March 27, 2018

What is GDPR? We’ll tell ya.

Most of you understand, at the very least, that the General Data Protection Regulation (GDPR) is a game-changer, and that its effects and implications are still evolving. We’ll be updating this blog post with the latest information we have to better inform you on how to optimize your email marketing to stay compliant and effective.

What is GDPR?
General Data Protection Regulation (GDPR) is the new EU privacy regulation related to data protection laws, replacing the existing Data Protection Directive (95/46/EC) and adding additional requirements for organizations. GDPR is set to limit the amount of consumer data collected, the length of time it is stored, and how it can be used. The new data protection regime extends the scope of the existing data protection laws to include all companies, even those outside of the EU, if they process the data of EU residents.

When will GDPR be enforced?
GDPR will officially apply on May 25, 2018, after which time companies or organizations not in compliance could be the target of significant fines.

Where does GDPR apply?
GDPR will apply to all 28 EU member states, and to individuals and organizations outside the EU when collecting or processing the data of EU citizens.

To whom does GDPR apply?
GDPR applies to entities of all sizes that process the personal data of EU residents. These regulations apply to both data controllers and data processors, including third parties such as cloud providers, regardless of their geographical location.

How will GDPR affect email marketing?
To effectively send email marketing communications under GDPR, you will need to collect “a freely given, specific, informed and unambiguous consent” (Article 7). To achieve compliance, you must adopt new practices:

  1. Use opt-in permission rules when collecting data;
  2. Ensure you have strong proof-of-consent management systems; and
  3. Provide tools or contacts through which consumers can request their personal information be removed from your systems.

No longer will you be able to rely on soft opt-in or soft opt-out approaches to collecting data. Some would even recommend using a confirmed opt-in to align with the enhanced permission requirements under GDPR. Third-party data use and user profiling are also within the scope of GDPR, based on its definition of the data subjects’ rights (as defined in Articles 15 to 22), which cover, but are not limited to, the right to access, the right to be forgotten, the right to correct information, and the right to restrict certain types of processing.

What is the potential fine for violations of GDPR?
The maximum penalty for non-compliant organizations can be up to €20 million or 4% of annual global turnover, whichever is greater. There is a tiered approach to fines that could result in smaller fines, depending on the type and severity of the violation. Additional information can be found here.

How can I send email marketing communications under GDPR?
Even though GDPR changes the marketing landscape, it is still possible to continue your email marketing program. To help with your email marketing objectives, we created a short checklist for your reference:

  • Audit your current database.
    • Do you know where your contacts are?
    • Do you have an audit trail of consent for your subscribers?
    • How did they opt in: Single Opt-in, Opt-out, Confirmed Opt-in?
    • How did they get in your database?
    • Do you have enough information on permission types and acquisition source to prove consent if needed?
  • Review data practices.
    • Do you have a privacy policy detailing items like how you collect, store, transfer and process your data, using clear and easy-to-understand language?
    • How do you communicate this data privacy policy to your recipients?
  • Build compliance into upcoming initiatives.
    • Build privacy into all new programs and marketing initiatives. Consider GDPR compliance during the development stages so you don’t have to adjust your processes after launching.

I’m not in the EU. Do I need to worry about GDPR?
Yes. GDPR focuses on the personal data of EU citizens, not the geographical location of the organization. Companies not located in the EU that handle and process the personal data of EU citizens will be expected to comply with the legislation. This could also cover a company that manages or processes the data of a third party operating within the EU.

What constitutes personal data?
Personal data refers to any information that can be used, directly or indirectly, to identify an individual, commonly referred to as Personally Identifiable Information (PII). This can include information like name, email or social address, photographs, bank or credit card information, a computer IP address, and others. Sensitive Personal Information (SPI) will require additional levels of consent to utilize and includes information such as, but not limited to, medical conditions, religion, sexual orientation, and genetic data.

What do I need to include in my privacy policy?
Consider the following issues when planning a privacy notice. Answer: When, where, who, what, why, and how?

  • Where did the data come from?
    • Did you get the right consent?
  • When will you use the data?
    • Marketing, profiling, automation or other?
  • Why do you need the data?
    • Completion of an order, facilitate communications, or delivery of a product or service?
  • Who is collecting the data?
    • Is it obvious who is requesting the data?
  • Who will the data be shared with?
    • Include third parties in your policies.
  • What data are you collecting?
    • Limit collection to the minimal amount of data you require to complete the requested actions.
  • How are you collecting the data?
    • Observed (by tracking people online or via smart devices), derived (by combining other, including third-party, data sets), or inferred (by using algorithms)?

Author: Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.
