The New GDPR: Are You Ready?

The new GDPR 2018

Europe’s New Data Protection Laws: All You Need to Know

The laws on data protection are changing – and all email marketers need to be prepared. Whether you’re operating within the European Union or handling data belonging to EU residents, it’s absolutely crucial to know what these changes mean. In this article, we shed some light on the new GDPR and what it means for email marketing.

What is the GDPR?

The General Data Protection Regulation is a legal framework that applies throughout the European Union. Up until now, each EU member state has implemented the Data Protection Directive of 1995 (Directive 95/46/EC) through its own national legislation, which is why the rules have differed from country to country. The GDPR replaces the Directive and these national implementations with a single regulation that applies directly in every member state. The GDPR consists of 99 articles in total.

When does the GDPR come into effect?

The GDPR was published in May 2016, but businesses have until 25th May 2018 to make sure they are compliant. From that date the GDPR applies directly in every member state; unlike the 1995 Directive, it does not need to be transposed into national law first.

What will happen to the existing laws?

The GDPR repeals the 1995 Directive and takes precedence over the national data protection acts that implemented it, so compliance is absolutely essential. Member states may still pass national laws in the limited areas where the GDPR explicitly allows them to, but the core obligations are the same everywhere in the EU.

Why has the GDPR been introduced?

The aim of the GDPR is to harmonize and simplify the legal framework within the European Union. This benefits both consumers and businesses. Under the GDPR, consumers – or “data subjects” – will have more rights regarding their personal data and how it is used. At the same time, companies that operate internationally will benefit from a uniform legal framework throughout the EU, rather than having to know and observe the individual guidelines of each member state.

To whom does the GDPR apply?

Essentially, the GDPR applies if the data subject (the person whose data it is) is in the EU, regardless of where the company handling the data is located. It therefore affects:

  • Companies and organizations established in the EU that collect or process personal data
  • Companies and organizations outside the EU that collect data from people in the EU, for example by offering them goods or services or by monitoring their behaviour
  • Companies and organizations outside the EU that process data belonging to people in the EU on behalf of such a business.

So, if you collect, store, transmit or otherwise process personal data of anyone in the EU, the rules of the GDPR apply. This covers both controllers (who decide why and how data is processed) and processors (who process it on a controller’s behalf), so it is just as relevant to Cloud providers as to companies running their own infrastructure.

What counts as personal data?

According to article 4 of the GDPR, personal data means “any information relating to an identified or identifiable natural person”. This includes things like name, date of birth and address. Under the GDPR, IP addresses will also count as personal data.

Within the GDPR framework, are companies obliged to appoint a data protection officer?

From May 2018, appointing a data protection officer will not be mandatory for every company. Under article 37 it is required for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organizations whose core activities involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. Organizations will no longer be required to notify local data protection authorities (DPAs) of their data processing activities; instead, they must keep internal records of processing activities (article 30) and be able to produce them on request.

Processing personal data

According to the GDPR, a person’s data may only be processed if there is at least one lawful basis for doing so. Article 6 lists these bases, and consent is one of them; the others include performance of a contract, a legal obligation and the company’s legitimate interests. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; you must also be able to prove that the user’s permission has been obtained. The data subject may withdraw their consent at any time, and withdrawing consent must be as easy as giving it.

The GDPR in a nutshell: What’s changed?

  • Greater scope: The GDPR will apply to all companies handling data belonging to EU residents – regardless of where the company itself is located.
  • Clearer guidelines regarding consent: Consent must be given by a clear affirmative action – the user must actively “opt in” – and companies obtaining consent must make it absolutely clear what the user is consenting to. Silence, inactivity or pre-ticked boxes do not count as consent. Organizations must also make it easy for the user to withdraw their consent at any time.
  • Stricter regulations in the event of a breach: In the event of a data breach that may put individual rights and freedoms at risk, the relevant authority must be informed within 72 hours. In certain situations, it may also be mandatory to notify the individuals concerned.
  • The right to be forgotten: Under certain conditions, data subjects may request that their personal data be erased. The data subject also has the right to obtain a copy of their data (free of charge).
  • Penalties and sanctions: The GDPR seeks to ensure greater accountability, and therefore brings with it stricter penalties for non-compliance. Repercussions may range from a written warning to a fine of up to 20 million euros, or 4% of the company’s annual worldwide turnover from the preceding financial year – whichever is greater.

What does the GDPR mean for email marketing?

Under the new GDPR framework, marketers must be especially diligent when it comes to consent. GDPR-compliant email marketing means the user must actively opt in, and you must be able to prove that they have done so. Pre-checked opt-in boxes are no longer allowed.

Even if you collected your email addresses prior to May 2018, you may not be able to legally use them once the GDPR comes into force. If you are not 100% sure on the opt-in status of your contacts – or are unable to provide proof of consent – you may need to run a re-opt-in campaign.

There will also be new rules regarding profiling, which is especially relevant to marketing automation. The GDPR requires that users are informed (for example, in your privacy notice) about any automated decision-making, including profiling, that is based on their personal data, and that they receive meaningful information about the logic involved. Users have the right to object at any time to profiling for direct marketing purposes (article 21), and the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects on them (article 22). In practice this means offering an opt-out from profiling and honouring it promptly.

About the author

Emily Stevens
