What GDPR Means for the Manufacturing Industry with Tristan Bailey

What GDPR Means for the Manufacturing Industry with Tristan Bailey

 12 Jul 2018


Terry Mallin  :  So on this week’s hot topic, I'm joined by Tristan Bailey who is the owner of Holdingbay. Holdingbay is a development agency. To put that into a alignment Tristan helps manufacturing companies to create a website that is looking to scale your brand awareness and also look to create sales funnels within your website that is looking to convert that unto sales at the end of it. Because a lot of my experience all manufacturing websites is pretty poor, really good web sites out there but there's a lot of poor websites that-- it's just a presence, it’s just a page that's been put up there. So what Tristan focuses on is how do you create a profile that showcases your business in the best way, and that could be to current customers, potential new customers or new employees who are looking to join your business just the first thing that people watch out when researching a new company.

And off the back of that, Holdingbay as a business will work out how do you improve your sales conversions from your web site? So you may have a thousand people coming to your web site every week and every day and every hour, whatever that may be, but if you’re getting zero from that, then what’s the purpose? Unless it's just about the brand awareness.

So what Tristan would specifically look at is how do you convert as many of those leads as possible, and when you are converting those leads what is your doing is you’re gathering some data from a person, and I thought what would be very important today with the GDPR regulation due to come into effect in May, which is only a couple months away, thought  it would be useful to to discuss when we’re gathering data, what do we need to do to protect ourselves as manufacturing companies and to make sure that our processes and procedures are right going forward so hi Tristan, how are you?


Tristan Bailey : I'm good thanks. Thanks for having me.


Terry Mallin  : Pleasure, absolute pleasure. And just to be clear from the start guys me and Tristan are not qualified lawyers, this is not legal advice.  This is just 2 people who are passionate about manufacturing but for an understanding of GDPR, having a discussion and giving you in sort of layman’s terms how it affects you at your business. So Tristan, over to yourself then it could be good to get an intro so what is GDPR?



Tristan Bailey : Yes I’m glad you asked, so with collecting data when that comes from online website forms, collecting data for newsletters or product information or even for employees and collecting CDs or new data for new hires. This data often holds personal data that covers individual people and their movements. So what GDPR covers and that's where the crossover happens, is it covers the collection, storage and processing of that personal data.  And the personal data is things like someone's name, someone's date of birth, someone's personal e-mail address, things that are tie able to the person and not the business.


Terry Mallin : That makes sense.  I'm guessing it's-- you know you’ve touched on new employees that could also be existing customers and potential new customers, so if you’re getting some new leads coming through the website of people who are looking to work with us as a manufacturing organisation, what do we need to do to stay compliant?


Tristan Bailey : So there’s a regulation that covers the capture and processing of the data, so this covers all your past customers and stuff, as well as going forward. So in many cases you have to go through and audit the data that you're collecting and find where there is personal information in that, and if consent was not given to using that data for other purposes or for- it hasn't been given for a long time, you will likely have to collect that again and go back to those customers. The data that therefore we're talking about it's quite all-encompassing, it's not just saying keep one or two of these fields in your CRM, in Air Space system special. It's the right to be informed, so the right to know what this data is and what it's going to be used for and this is granular, so you can't just ask someone to sign up say for a newsletter and then be using that to contact them for other uses too, if you haven't made them aware in advance, the right to access that data.  

So there is some new rules that will come in that people can request the data that you have on them, the personal data you have on them, and you've got a short window of time that you have to be able to provide that in a form say a CSP or just a text file to provide the data you have.  Part of that is therefore also for the right to rectification, they're allowed to ask and be able to update and keep that information up to date which obviously can be useful for you too, you don't want to be storing out of date information on people.



It goes on, they have that the right to erase them, so if someone's decided they don't want to work with you or don't want information from you anymore, they have the right to opt-out at that granular level, so just from marketing, just from sales calls, just from other piece of information, but they also have the right to just say “please delete all personal information for me”. And this for some systems can require a re-assessment of how that system works, because the system may rely on key pieces of information like the person's e-mail address or some other piece of key information and that information now needs to be removed from the system but you don't want your system to fall over.  Just before I do the other points, there is some differentiation between that business use and the rights, and I’ll go unto the rights in a minute. There is-- You have to state what right you have to hold this information because if there is a need for that information for say a business transaction, someone has asked for an order or shipment and you quote, you're perfectly entitled to have that information.  But if the information is just being held on the off chance or for future use, then the use is not the same.   

There's a restrict on processing, so for example some people I see say when we’re using websites or have marketing databases of emails of that information, that can't be copied off and put to a different location or sold on and used by a third party unless the customer is aware of it. So you do have to be aware even if you're buying in-lists or buying in association with new partners to do that your diligence with them too.

There's also the right to—and to data portability that extends from being able to see that information, that for some companies it's going to be less so with manufacturing companies and often more with maybe the software vendors and the people that maybe have that information that the information can be processed. You may have this with some HR functions of being able to import and export that data, the right to portability we see this often more in the energy companies, or different things where you may have a vendor who may be with one gas company, one electric company and you decide to move to another one that your information, your setup and your system installs can moved and passed on where that is that personal information.


Terry Mallin  : And Tristan still on the basis of-- so I think one of the key aspects here is actually you know, if you’ve got existing data at the moment as getting people, how would the manufacturing company go about getting people to opt-in to future communications?


Tristan Bailey : That's the point that they do set out is that it's clarity, it’s written in clear understandable language, so sometimes you will need to re--  visit either your marketing or your privacy policies, terms and conditions to make sure that those bits that refer to opting-in refer to what you're opting in and it's nice and clear. It definitely means that, say for email-marketing and pieces like that, the double opt-in systems where there's definitely a record of that someone has opted-in, because the pieces that you need to both audit your internal systems for where this data is going and where it's going to be stored, but also you need to store when someone authorized you to-- when they gave their consent and where? So you're going to need to be able to store that in your systems of a date and time and where it came from, that consent; was it on an online form, was it in person, was it somewhere else that this information came from? And then just to follow back on it that question of therefore the re-consent, a lot of people going back and looking at their lists again, if those people in your data sets you haven't been in contact with or they haven't been doing business with you for a while, it's definitely worth going back and re-engaging with them.  

This is good for a business case anyway of warming up those leads, seeing whether they've got a new new project on, a new need at this time of year, but also therefore that you can get them to consent-in and record that information again. Otherwise there is grounds that you should be removing and deleting that information from your system.


Terry Mallin  : Some people with whom-- maybe listening may actually be thinking “I don’t even have a system” and pleased that she has that data and what could people do to be able to obtain the existing data that they’ve got and be able to try that as a certain process that can be done if you’ve not got a specific system in place?


Tristan Bailey : You have in-house to start with, following unto that is speaking to a company such as mine or a similar local company that can come in and help you evaluate what’s possible with your current system and definitely going back to vendors.  

The requirement is for you to know how your systems work, but also all of your partners.  You need to make people aware of which partners you're using, where their data is going to be shared, now if you're not sharing this personal information, if you don't have so much of a personalized system then that is not going to have some depth to it, but certainly in the sales and marketing functions, there may be third party vendors that you're using to collect that information and share and integrate to produce your campaigns and collect data on people.  And you need to go back to those vendors and ask them what are they doing? And get copies of their terms and their adherence to GDPR.


Terry Mallin  : So when did they opt-in your come existing custom or data base of data that you can't withhold, make sure that’s systemized and documented of where that person is coming from and when they opted-in to e-mail marketing. So then moving on to the-- we were talking of-- as I mentioned earlier about the various sales funnels that converts from an online website, what you’re doing is gathering a lot of new data from there, you know and you don't touch about updating.

So from a process and procedure point of view people need to update their privacy policies on websites etc.. can you give me a little bit more on that?



Tristan Bailey : Certainly so, speaking through with your legal counsel and the other parties that you need to update your terms and conditions and your privacy policy. Those are standard requirements that you definitely need to make sure that they’re clear and available, both on your website and for requests from other sources and that information then can be used for people to be aware of where that is, going into the sales funnels, you need to be able to when payments signs up for say e-mail marketing or webinars or white papers, those links, and what people are opting into are made clearly available to people.


Terry Mallin  : All makes perfect sense to me I think the reality is but for a couple of months I hope—we don’t have a lot of time and I know your business, Tristan what you offer in addition to you know working out online websites and looking at increasing brand awareness and creating sales funnels that converts the sales from manufactures, what you’re also are able to do is implement GDPR policies and procedures and processes for manufacturing companies.


Tristan Bailey : What we find is partners of... it’s easy to find seminars and workshops and to get aware and certainly you need to roll that across the company, that part of the policy is people's awareness, and the people's awareness of what data is private and how to treat that. So if people are making copies and keeping data locally on their PCs or leaving spreadsheets printed out in their interests, that’s covered and that you need to be private, need to be possibly secure and while people aren't using that, and secure in transit when you're sending it to someone else, to then move that off cross into its use in elsewhere in the business.


Terry Mallin  : And I think one of the important aspects that we discussed was in the basis of you know, a lot of manufacturing companies that will attend conferences and trade fairs et cetera, and the fact that this will also apply to electronics and business cards at these type of events, is that correct?


Tristan Bailey : Yes totally. So I mean being at a conference or a trade show is a big expense and obviously the most value is being able to convert some sales after and following up with people who have visited your booth. But you do again GDPR doesn't just cover digital media, it does cover the consent of that person. So if someone's come and visited your booth, you've got a big goldfish bowl just drop your business cards in to win a prize on the day, that's not giving consent. If they haven't also signed a paper and that they're giving you consent for that data, that's not valid to take away and start sending the marketing or sales calls afterwards. Now, there is a little cover to it is, it is the personal parts of the information, so if someone's giving you a generic business address, generic business details that are around the company and are not around the person, it is valid.

So B-to-B communication where you are talking to that company for a business need and not related to their personal data, then that is possible and the GDPR that's not covering but as soon as you're taking maybe their personal interests or other notes that you may take on a sales call to help improve your relationship to them, that's when you need to take advice as to seeing where you move from that company and business case, use of that data into the private parts the data. So there may be some parts you can keep and some parts that you need to be aware of, that you can only keep around for a certain amount of time and then you need to have a good practice of deleting and clearing that information out.


Terry Mallin  : Moreover and there’s a lot of good information there, and to kind of summarize it, you know with your existing data you need to make sure that these people have opted-in to receiving communication going forward, when is the day actually Tristian for GDPR to come into effect?


Tristan Bailey : This piece of information from the EU parliament was set up in April 2016, so it's been around for a couple of years now but it comes into force on the 25th of May this year, and it's not going to be a one and done piece of information this is a regulation that's going to just keep running, so these are processes that you're going to have to implement and change how you're running in the company. It's not just like a simple down the course finish got the sticker, it's much more like an iso-standard it's a practice and you need to keep enacting it and having it as valid processes.

Once you've registered yourself with the agency for the UK, if the UK is your main office, you need to be able to be audited if you had a data breach, you lost some data; there was a cyber-attack; they tried to take stuff, you've got to be able to make your customers and your data subjects as they're called in GDPR aware of this, but you've also got to report it to your partners and back to the information commissioner's office the ICO, which is the UK’s body.


Terry Mallin  : Looking at the potential consequences, what are the consequences if you breach GPDR?


Tristan Bailey : It's a little bit unknown as to how quick they're going to move when it comes in but as it covers anyone who lives in an EU state, it doesn't matter where the company is, so the company doesn't have to be in the EU, and say like the UK, if we leave the EU,  we will still be covered and for both the UK citizens and for anyone we're doing business within the EU, they have levels that they can work through from a warning, to a reprimand, to a suspension of data processing which would mean you couldn't process any of your information, you couldn't use any of your personal information up to the top level and the one that a lot of people are talking about is 20 million EUR or 4% of your annual  global turnover, whichever’s the greater. So they've got a good hammer to wield if people aren't being careful with the information.


Terry Mallin : Yes not half at all, I mean running a billion pro-business so that could be a massive thing, and even on the other side of the scale as well Tristan don’t forget a small startup, and you maybe you know turning over a 500K plus I think it doesn’t matter what that is, you know this could be an up to-- you know weak point in your business. So you know it’s going to affect all sizes of businesses?


Tristan Bailey : Yes it does cover, there isn’t an exclusion, if you're a very small business or not, there isn’t an exclusion from it. It's just dealing with EU citizens’ data, so there isn't an excuse to say “no I’ve opted-out” there are some regulations for the very large companies or say national bodies or private bodies, but there isn't an opt-out for small companies.


Terry Mallin  : No matter what size the business is, GDPR is going to have an impact.  And Tristan, thank you very much for your time, much appreciated.  And just to kind of summarize, any size of business, your existing data must be up to then, and you must record details on the system and how you’ll gather the data and the details of when they opted-in, and also if someone request to update data, you've got to be able to respond to that request in a time scale set and give that appropriate information required. With regards to the website regeneration, if you gathered new data, it doesn’t matter where this is from, it could be from anywhere, it could be from conferences, exhibitions, business meetings to a website gather on data.  You need to make sure that a specific person has opted-in to receiving communication from you and make sure obviously if you’re using digital website et cetera that that your pauses are all in compliance and updated in accordance with your GDPR.

More importantly I think you know GDPR is a very positive regulation coming in, a lot of people are quite skilled in the basis they know they’re going to have to delete detail that nobody uses it any way, and the reality is, if everybody claims your existing data and get a really good solid list of contacts that actually want to hear from him, now there's a good chance if you are able to send good marketing material, that’ll be more brand awareness any worth services you can offer a company of what products you manufacture, then you should be able to get more business at the back.

Whether it’d be grow through one of them off, whether it’d be a repeat business, it’d be a business mindset than you know different product from you, new products that we weren’t aware of in the past. So at the end of the day, it’s a very positive thing for manufacturing and the UK as a whole.

Tristan if you are at the stage where you are..have any worries have any concerns about how to systemize this and how to implement the right strategies for GDPR within your manufacturing business, please get in touch with Tristan. His website is www.holdingbay.co.uk at its Tristan tristan (at) holdingbay.co.uk.



Interested in recruiting the best people for your manufacturing company? Please arrange a 15 minute business ignition call with us today



Helping Manufacturing Leaders across the UK to attract the best talent for their manufacturing business





Currently there are no comments. Be the first to post one!

Post Comment