Marketers, the GDPR Impacts You Too
This is a guest post from the team at Mailjet. Read more on the Mailjet blog.
Quick Facts About the GDPR

The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission strengthen and unify data protection for people in the EU. It replaces the current EU Data Protection Directive (95/46/EC) and adds requirements that companies need to satisfy. While the GDPR may seem overwhelming, here are a few quick facts to get you up to speed:

When does it become enforceable? The text was adopted in April 2016 and becomes enforceable on May 25, 2018. Companies should act now to make sure they are compliant by then.

Who must comply? The GDPR governs the processing of personal data of people in the EU and has extraterritorial reach: any individual or company, regardless of where it is established, that collects or processes personal data of EU residents must comply. It also applies to third parties that process data on your behalf, such as subcontractors and hosting companies.

What happens if organizations don't comply? The regulation sets two tiers of administrative fines. The higher tier, for the most serious infringements, is up to €20 million or 4% of annual global turnover, whichever is greater.
Is your company compliant? Take this short quiz and assess your company according to the new General Data Protection Regulation. You will be provided with a detailed overview of your company’s readiness.
How Will the GDPR Affect Email Marketing?

As an email marketer, you need to collect consent that is freely given, specific, informed and unambiguous. In practice that means adopting new practices like:
- Opt-in permission rules for subscribers;
- A system for storing proof of consent; and
- A way for subscribers to request removal of their personal data.
Opt-in Permission Rules

Because consent under the GDPR must be given by a clear affirmative action, obtaining it by default with a pre-ticked box at the bottom of a form (passive opt-in) is not acceptable. A double opt-in is recommended instead. This method confirms consent twice before a user is added to your marketing lists:
- First, when they fill in a form on your site;
- Second, by sending users a confirmation email in which they can affirm or deny their consent (by clicking a confirmation link or re-entering their email address, for example).
Example consent wording for a sign-up form:

“You agree that [your organisation name] may collect, use and disclose your personal data which you have provided in this form, for providing marketing material that you have agreed to receive, in accordance with our data protection policy [available at link]. Please tick the relevant boxes below if you agree to receive: [boxes].”
Proof of Consent Storing Systems

Under the GDPR, you must be able to demonstrate that the data subject consented. Keep a record of who gave consent, when it was obtained (a date and time stamp, for example), the specific purpose it was given for, and what the person was actually shown: an IP address, location and submission time on their own do not prove consent unless you also keep the wording and version of the form that was presented. Keeping a copy of the confirmation email that contains this information is recommended. Bear in mind that the GDPR applies to all of the personal data you hold, not just data collected after the effective date of May 25, 2018, so you must be able to show valid consent for your current contacts as well. Where you cannot, you will have to sort through your contact base and run opt-in campaigns to obtain the explicit permission of your existing contacts.
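The two steps of the double opt-in above and the consent record described in this section, as an added example that is not part of the original post or of Mailjet's product. The names (ConsentLedger, make_confirmation_token, verify_confirmation_token), the 48-hour lifetime of the confirmation link, and the sample addresses are assumptions for illustration. The confirmation link carries an HMAC-signed token bound to the address and purpose, the signup is only recorded once the link is used, and the record keeps the version and hash of the form text the person saw alongside the timestamps and IP.

```python
"""Double opt-in with a consent ledger. Added example, not code from Mailjet or the
original post: the names, the 48-hour link lifetime and the sample data are assumed."""
import base64, binascii, hashlib, hmac, json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

TOKEN_TTL = timedelta(hours=48)  # assumed lifetime of a confirmation link


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(secret: bytes, email: str, purpose: str, issued_at: datetime) -> str:
    # HMAC-SHA256 over (email, purpose, expiry): the link in the confirmation email cannot
    # be forged or re-pointed at another address. Single use is enforced by the ledger.
    claims = {"email": email, "purpose": purpose, "exp": (issued_at + TOKEN_TTL).timestamp()}
    payload = json.dumps(claims, sort_keys=True).encode("utf-8")
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_confirmation_token(secret: bytes, token: str, now: datetime) -> Optional[dict]:
    """Return the signed claims, or None if the token is malformed, tampered with or expired."""
    try:
        enc_payload, enc_mac = token.split(".")
        payload, mac = _unb64(enc_payload), _unb64(enc_mac)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return None
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    return None if now.timestamp() > claims["exp"] else claims


@dataclass(frozen=True)
class ConsentRecord:
    """The record of consent: who, when, for what, and exactly what they were shown."""
    email: str
    purpose: str
    form_version: str        # identifier of the form wording the subject saw
    form_text_sha256: str    # hash of that wording, so the exact text can be proven later
    signup_at: str           # ISO-8601 UTC, form submitted (step 1)
    signup_ip: str
    confirmed_at: str        # ISO-8601 UTC, confirmation link used (step 2)
    withdrawn_at: Optional[str] = None


class ConsentLedger:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending = {}    # (email, purpose) -> signup details awaiting confirmation
        self._records = []

    def start_signup(self, email, purpose, form_version, form_text, ip, now: datetime) -> str:
        """Step 1: form submitted. Nothing is subscribed yet; return the token for the email link."""
        self._pending[(email, purpose)] = {
            "form_version": form_version,
            "form_text_sha256": hashlib.sha256(form_text.encode("utf-8")).hexdigest(),
            "signup_at": now.isoformat(),  # pass timezone-aware datetimes
            "signup_ip": ip,
        }
        return make_confirmation_token(self._secret, email, purpose, now)

    def confirm(self, token: str, now: datetime) -> Optional[ConsentRecord]:
        """Step 2: link clicked. Only a valid token for a still-pending signup creates a
        record, so a forged, expired or replayed link changes nothing."""
        claims = verify_confirmation_token(self._secret, token, now)
        if claims is None:
            return None
        pending = self._pending.pop((claims["email"], claims["purpose"]), None)
        if pending is None:
            return None
        record = ConsentRecord(email=claims["email"], purpose=claims["purpose"],
                               confirmed_at=now.isoformat(), **pending)
        self._records.append(record)
        return record

    def has_consent(self, email: str, purpose: str) -> bool:
        return any(r.email == email and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def withdraw(self, email: str, purpose: str, now: datetime) -> bool:
        """Withdrawal: keep the record as evidence, mark it so the address is never mailed again."""
        for i, r in enumerate(self._records):
            if r.email == email and r.purpose == purpose and r.withdrawn_at is None:
                self._records[i] = replace(r, withdrawn_at=now.isoformat())
                return True
        return False

    def export_subject(self, email: str) -> str:
        """Access / portability request: everything held about one address, as JSON."""
        return json.dumps([asdict(r) for r in self._records if r.email == email], indent=2)
```

A typical flow is `token = ledger.start_signup(...)` when the form is posted, the token embedded in the confirmation link, and `ledger.confirm(token, now)` when the link is opened; `has_consent()` is what the sending pipeline checks before each campaign. Withdrawal does not delete the record, because the record is the evidence that the earlier mailings were lawful; a separate erasure request would remove it.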
Consumer Rights

Check your current procedures to ensure you are able to deliver on all data subjects' rights, including:
- Right of access: provide a copy of the personal data you hold about a user upon request;
- Right to be informed: clearly tell users how their personal data is collected and used, at the time it is collected;
- Right to rectification and erasure: correct a user's personal data, or delete it, upon request;
- Right to data portability: let users retrieve their data in a structured, commonly used and machine-readable format so that they can reuse it or move it to another service.