The New GDPR: Are you ready?
The laws on data protection are changing – and all email marketers need to be prepared. Whether you’re operating within the European Union or handling data belonging to EU residents, it’s absolutely crucial to know what these changes mean. In this article, we shed some light on the new GDPR and what it means for email marketing.
- What is the GDPR?
- When does it come into effect?
- What will happen to the existing laws?
- Why has the GDPR been introduced?
- To whom does it apply?
- What counts as personal data under the GDPR?
- Is it mandatory to appoint a Data Protection Officer?
- Processing personal data
- The GDPR in a nutshell: key changes
- GDPR-compliant email marketing
What is the GDPR?
The General Data Protection Regulation is a legal framework that applies throughout the European Union. Until now, each EU member state has applied the data protection regulation from 1995 alongside its own national regulations. The GDPR replaces these with a single, central law that applies across the whole EU. The GDPR consists of 99 articles in total.
When does it come into effect?
The GDPR was published in May 2016, but businesses have until 25 May 2018 to make sure they are compliant. From that date, the GDPR is directly applicable.
What will happen to the existing laws?
The GDPR supersedes all existing data protection acts, so compliance is absolutely essential.
Why has the GDPR been introduced?
The aim of the GDPR is to harmonize and simplify the legal framework within the European Union. This benefits both consumers and businesses. Under the GDPR, consumers – or “data subjects” – will have more rights regarding their personal data and how it is used. At the same time, companies that operate internationally will benefit from a uniform legal framework throughout the EU, rather than having to know and observe the individual rules of each member state.
To whom does it apply?
Essentially, the GDPR applies if the data subject (the person the data relates to) is based within the EU. It therefore affects:
- Companies and organizations who are collecting data from EU residents (even if the company itself is based outside of the EU)
- Companies and organizations processing data belonging to EU residents (even if the company itself is based outside of the EU).
So, if you collect, store, transmit or process data belonging to anyone based within the EU, the rules of the GDPR apply. The GDPR may therefore be applicable to both cloud and non-cloud providers.
What counts as personal data under the GDPR?
According to Article 4 of the GDPR, personal data means “any information relating to an identified or identifiable natural person”. This includes things like name, date of birth and address. Under the GDPR, IP addresses also count as personal data.
Is it mandatory to appoint a Data Protection Officer?
From May 2018, it will not be mandatory for companies to appoint a data protection officer – unless the collection and processing of data is one of the company’s core activities. Organizations will no longer be required to notify local data protection authorities (DPAs) of their data processing activities; instead, internal record-keeping requirements will apply.
Processing personal data
According to the GDPR, a person’s data may only be processed if there is at least one lawful basis for doing so – or if the data subject has given their consent. Consent must be active and explicit, and you must be able to prove that it was obtained. The data subject may withdraw their consent at any time.
The GDPR in a nutshell: key changes
- Greater scope: The GDPR will apply to all companies handling data belonging to EU residents – regardless of where the company itself is located.
- Clearer guidelines regarding consent: Consent must be explicit – the user must “opt in” – and companies obtaining consent must make it absolutely clear as to what the user is consenting to. Organizations must also make it easy for the user to withdraw their consent at any time.
- Stricter regulations in the event of a breach: In the event of a data breach that may put individual rights and freedoms at risk, the relevant authority must be informed within 72 hours. In certain situations, it may also be mandatory to notify the individuals concerned.
- The right to be forgotten: Under certain conditions, data subjects may request that their personal data be erased. The data subject also has the right to obtain a copy of their data (free of charge).
- Penalties and sanctions: The GDPR seeks to ensure greater accountability, and therefore brings with it stricter penalties for non-compliance. Penalties range from a written warning to a fine of up to 20 million euros, or 4% of the company’s annual worldwide turnover from the preceding financial year – whichever is greater.
GDPR-compliant email marketing
Under the new GDPR framework, email marketers must be especially diligent when it comes to consent. The user must actively opt in, and you must be able to prove that they have done so. Pre-checked opt-in boxes are no longer allowed.
Even if you collected your email addresses prior to May 2018, you may not be able to legally use them once the GDPR comes into force. If you are not 100% sure about the opt-in status of your contacts – or are unable to provide proof of consent – you may need to run a re-opt-in campaign.
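As an added example (not part of the original article), the following consent ledger shows what "being able to prove consent" means in practice: it stores the evidence for each active opt-in, refuses a pre-checked box as evidence, honours withdrawal at any time, and flags addresses without provable consent for a re-opt-in campaign. The method names, field names and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Methods that count as an active, explicit choice by the data subject. A
# pre-checked box is deliberately not listed, so it can never be recorded.
ACTIVE_METHODS = {"unchecked_box", "double_opt_in_link"}

@dataclass
class ConsentRecord:
    email: str
    granted_at: datetime      # when the subject actively opted in (UTC)
    method: str               # how: must be one of ACTIVE_METHODS
    consent_text: str         # exact wording shown at the point of consent
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}

    @staticmethod
    def is_provable(rec: ConsentRecord) -> bool:
        # Evidence must show an active method and the wording consented to.
        return rec.method in ACTIVE_METHODS and bool(rec.consent_text.strip())

    def record_opt_in(self, rec: ConsentRecord) -> None:
        if not self.is_provable(rec):
            raise ValueError(f"{rec.email}: not a provable, active opt-in")
        self._records[rec.email] = rec

    def withdraw(self, email: str, when: datetime) -> None:
        # Withdrawal is possible at any time; the record is kept for audit.
        self._records[email].withdrawn_at = when

    def may_email(self, email: str) -> bool:
        rec = self._records.get(email)
        return rec is not None and rec.withdrawn_at is None

    def needs_reoptin(self, contact_list: list[str]) -> list[str]:
        # No provable consent on file, however old the address: re-opt-in first.
        return [e for e in contact_list if e not in self._records]

def demo() -> dict:
    # Constructed sample data: one provable pre-2018 opt-in, one pre-checked
    # box that is rejected as evidence, one legacy address with no record.
    ledger = ConsentLedger()
    when = datetime(2017, 11, 3, 9, 30, tzinfo=timezone.utc)
    ledger.record_opt_in(ConsentRecord("ann@example.com", when, "double_opt_in_link", "Send me the weekly newsletter."))
    prechecked = ConsentRecord("bob@example.com", when, "prechecked_box", "Send me offers.")
    pending = ledger.needs_reoptin(["ann@example.com", "bob@example.com", "old@example.com"])
    before = ledger.may_email("ann@example.com")
    ledger.withdraw("ann@example.com", datetime(2018, 6, 1, tzinfo=timezone.utc))
    return {"prechecked_ok": ledger.is_provable(prechecked), "reoptin": pending,
            "before": before, "after": ledger.may_email("ann@example.com")}
```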
There will also be new rules regarding profiling, which is especially relevant to marketing automation. The GDPR stipulates that the user must be notified of any automatic decisions based on personal data (for example, in your confidentiality agreement) and must be able to opt out of such profiling if they so wish.