlined in this document are suggestions and it is up to the florist to make their own decisions.
To read the full GDPR guide, CLICK HERE
To read an earlier statement from Strelitzia about GDPR compliance, CLICK HERE
We hope that’s helped, but if you have any questions, please don’t hesitate to contact us on 01325 722398, or send us an email: [email protected]
Don’t use Strelitzia and need a software that will help you become GDPR compliant? Get your free demonstration now by calling 01325 722398 or sending us an email: [email protected]