GDPR: What It Means For Your Business
Each member state of the EU currently has differing rules on spam, meaning 28 email laws for 28 different countries under the European Union’s E-Privacy Directive – but that’s all going to change next year.
GDPR – What is it?
The General Data Protection Regulation (GDPR) is the new and legally binding Europe-wide privacy law which pulls all the different rules into a single regulation from May 25, 2018, making things more consistent.
If you use personal data from EU citizens, you’re affected. And if you gather email addresses and write electronically to EU-based subscribers, GDPR compliance is mandatory, wherever you’re based.
Similar regulations have been brought in outside the EU, including in Australia and Canada.
What does it mean?
- Stricter rules on consent mean marketers will only be able to email those who’ve actively opted in to receive messages. Most EU nations actually do this already, but, under GDPR, consent must be freely given, specific, informed and unambiguous. Under the new rules, ticking a box is acceptable as an affirmative action, a pre-ticked box is not – and silence doesn’t necessarily mean consent.
- You have to tell subscribers exactly how their information will be used and why it’s being collected at the point of collection. So for example, if you take someone’s email address so they can download a whitepaper, and haven’t explained that you’d then be sending them marketing messages, this would no longer be acceptable under the new regulations.
- You also have to keep records of the consents you receive, something many data owners have never had to do before, but you will have to keep all forms, and show them if requested.
- The new rules also apply to existing data. So if you can’t prove evidence of consent for all your contacts, you may not be able to email those subscribers any more.
- Public authorities, and some others, must appoint a Data Protection Officer as well as a Data Controller and Data Processor, responsible for compliance, monitoring and training, and act as a first point of contact.
- Data subjects have a right to request their information is erased completely.
What are the penalties for non-compliance?
Fines of up to €20mn or 4% of a brand’s total global annual turnover (whichever is higher). There’s likely to be a high dependence on citizens reporting breaches rather than any form of ‘policing’ the new law.
Even after the UK leaves the EU, you may well still want to contact EU citizens, meaning you must either bring your whole database up to scratch as far as the new standards go, or have different sign-up processes for subscribers in different parts of the world.
The good news is that, given how stringent EU standards are, if you’re GDPR-compliant, you’re probably complaint with other global email regulations as well.
Take GDPR Seriously
Our best advice is to take GDPR seriously and to act – but without panicking. We all still have several months in hand to get our houses in order. The new rules are being billed as a long overdue evolution rather than a revolution of the existing legislation, including the 1998 Data Protection Act and the 2003 Privacy and Electronic Communications Regulations.
A complete data-handling overhaul isn’t needed for everyone – for some a few small tweaks to current processes may be all that’s needed to achieve compliance.
Understand what is meant by personal data, and what it includes, and appreciate that publicly available email addresses, consent isn’t needed, although people must still be given the chance to unsubscribe. And both direct and indirect identification of personal information is covered in the legislation.
You may need to consider who has access to data, and create multi-level user permissions. While this may sound a headache, technology including marketing automation platforms can make life a lot easier.
Additionally, think about having a single, central source of secure data storage, perhaps via a reliable CRM, one that’s in sync with your third-party email marketing platform.
GDPR is about giving people more control over how their data is used and the information they receive. With a little preparation, and some clever use of technology, it doesn’t have to be a nightmare. Contact us today if you’d like to learn more about what GDPR could mean for you.