Running a business can be exciting, ever changing and rewarding! It can also be challenging, continually monitoring sales, staying ahead of competitors, having a marketing strategy that works and keeping the team motivated and engaged! With so much to manage it’s not difficult to lose focus and go off track.

Here, we take a look at five ways to keep your new business on track.

Have a plan

To know in which direction your business is going, you must have a plan! It doesn’t have to be long-winded, full of forecasts, graphs and charts which mean nothing to anyone except the person who created it! It should be tailored and relevant to your business. Only you and your team know your vision and the final destination; if 5 key points on the board work for you, that is great. Keep it simple and stick to it.

Know your finances

Keeping on top of your finances is an absolute must! Cashflow problems are the biggest cause of business failures. Whatever the scale of your funds, as a business owner it is essential you understand them. If finances confuse you, don’t cut corners or ignore potential problems. Always seek professional advice: a good financial planner or accountant can be the difference between the success and failure of your business. Advice should always be sought if you are investing in new products or services or borrowing for expansion.

Monitor your competitors

We all want to stay ahead of our competitors, so it is important that you view them not as enemies but as an essential resource for your own business planning and investment. You can learn a great deal from the successes and failures of your competition, as well as being able to tailor your own services to fill gaps which are left open by competitors.

Have a great marketing strategy

You can spend thousands on marketing with little or no results! Know your target demographic, engage and communicate with them effectively. Your website must have lively and engaging content, which captures the audience’s attention. One crucial point with your website is to make sure it is up to date, because there is nothing worse than out-of-date content! What message does that send to existing and potential customers? Social media has a place but needs to be tailored to your type of business and audience. One of the best forms of marketing is face-to-face interaction, so go networking! People buy from people! Not only are you promoting your business but you build up a great network of business contacts.

Conduct regular reviews

The world of business is ever changing and here in the UK we face unknown and potentially uncertain times in 2019. As well as changes to the market, competitor strategies also change. The only way to ensure that your company is always moving in the right direction and staying on track is to conduct regular reviews. Think of it like a regular dental check-up or an annual car service – problems can be fixed once they are identified – left to fester they can become expensive and painful!  


GDPR and Consent

There are 6 lawful bases for processing data, which will apply in different scenarios.

When to use it?

Consent is about controllers getting permission to communicate with individuals they want to send promotional messages to directly, including by email, phone or in the post.

Controllers can no longer assume individuals want to be contacted. Individuals need to give express consent for these communications.

This means that when a company representative meets others at an event, or when individuals visit a website or make a purchase, separate consent for marketing and other further communications must be obtained (unless another basis is used for processing).

The detail

Consent must be:

Freely given. There should be no coercion, undue incentives or a penalty for refusal. The controller cannot make it a condition for using a service or website.
Specific. This relates to the type of communication requested and the organisation sending it. Thus, buying data is not valid if recipients have not actively opted in to receive data from other organisations.
Informed and Unambiguous. Make sure the consent is displayed clearly and is easy to understand so the individuals know what they are agreeing to.
Reinforced by a ‘clear affirmative action’. Recipients must make a deliberate action to agree to consent. Opting in cannot be inferred by silence, pre-ticked boxes or inactivity.

In practice this means that prospects, customers and partners all need to physically confirm that they want to be contacted by an organisation (the data controller) and do this with an affirmative action.

A pre-ticked box that automatically opts them in is no longer an option.

How to collect it?

The easiest method is to ask customers and other individuals to tick an opt-in box to confirm they wish to receive marketing messages and specify the channels to be used, with separate opt-in for each (post, email, phone calls etc.). Variations such as icons, sliding buttons, a confirmation email or oral confirmation are ok so long as:

The recipient understands what they have consented to, without any important details hidden with ‘small print’.
Recipients can easily opt out in every communication.
You have not broken the law in asking for their consent.

Do I need to prove it?

It is the controller’s responsibility to demonstrate valid consent. They need to document the date of consent, what has been consented to, the method of consent and who obtained it. These may be needed as records of evidence in the event of a complaint.

The right to be forgotten

What is it?

Individuals have the right to have their data ‘erased’ in certain specified situations – essentially where the processing does not satisfy the requirements of the GDPR.

When does it apply?

When data is no longer necessary for the purpose for which it was collected or processed.
If the individual withdraws consent to processing (and if there is no other justification for processing). If processing children’s data, there is an additional trigger related to consent previously given by a child with respect to an online service.
An objection to processing based on legitimate interests – if the controller cannot demonstrate that there are overriding legitimate grounds for the processing.
When data was otherwise unlawfully processed.
If the data has to be erased to comply with Union or Member State law which applies to the controller.

How long do controllers have to comply?

Controllers must respond without undue delay (and in any event within one month, although this can be extended in difficult cases).

What if the data has been shared?

If the controller has made personal data public, and a request has been received to erase the data, they must also inform other controllers who are processing the data that the data subject has requested it be erased.

The obligation is to take reasonable steps and account must be taken of available technology and the cost of implementation.

However, this could potentially be extremely difficult to implement, e.g. if it is now public domain data.

Exemptions

The obligation does not apply if processing is necessary:

for the exercise of the right of freedom of expression and information;
for compliance with a Union or Member State legal obligation;
for performance of a public interest task or exercise of official authority;
for public health reasons;
for archival, research or statistical purposes (if any relevant conditions for this type of processing are met); or
if required for the establishment, exercise or defence of legal claims.


Legitimate interest

What is it?

One of 6 lawful grounds for processing data under GDPR. This has helped many organisations breathe a sigh of relief as conditions are less stringent, but you must still consider the detail carefully.

When can I use it and what for?

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.

Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

The existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.

Note that legitimate interests is not a lawful justification for processing special or sensitive categories of data or for processing carried out by public authorities.

Controllers that rely on “legitimate interests” should maintain a record of the assessment they have made, so that they can demonstrate that they have given proper consideration to the rights and freedoms of data subjects.

Data processed on the basis of legitimate interests is subject to a right to object – which can only be rejected where there are “compelling” reasons.


So what would be included?

The recitals give examples of processing that could be necessary for the legitimate interest of a data controller. These include:

Recital 47: processing for direct marketing purposes or preventing fraud; (This also states that controllers should consider the expectations of data subjects when assessing whether their legitimate interests are outweighed by the interests of data subjects. The interests and fundamental rights of data subjects “could in particular override” that of the controller where data subjects “do not reasonably expect further processing.”)

Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data (note international transfer requirements will still apply – see section on transfers of personal data);

Recital 49: processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems; and

Recital 50: reporting possible criminal acts or threats to public security to a competent authority.

How is legitimate interest limited?

There must be “a relevant and appropriate relationship between the individual and controller”. This means you cannot use it to send marketing out to anyone you meet!

Legitimate interests can only be relied on when the organisation’s interests override the individuals’ interests. It is for the organisation to demonstrate that its interests override the fundamental rights and freedoms of the individual, and that it is acting in line with the rest of the GDPR.

When relying on legitimate interests an individual is still entitled to object to the processing. That right to object must be “explicitly brought to the attention of the individual and shall be presented clearly and separately from any other information”.

Transparency in communication

You need to demonstrate reasonable expectation, so it is important that you ensure individuals are aware up front how you will use their data and are given the right to object (and, if using it for retrospective processing on data collected under previous law, that the same processes were followed at that time).

You cannot therefore hide details regarding profiling and data use in a privacy policy or small print. On the other hand, you cannot put everything out there and expect people to read it.

A layered notice is best, where you provide a summary of how you will use the data, how long you will store it, any profiling and what they can expect from you (with a chance to object) and include links to more detail, for example in a privacy policy.

You can’t put something important in the privacy notice which would be unexpected and then try to argue that the individuals should have read it all!

A great example is this privacy policy from Microsoft with expandable sections and summarized content in an easy to read format.