This is a guest post from the team at Mailjet. Read more on the Mailjet blog.
Consumers are growing more concerned about their personal data and privacy. According to a Gigya survey, 68% of consumers don’t trust brands to handle their personal information appropriately. To strengthen the rights of European Union residents, EU lawmakers passed the General Data Protection Regulation (GDPR).
As a data protection regulation, the GDPR affects organizations that process any personal data of EU residents, which has a strong impact on marketers. While the GDPR will become effective May 25, 2018, only 54% of businesses expect to meet that deadline, according to Econsultancy.
We’ll cover the main steps email marketers must take to ensure GDPR compliance.
The GDPR is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for EU residents. This legal framework replaces the current EU Data Protection Directive with additional requirements that companies need to satisfy.
While the GDPR may seem overwhelming, here are a few quick facts to get you up to speed:
When does it become enforceable? The text was adopted in April 2016 and will come into effect on May 25, 2018. It’s imperative that companies take immediate action to ensure compliance.
Who must comply? The GDPR concerns the processing of European citizens’ data but has an extraterritorial application. All individuals and companies, regardless of their country of origin, who collect and/or process data from European Internet users must comply. The GDPR is also applicable to third parties such as subcontractors or hosting companies.
What happens if organizations don’t comply with the GDPR? Several levels of fines are stipulated by the European Parliament. The maximum penalty for organizations in non-compliance with the GDPR can be up to €20 million or 4% of annual global turnover, whichever is greater.
Is your company compliant? Take this short quiz and assess your company according to the new General Data Protection Regulation. You will be provided with a detailed overview of your company’s readiness.
As an email marketer, you need to collect freely given, specific, informed and unambiguous consent to comply with the GDPR. That means you’ll have to adopt new practices like:
Since the GDPR requires explicit consent, practices like obtaining consent by default using a pre-ticked box at the bottom of a form (passive opt-in) are not acceptable.
Instead, using a double opt-in is recommended. This method consists of obtaining consent twice before adding users to your marketing lists:
Second, by sending users a confirmation email where they will have the opportunity to affirm or deny their consent (by clicking on a confirmation link or by re-entering their email address for example).
Also, consent messages need to be easily understandable. Confusing or vague language (double negatives or inconsistent language) is not allowed.
An example of a clear and concise consent message is:
“You agree that [your organisation name] may collect, use and disclose your personal data which you have provided in this form, for providing marketing material that you have agreed to receive, in accordance with our data protection policy [available at link]. Please tick the relevant boxes below if you agree to receive: [boxes].”
Under the GDPR, you need to keep a record of how you obtained the express consent of the data subject. That includes: the data subject who gave the consent, when the consent was obtained (a date and time stamp, for example), and the specific purpose for which the consent was given.
A record of the IP address, location, and time at which someone submitted a consent form is insufficient on its own; keep a capture of the form itself, as it was presented, as well. Including this information in the confirmation email is recommended.
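As an added illustration of the double opt-in and record-keeping steps above (example code, not from Mailjet or Customer.io), the sketch below has the confirmation link carry an HMAC-signed token bound to the address, the purpose and a hash of the form wording, and turns a valid click into the consent record to store. The signing key, the field names and the 48-hour link expiry are assumptions for the example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical signing key for this example; a real deployment loads it from a secret store.
SIGNING_KEY = b"constructed-example-key-not-for-production"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links go stale after two days

@dataclass(frozen=True)
class ConsentRecord:
    """The evidence the GDPR expects: who consented, when, for what, and on which form wording."""
    email: str
    confirmed_at: int        # Unix time of the click on the confirmation link
    purpose: str
    form_sha256: str         # hash of the form as presented, standing in for a screenshot
    submitted_from_ip: str

def form_fingerprint(form_html: str) -> str:
    """Hash the consent form exactly as it was shown, so a later wording change is detectable."""
    return hashlib.sha256(form_html.encode()).hexdigest()

def _b64(s: str) -> str:
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")

def _unb64(s: str) -> str:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()

def issue_confirmation_token(email: str, purpose: str, form_hash: str, issued_at: int) -> str:
    """Step one: the subject actively submits the form and we e-mail a link carrying this token.
    MACing email, purpose, form version and issue time together means the link cannot be
    replayed for another address or purpose, or after the form wording has changed."""
    payload = ".".join([_b64(email), _b64(purpose), form_hash, str(issued_at)])
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def confirm(token: str, client_ip: str, now: int) -> Optional[ConsentRecord]:
    """Step two: the click on the link. Returns the record to store, or None if the link is
    malformed, tampered with, or older than TOKEN_TTL_SECONDS."""
    parts = token.split(".")
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    email_b64, purpose_b64, form_hash, issued_at, sig = parts
    payload = ".".join(parts[:4])
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now - int(issued_at) > TOKEN_TTL_SECONDS:
        return None
    return ConsentRecord(_unb64(email_b64), now, _unb64(purpose_b64), form_hash, client_ip)
```

Store the returned record together with the form text whose hash it carries; a record whose hash no longer matches the live form shows that consent was given to earlier wording.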
Keep in mind that the GDPR will apply to all of your data, not just data collected after the effective date of May 25, 2018. As an email marketer, you must provide evidence of explicit consent from current contacts. You will have to sort through your contact base and launch opt-in campaigns to obtain the explicit permission of your existing contacts.
Check your current procedures to ensure you are able to deliver on all data subjects’ rights, including:
Right of information: clearly inform the user about how his/her personal data is collected and used;
Right to rectify: modify or delete a user’s personal data upon request;
Right of portability: offer users the possibility to retrieve their data in a readable and open format so that they can reuse it for their own personal use.
Profiling is a marketing automation technique. It is the practice of attempting to understand a person or group based on general characteristics or on past behaviors.
Data such as browsing history, education information, or buying habits can be used for profiling. The purpose is to predict the individual’s behavior to provide a more relevant marketing experience. For example, your team may send promotional emails on maternity products to women who searched for maternity items on Google.
The GDPR allows profiling, but you must comply with its requirements. Upon the data subject’s request to halt profiling, the processing must cease unless the controller demonstrates grounds for the processing that override the interests, rights, and freedoms of the data subject. Moreover, profiling and automated decision-making are not allowed on minors.
Email marketers still have a few months left to prepare for the GDPR. Take actions to be compliant, including defining new consumer opt-in permission rules, creating consent storing systems, and developing methods for consumers to request removal of their personal information.
For the marketing industry, the GDPR is a turning point that can actually be positive for companies. While organizations need to rethink how they approach marketing, it’s an opportunity to improve how you interact with consumers and increase brand confidence.
Learn more about Customer.io’s commitment to the GDPR here.