For most of you, at the very least you understand General Data Protection Regulation (GDPR) is a game-changer, and the effects and implications are ever-changing. We’ll be updating this blog post with the latest information we have to better inform you on how to optimize your email marketing to stay compliant and effective.
What is GDPR?
General Data Protection Regulation (GDPR) is the new EU privacy regulation related to data protection laws replacing the existing Data Protection Directive (95/46/EC) and adding additional requirements for organizations. GDPR is set to limit the amount of consumer data collected, the length of time it is stored, and how it can be used. The new data protection regimen extends the scope of the existing data protection laws to include all companies, even those outside of the EU if they process the data of EU residents.
When will GDPR be enforced?
GDPR will officially apply on May 25, 2018, after which time companies or organizations not in compliance could be the target of significant fines.
Where does GDPR apply?
GDPR will apply to all 28 EU member states, and to individuals and organizations outside the EU when collecting or processing the data of EU citizens.
To whom who does GDPR apply?
GDPR applies to entities of all sizes that process the personal data of EU residents. These regulations apply to both data controllers and data processors, including third parties such as cloud providers, regardless of their geographical location.
How will GDPR affect email marketing?
To effectively send email marketing communications under GDPR, you will need to collect “a freely given, specific, informed and unambiguous consent” (Article 7). To achieve compliance, you must adopt new practices:
No longer will you be able to rely on soft opt-in or soft opt-out approaches to collecting data. Some would even recommend using a confirmed opt-in to align with the enhanced permission requirements under GDPR. Third-party data use and user profiling are also within the scope of GDPR, based on its definition to the subjects’ rights (as defined in Articles 15 to 22) that cover but are not limited to; the right to access, be forgotten, correct information, or restrict certain types of processing.
What is the potential fine for violations of GDPR?
The maximum penalty for non-compliant organizations can be up to €20 million or 4% of annual global turnover, whichever is greater. There is a tiered approach to fines that could result in smaller fines, depending on the type and severity of the violation. Additional information can be found here.
How can I send email marketing communications under GDPR?
Even though GDPR changes the marketing landscape, it is still possible to continue your email marketing program. To help with your email marketing objectives, we created a short checklist for your reference:
I’m not in the EU. Do I need to worry about GDPR?
Yes. GDPR focuses on the personal data of EU citizens, not the geographical location of the organization. Companies not located in the EU but handle and process the personal data of EU citizens will be expected to comply with the legislation. This could also cover a company that manages or processes the data of a third party operating within the EU.
What constitutes personal data?
Personal data refers to any information that can be used directly or indirectly to identify an individual, commonly referred to as Personally Identifiable Information (PII). This can include information like name, email or social address, photographs, bank or credit card information, a computer IP address, and others. Sensitive Personal Information (SPI) will require additional levels of consent to utilize and include information such as, but not limited to medical conditions, religion, sexual orientation, and genetic data.
Consider the following issues when planning a privacy notice. Answer: When, where, who, what, why, and how?