If you send email or maintain a user database and have any members, customers, or prospects in the European Union, you’ve probably heard about the Global Data Protection Regulation (GDPR). Going far beyond email and electronic communication, this new law covers all aspects of data privacy and has been hailed as the most important such regulation in 20 years.
Today we’ll talk briefly about the key provisions of GDPR and how it may affect you as an email marketer.
First, a little history
Data privacy regulation is nothing new in the EU, whose member nations consider privacy a vital right of all citizens. In 1995, the EU adopted the Data Protection Directive (DPD), which required all member states to adhere to general privacy guidelines, but allowed each nation to create independent legislation to meet this goal. As a result, 27 different data protection regulations currently exist, each with somewhat different provisions and requirements.
In addition, the DPD only required senders outside the EU to comply if they were using infrastructure inside the EU (database, web, or mail servers, among others).
To help unify these regulations and strengthen their reach to senders outside the EU, the GDPR was born. Beginning in early 2012, the European Commission debated the law until its final approval in April 2016, with a compliance date of May 25, 2018. On this date GDPR will become law throughout the EU, affecting any organization that manages data for contacts within the Union.
GDPR’s Privacy Protections
GDPR provides specific privacy protections for both permanent and temporary residents of the EU. Let’s take a look at some of the key tenets of the law that are likely to affect email marketers.
Any organization that processes or stores data about a person must have “provable consent” provided by that person. The data collected could include personal details such as name and birthdate, demographic details like location, and even records of that person’s activities (opening or clicking an email, for example).
Access to Data
Each person whose data is being stored or processed has the right to request every piece of data held by an organization about them, as well as information describing how that data is used and whether it has been shared with any third party for any purpose. Upon request, organizations must also provide proof of the subject’s consent to store or process their data.
Right to be Forgotten
Each data subject also has the right to request an organization completely erase all records pertaining to them. In addition, each person can request data be corrected if it is invalid or incomplete.
Notification of Data Breach
Any organization that experiences a data breach of personal information must inform both appropriate authorities and affected data subjects, and they are subject to fines and penalties as a result of the breach.
The costs for violation of GDPR are very high: as much as €20 million or 4% of the organization’s global annual revenue (whichever is greater).
Updating Your Contacts and Consent for GDPR
If your organization is located within the EU, or if you have contacts in your database that are located in the EU, you are subject to the requirements of GDPR.
As an email marketer, you will now be required to use double opt-in (or confirmed opt-in) to meet the “provable consent” requirements. Whenever someone requests to receive email from your organization, you should send a confirmation request that requires the recipient to take an action (i.e. click a link) to confirm their consent. Only those records that confirm consent via this message should receive any further emails from your organization.
In addition to new records, you must also be able to show consent for any existing records in your database at the time GDPR takes effect. If you don’t have this record of consent for any EU residents, you’ll need to get that confirmation prior to May 2018 to remain compliant. The key takeaway for marketers is this: if you haven’t started preparing for GDPR, now’s the time! Determine what portion of your database is located in the EU, then ensure you have mechanisms in place to track and provide their data upon request. Be sure you have the ability to completely remove records from your database (often a challenge in itself), and start sending those confirmation requests ASAP to gain consent prior to the deadline.
If you’d like a more comprehensive overview of the GDPR, the UK Information Commissioner’s Office (ICO) provides a great resource at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/.
We’ll also be providing additional resources and content over the coming weeks to help ensure you’re ready when the effective date rolls around.