GDPR Compliance for Food and Wine Brands

You’re likely familiar with the European Union law called GDPR (General Data Protection Regulation), which took effect in late May 2018. And you may have seen a bunch of communications flooding your inboxes confirming email list opt-ins… and asked yourself… am I supposed to be doing this too? Well, yes and no. There has been a TON of confusion about GDPR compliance and some businesses went overboard just in case. But getting compliant isn’t as extreme or challenging as you might think. Likely, you’re already in the clear, since most of it involves doing the ethical thing with your customers’ data.

At the moment, GDPR regulations legally apply only to those doing business in the European Union, but, rest assured, this will be flowing to the United States soon. So you might as well start your compliance efforts now. The point of GDPR is to protect personally identifiable information (PII) like credit card number, age, gender, birth date, social security number and health conditions. But it also extends to less “essential” personal data such as email addresses and phone numbers, the data you collect for sending communications to customers.

The EU’s Information Commissioner’s Office (ICO), responsible for upholding GDPR compliance in the UK, offers up a lengthy (39-page) guide on all the rules but here are the cliff notes.

GDPR Compliance Made Simple

Starting at the 20,000-foot perch: Is your customers’ PII safe? Jason Mancebo, owner of TechCon who offers technical marketing services, said these are the questions to ask yourself and/or your Customer Relationship Management software or database company to see if their processes and data protection are GDPR compliant:

  1. What is your process for keeping data safe? Is the data encrypted?
  2. Can it be transported easily or stolen by hackers?
  3. Where do the data backups live and are those also encrypted?
  4. What about the process for data destruction – if someone wants their PII eliminated from the system, can that be achieved?

The process for the last one, Mancebo states, can be as simple as a customer sending an email to your company to request their data be erased.

In essence, GDPR compliance means that customers own their personally identifiable information, not the business that collected the data.

So how do you easily communicate all of this to the customer? A Privacy Statement or Notice on your website is the best way. Go look… do you have one? If not, you should have one whether or not you’re preparing for GDPR. It’s a friendly practice to let your customers know what you do with the data they trust you with. Will this web page receive a ton of traffic? Likely not, but when GDPR-type regulations come to the U.S., people might be paying more attention, so CYA, you know? For guidance on creating a Privacy Policy, take a look at the Better Business Bureau’s Sample Privacy Policy.

Email marketing as well as live sales calls have some splainin’ to do too — there are some pretty stringent requirements within GDPR compliance. Most are straightforward but you’ll need to consider all the places you’re collecting email addresses and phone numbers for marketing purposes. Are all of these flows 100% consent-based? Furthermore, do you make it easy to unsubscribe once you’ve reached out to this person? To make sure you’re following the right path, take a look at this email and phone marketing checklist we put together. Read it and, hopefully, not weep.

If you have questions on your GDPR compliance, send us a note and we can talk.