GDPR: what you need to know & do as a Folksy seller

Have you heard about GDPR? Are you confused about what it is, if it even applies for you and what you need to do as an independent maker? You’re not alone. Big businesses and even lawyers don’t have all the answers and there are some grey areas where you’ll find conflicting advice. While there is a lot to get your head around, much of it is best practice anyway, some of it won’t apply to you as an indie business and you might be doing some of it already, so don’t panic – it isn’t as scary as it seems!

In this blog post, we’re going to try to lay out the main points of GDPR and explain how the new regulations apply to you as a small creative business and what you need to do to make sure you comply. However, this shouldn’t be taken as legal advice and you should always contact an expert if you are unsure about any aspect of the new legislation.

What is GDPR?

The GDPR (General Data Protection Regulation) is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It comes into force on 25th May 2018 and is designed to give people increased protection and control over their data, and place greater obligations on how all organisations, large and small, handle personal data.

Does GDRP apply to me?

In a nutshell, yes! The legislation applies to all businesses operating in the EU that process personal data, as well as organisations outside the EU who offer goods or services to individuals within the EU. As an online seller, you will be collecting data such as a customer’s name, email address or postal address. So whether you are a sole trader, a limited company or a hobbyist just selling a few of your products online, if you have have an online shop selling goods within the UK or to the EU, you will be collecting and processing personal data, which means the GDPR does apply to you.

GDPR applies even if you don’t do anything with that data other than just post the product a customer has bought. You don’t even need to store data about your customers for the new regulations to apply to you. As lawyer and GDPR expert Suzanne Dibble explains: “Anything you do that involves personal data brings you into the realm of GDPR.” –  https://suzannedibble.lpages.co/gdpr-replay/

The good news is that, the regulations are mostly based on best practice, so there are many aspects of the new legislation that you will probably be doing anyway. Which means that, although it might seem like a lot of hoops to jump through, becoming GDPR compliant isn’t as daunting as it can first appear and it can even be a positive thing for your business.

What do I need to do to be GDPR compliant if I sell on Folksy?

You will find lots of conflicting (and wrong) advice around GDPR, especially concerning consent and gaining ‘reconsent’ for marketing purposes like mailing lists. To make sure you are getting the right information, understand what is expected of you under the new regulations and get practical tips on how you can meet them, start with the Information Commissioner’s Office (ICO) GDPR Toolkit > https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/

We have summarised some of the main points that relate to you as Folksy sellers below. But please bear in mind that this information is intended to help you as a Folksy seller and should NOT be taken as legal advice. We do not have all the answers and are very wary of giving incorrect advice. If you have your own online shop, there may also be other actions not mentioned here that you will need to implement, for example, a GDPR-compliant Privacy Policy in the footer of every page. Again, please refer to the ICO’s guidance to ensure you are fully compliant.

Understand what data you have and where it is stored.
One of the obligations you have under the GDPR is to understand what personal data you have and how it is stored and processed. As a Folksy seller, the personal data you collect will probably be:

• Customer’s name
• Customer’s postal address
• Customer’s email
• Customer’s username on Folksy
• Recipient’s name (if applicable)
• Recipient’s postal address (if applicable)

This data will be stored in your seller dashboard and also in sales notifications emails and any correspondence (email or otherwise) that you may have had with a customer or user. If you have a mailing list you may also have other personal data, such as a subscriber’s name and email address. You may also have lists of suppliers or names of contacts in shops and galleries.

•   what type of information you have (emails from buyers, emails for mailing lists, delivery addresses, etc.)
•   where you store it (a spreadsheet in Google Docs, written in a notebook in your filing cabinet, etc.)
•   what you do with it (store it for your records, send monthly newsletter, etc.)

You must only use personal data for the specific purpose you have collected it for.
In the case of a purchase, that would be: delivering the item(s), emailing confirmation of the order, emailing the customer with delivery details for that order, and storing for your financial records. You must not use the personal data you have gained from that order for any other purpose. You must not add them to any mailing lists or use that data to contact them about anything unrelated to that particular purchase.

You must delete someone’s personal data if requested. 
An important part of GDPR is the right to erasure. This means everyone has the right to be deleted from your records and database (rather than to listen to the era-defining Eighties pop band on repeat). The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing. You have one month to respond to a request. You will need to delete their data from all your records as well as any third-party service providers, such as your email service.

If a customer asks to be erased from Folksy, we may also contact you (as the seller) if they have purchased from you and ask you to delete them from your records and any databases. In both cases, if you need to retain information about an order they have placed with you for your business or legal records, you can still do that but you will need to anonymise that data so there is no way of identifying the person (eg their name, email or postal address).

Read more here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

Check whether you need pay the ICO Controller Charge
Many small businesses and independent makers don’t realise that, if they handle data, they might need to be registered with the Information Commissioner’s Office (ICO) which includes paying a notification fee. Did you know that? Most designers and makers don’t! When the new GDPR legislation comes into effect, this system will change and rather than registering with the ICO in the same way, businesses that process data will need to pay the ICO a data protection fee (unless they are exempt). This is also called a Controller Charge. You can check to see if you should be registered with the ICO here https://ico.org.uk/for-organisations/register/self-assessment/

More information here > https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf

UPDATE:
Complete and enable the Privacy Policy on your Folksy shop
You can now add a GDPR-compliant ‘Privacy Policy’ to your Folksy shop. Go to your seller dashboard and you will see a new ‘Privacy Policy’ tab under ‘Shop Settings’. This is prepopulated with a standard policy that you can change according to your needs.

It’s worth noting that the GDPR does not set a specific period for retaining personal data. Instead, it says: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.” The ICO recommends reviewing the length of time you keep personal data and why you hold that data. It also says that if an organisation keeps personal data to comply with a legal requirement or professional guidelines – such as information needed for income tax and audit purposes – it will not be considered to have kept the information for longer than necessary.

With this in mind, we have set the default time to retain personal data in the new standard Seller’s Privacy Policy to six years. Although you may not need to retain the personal data related to orders for tax purposes, this will ensure you can meet any HMRC requests (1) and fulfil your obligations as an online seller if a customer complains about a purchase within the timeframe given below (2):

1. HMRC recommends keeping your records for at least 5 years after the 31 January submission deadline of the relevant tax year https://www.gov.uk/self-employed-records/how-long-to-keep-your-records.
2. Customers have up to six after they buy an item to complain (even though they may not be entitled to a return or refund) – see here https://www.gov.uk/accepting-returns-and-giving-refunds  and here https://www.moneysavingexpert.com/shopping/consumer-rights-refunds-exchange

What if I have a mailing list and send out newsletters?

If you have a mailing list, there are additional things you need to do to make sure you are GDPR compliant. It can be confusing – can you keep your existing mailing list, should you ask for fresh consent or do you need to bin your entire mailing list and start again? Again, there is lots of conflicting advice, but here are some of the main points. This does not constitute legal advice so please do check with a legal expert if you are unsure.

You can only add customers to your mailing list if you have their explicit consent.
You can only add someone to your mailing list if you they have given you their explicit permission to do so. You are not allowed to contact a previous customer about a special offer or anything else, or add them to your mailing list unless they have given you explicit consent to do so. This has not changed with GDPR, although the rules have tightened and the standards of consent are higher than before. Consent must now be explicitly given, which means you have to ask people to opt-in to your newsletter rather than have a pre-ticked box, for example. As another example, you cannot automatically sign people up to your mailing list as part of a competition – if you want them to sign up to your newsletter, this needs to be a separate tick box that they check to opt into (ie not bundled together with entry into the competition).

Tell people what you are going to do with their data when they subscribe to your mailing list.
One of the key components of GDPR is transparency. For example, if you have a form on your blog where people can sign up to your newsletter, you need to tell them exactly what you will be doing with their data. So if they are signing up to your mailing list, will you be sending them an email newsletter just with offers on your products or will you also be sending them information about workshops you are doing with other makers? Will you be sharing their data with anyone else – someone else who is running a workshop with you, for example? Will you be using their data for anything else?

Under GDPR, consent must be specific and informed – that means if someone has signed up only to receive news about future workshops, you cannot then email them with an unrelated offer on your products. Or if you change your business you cannot use their data, add them to your new mailing list, or use the same mailing list for your new business, as you haven’t been given explicit consent for that purpose.

So if you have different newsletters, make sure you give people the option to opt-in to each one separately. If you just have one newsletter that you send out which contains information about offers, news, exhibitions, craft fairs and new products, that’s still fine! Just make sure you tell people what they will receive from you at the point where they sign up, and be as clear as possible – the more “granular” you can be about what people are signing up to the better.

You will also need a GDPR-compliant privacy policy at the point where people give their consent to be added to your mailing list.

You must be able to show how consent was granted.
As part of GDPR business owners need to show what consent has been given and how. So if you have a mailing list, you need to demonstrate how people have signed up to it – ie did they subscribe to your mailing list at a craft fair and you then added them manually, or was it through a hosted form on your blog? This shouldn’t be as tricky as it first sounds, because if you are using a third-party service, they should have a record of how people signed up and the information they were given at the time. Do keep a record of your privacy policy if that has changed though, and similarly document the text people were shown when they signed up to your mailing list and any different versions of that text.

Make sure the data held on your mailing list is secure.
As before, any personal data you hold needs to be secure. So if you have a mailing list, check this is safe – if it is stored by a third-party service like Mailchimp, Fusion Mail or Octopus it *should* be secure as you will require a password to log in.

You must give people simple ways to withdraw their consent.
Any marketing emails you send must have a clear and easy way for the user to unsubscribe, and you need to tell people when you collect their data that they have the right to withdraw their consent at any time. If you use a third-party service (eg Mailchimp, Fusion Mail or Octopus), an unsubscribe button is normally included automatically in the footer of every email.

Only keep personal data for as long as necessary.
For example, if you collect people’s email addresses for a newsletter and then stop sending that out, you need to delete those email addresses. You can retain order information for financial and legal purposes.

Make sure data you keep is accurate and up to date and regularly refresh consent.
This means regularly reviewing your mailing list and asking people if they would still like to be subscribed. Only retain the minimum data necessary, ie when people sign up to your mailing list, don’t ask them for their gender, birthday or cat’s name unless you absolutely need to know it.

Do I need to get fresh consent from everyone on my mailing list?

You just have to check your inbox to see all the emails asking if you still want receive their news and offers to know it’s probably the thing most businesses are worried about. In fact, whether or not you need to get fresh consent from your subscribers is probably the most difficult question in the whole GDPR thing. The simple answer is that if you already have GDPR-compliant consent from everyone subscribed to your mailing list, then no, you don’t need new consent. This means, for example, all your subscribers actively chose to sign up to your newsletter via an opt-in (not opt-out) button, they were given the right to withdraw consent at any time, and you were clear about how you would use their data and exactly what they were signing up for.

If your mailing list is not GDPR compliant, or you have subscribers on your mailing list whose data you collected in ways which do not meet the new regulations, you will need to either remove those people from your mailing list or get new consent (also known as ‘reconsent’).

This article has useful advice on whether you need to ask your current newsletter subscribers for fresh consent – https://suzannedibble.com/do-i-need-to-get-reconsent-from-an-existing-list/

A note on newsletters and the GDPR
Newsletters are still one of the best forms of marketing there is, so don’t let the new regulations put you off! If you don’t already have a mailing list, maybe you could look at the regulations as an opportunity to start one and build a GDPR-compliant mailing list from scratch. If you use a third-party like Mailchimp, Fusion Mail or Octopus, they can store all the personal data for you, allow you to set up GDPR-friendly opt-in forms that you can host on your blog or website, and record when and how consent has been granted. You’ll then be able to start building a really engaged list of subscribers who you know actively want to see your new products and find out about your offers!

The new regulations come into effect on 25th May 2018, and although it is unlikely that, as a tiny independent business, you will face the huge fines that have threatened for companies who don’t comply, customers can complain about you if they believe you are using their data without consent or in breach of the regulations. So don’t risk having your reputation damaged by an investigation. Make sure you understand what you need to do, document the data you store, how you obtained it and how you used it, and always make sure you have clear, specific and explicit permission before adding anyone to your mailing list or contacting them for marketing purposes. 

We’ll keep updating this blog post so if you have any questions, post them below and we’ll try our best to answer them.

Picture credit: Personalised address stamp by Typewrite Design 

—————–

Where to find more information on GDPR:

Find FAQ on GDPR – https://ico.org.uk/for-organisations/business/guide-to-the-general-data-protection-regulation-gdpr-faqs/

The ICO offers a phone service aimed at people running small businesses. Dial the ICO helpline on 0303 123 1113 and select option 4 

Watch this webinar by Suzanne Dibble on GDPR Mythbusting – https://suzannedibble.lpages.co/gdpr-replay/

Learn how to set up GDPR-friendly sign-up forms on Mailchimp – https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms

Preparing for the GDPR: 12 Steps to Take – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

Join the GDPR Facebook Group for Online Entrepreneurs – https://www.facebook.com/groups/GDPRforonlineentrepreneurs/

Do you need ‘reconsent’ from your current newsletter subscribers – https://suzannedibble.com/do-i-need-to-get-reconsent-from-an-existing-list/