The ways in which you collect, use, store and manage the personal data of European Union citizens are about to change. On May 25th, 2018 the General Data Protection Regulation (GDPR) comes into effect. This new EU-wide regulation has a direct impact on your email marketing activities. This is not something to be overlooked, as fines for not being compliant can be as high as 20 million euros.
In this blog post, we will give you a quick overview of the GDPR and help you understand the ways in which it will affect your email marketing.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new set of European Union rules that covers the ways in which personal data is handled. As the digital world is continuously changing, the GDPR is meant to bring the previous data protection laws up to date (it replaces the 1995 directive). It is intended to strengthen data protection within the EU by enforcing rules (and penalties!) for the ways in which personal data is processed, acquired and stored.
Does it apply to my business?
If your organization processes, stores or uses the personal data of EU citizens, the GDPR will apply to you. Personal data covers any information you store about your customers, including email addresses, names, phone numbers, behavioural data, etc. It is important to note here that the regulations still apply to personal data that is exported outside of the EU (to the US, for example).
What does it mean for my email marketing?
The GDPR puts stricter regulations on the way in which you seek, record and manage consent for sending marketing communications. In practice, this means that consent has to be given actively and explicitly by the individuals supplying you with their email address before you can send them emails.
This consent has to be actively given, which means it can't be obtained via a pre-ticked box: the customer has to tick the box themselves. A correct way to record consent would be an unticked checkbox under the email field:
Aside from that, it is important that consent is explicit. This means that it needs to be clear to the customer what they are signing up to (see the above image).
Note that if called upon, you will have to be able to present proof of the given consent. It is therefore important that you keep a record of all your subscribers' given consent.
Is consent always necessary?
No, it is possible to send emails without obtaining consent. Instead of relying on consent, you can state that you send newsletters to further your business's 'legitimate interests'. However, and this is important, the person you are emailing should already have a relationship with you; for example, they bought one of your products. It is up to each company to decide which basis fits it best, whether that is relying on consent or on legitimate interests, and to make sure that it complies with the GDPR.
Does it apply to previously collected data?
Yes, it does! This means that you have to check the way in which you previously collected data. If that personal data was not acquired following the GDPR's requirement of actively and explicitly given consent, you will have to ask these people whether you can keep sending them emails. You could, for example, send them an email asking them to reconfirm their consent.
What new rights do EU citizens get?
The GDPR gives EU citizens additional rights to help them take control of their personal data.
Right to be forgotten
If a citizen invokes this right, a company holding their data has to delete all of it.
Right of access
Citizens have the right to ask you, at no cost, for a report on the ways in which you use their data.
In case of a data breach, you have 72 hours from the moment you learned of the breach to notify your customers.
Right of portability
When a customer requests this, you have to supply them with the data you hold about them.
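The consent rules described above (an actively ticked, unticked-by-default box with clear wording, a kept record of every consent, 'legitimate interests' only where a customer relationship exists, reconfirmation for pre-GDPR contacts) and the erasure and access/portability rights map naturally onto a small consent ledger. The following is an added example written for this post, not code from the original article or from any email marketing product; the class and field names, the sample subscribers and the wording string are all constructed assumptions.

```python
"""Consent ledger for email marketing (added example; names and data are constructed)."""
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


GDPR_EFFECTIVE = utc(2018, 5, 25)  # date the post gives for the GDPR taking effect


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event, kept verbatim so it can be presented as proof later."""
    given_at: datetime
    ticked_by_user: bool      # the subscriber ticked the box themselves
    box_pre_ticked: bool      # the box was already ticked when the form loaded
    consent_text: str         # exact wording displayed next to the box
    source: str               # where it was collected, e.g. a signup form

    def is_valid(self) -> bool:
        # Active: ticked by the user, not via a pre-ticked default.
        # Explicit: the wording shown to them is recorded and non-empty.
        return self.ticked_by_user and not self.box_pre_ticked and bool(self.consent_text.strip())


@dataclass
class Subscriber:
    email: str
    collected_at: datetime
    consents: List[ConsentRecord] = field(default_factory=list)
    last_purchase_at: Optional[datetime] = None  # the relationship legitimate interests rely on


class ConsentLedger:
    def __init__(self) -> None:
        self._subs: Dict[str, Subscriber] = {}

    def _get_or_create(self, email: str, when: datetime) -> Subscriber:
        key = email.lower()
        return self._subs.setdefault(key, Subscriber(email=key, collected_at=when))

    def record_consent(self, email: str, rec: ConsentRecord) -> bool:
        """Keep every attempt as evidence; return whether it counts as valid consent."""
        self._get_or_create(email, rec.given_at).consents.append(rec)
        return rec.is_valid()

    def record_purchase(self, email: str, when: datetime) -> None:
        sub = self._get_or_create(email, when)
        sub.last_purchase_at = max(when, sub.last_purchase_at or when)

    def has_valid_consent(self, email: str) -> bool:
        sub = self._subs.get(email.lower())
        return sub is not None and any(c.is_valid() for c in sub.consents)

    def lawful_basis(self, email: str) -> Optional[str]:
        """'consent', 'legitimate_interests', or None (do not send)."""
        sub = self._subs.get(email.lower())
        if sub is None:
            return None
        if self.has_valid_consent(email):
            return "consent"
        if sub.last_purchase_at is not None:  # existing customer relationship
            return "legitimate_interests"
        return None

    def needs_reconfirmation(self, email: str) -> bool:
        """Pre-GDPR contact without compliant consent: ask again before emailing."""
        sub = self._subs.get(email.lower())
        return sub is not None and sub.collected_at < GDPR_EFFECTIVE and not self.has_valid_consent(email)

    def erase(self, email: str) -> bool:
        """Right to be forgotten: drop everything held about the person."""
        return self._subs.pop(email.lower(), None) is not None

    def export(self, email: str) -> Optional[dict]:
        """Right of access / portability: everything held, as a plain dict."""
        sub = self._subs.get(email.lower())
        if sub is None:
            return None
        data = asdict(sub)
        data["lawful_basis"] = self.lawful_basis(email)
        return data


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample subscribers (not real people) exercising each rule in the post."""
    led = ConsentLedger()
    wording = "Yes, send me the weekly newsletter. I can unsubscribe at any time."
    # Pre-ticked box collected before the GDPR: recorded as evidence, but not valid consent.
    led.record_consent("pre@example.test", ConsentRecord(utc(2017, 3, 1), True, True, wording, "signup-form"))
    # Actively ticked, explicit wording: valid consent.
    led.record_consent("ok@example.test", ConsentRecord(utc(2018, 6, 1), True, False, wording, "signup-form"))
    # Customer who bought a product but never ticked a box: legitimate interests.
    led.record_purchase("buyer@example.test", utc(2018, 7, 4))
    return led
```

Note that `record_consent` stores the record even when it is invalid: the point of the ledger is to be able to show, for any address, exactly what was displayed and what the person did, including the failed or pre-ticked attempts you chose not to rely on.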
Checklist to make sure your email marketing activities are GDPR compliant
Follow the checklist below to make sure you can continue sending marketing emails to your customers:
Step 1: Get an overview of your current data policy.
- Is it secure?
- Who has access to it?
- Where is data transferred to (third parties)?
- How long is it retained?
Step 2: Make sure you have the details of previously recorded consent.
- Do you have the records for the consent given by your customers? (Consent has to be given for everything you do with the data)
Step 4: Make sure that the third parties you work with are also GDPR compliant.
- Identify all of your third-party vendors and check the way in which they collect and process data.
- Understand the security they have in place to protect data
Step 5: Notify your staff about the GDPR and its implications for your business.
Note: We are not lawyers, and different companies will need to put different strategies in place to be GDPR compliant. Do not base your compliance strategy solely on this article; instead, make sure you understand the new regulations fully and have a clear understanding of what steps your company can take to comply.
For more information, visit the GDPR's official website.