The European Union's General Data Protection Regulation touches on several crucial aspects of email marketing, especially regarding how marketers seek, collect and record consent.
One of the things we really strive to do in the Enabler team is keep our clients up to date with the latest goings on in the world of email. Sometimes this is a really fun job, and we get to send around well designed emails or provide updates on the latest coding techniques. Sometimes however, we need to make sure everything we and our clients are doing is in line with the current laws and regulations - *cue sirens*.
In March 2018, the General Data Protection Regulation (GDPR) will come into effect, and I’m here to tell you what it is, why it affects you, and if there’s anything you need to be doing before GDPR comes into effect.
What is GDPR?
GDPR is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulations within the EU.
When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995, and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.
When is it happening?
The regulation was adopted on 27 April 2016 and becomes enforceable from 25 May 2018 after a two-year transition period.
Who decided it should be a thing?
The European Parliament, the Council of the European Union and the European Commission.
Why does it affect you?
GDPR will affect every company that uses personal data from any citizen within the EU. If you are collecting email addresses and sending emails to subscribers in the EU, you’ll have to comply with GDPR—no matter where you’re based.
The UK, Germany, France, and other European countries represent valuable markets for many brands. But it’s not just the strategic importance of the market that makes GDPR important for all marketers, it’s also the large number of citizens that the new privacy law will protect.
Information on the specifics of GDPR
I’m going to be upfront with you here, a lot of what the GDPR states is pretty much identical to the current Data Protection Act (DPA). Just like the DPA, GDPR refers to two types of data: ‘Personal Data’ and ‘Sensitive Personal Data’. The main difference being that the GDPR’s definition is more detailed and makes it clear that information such as an online identifier, for example an IP address, can be personal data. By expanding on this definition, it means that GDPR can identify a much wider range of personal identifiers that constitute as personal data.
The main reasoning for this change was that it reflects changes in technology and the way organizations collect information about people.
For most organizations who keep HR records, customer lists or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
Unlike the DPA’s definition, the GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised, for example coded, can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
The main overall difference is that the GDPR requires that personal data should be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
It also requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
What do I actually need to do from an Email Marketing perspective?
GDPR touches on several crucial aspects of email marketing, especially regarding how marketers seek, collect and record consent. So without further ado, here’s what you need to know:
Collecting consent will work differently
You will only be allowed to send emails to people who’ve opted-in to receive messages. While this has already been the case in most European countries under the EU Privacy Directive, GDPR takes this one step further and specifies the nature of consent that’s required for commercial communication. Starting in May 2018, brands have to collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant with GDPR.
The signup process must inform subscribers about the brand that’s collecting the consent and provide information about the purposes of collecting personal data.
Some of the processes previously used to collect data will not be compliant anymore, for example if someone entered their email address to download a whitepaper or provided their contact information to enter a contest? If you didn’t tell them you’d use their personal data to send marketing messages, and if they didn’t actively agree that it is okay to use their data for that very reason, it won’t be legal to add those email addresses to your mailing list.
Recording consent will work differently
Under GDPR, you will need to prove and show reasonable evidence that you have complied with the GDPR if challenged. This means GDPR places the burden of proof around consent being given with the company itself.
This means you will need to be storing consent forms.
If your database includes subscribers whose permissions haven’t been collected according to the GDPR’s standards, or even if they have but you can’t provide sufficient proof of consent for any contacts, you might not be allowed to send email to those subscribers anymore.
If you can’t provide this, I would highly recommend running re-permissioning campaigns before March 2018.
Changing existing email programs
Sadly, unless you want to stop engaging with the European market (which we in no way recommend) then you will need to review some of your current email programs. Here are a few ways you can tackle the issue:
Set up separate signup processes for subscribers coming from different parts of the world. Customers coming from the EU would have to go through a GDPR-compliant sign-up process, while for United States citizens, everything could remain the same. This is a highly complex and costly solution but would definitely do the trick.
Bring your entire database up to GDPR standards and adapt all of your opt-in processes to match the EU requirements. (This is in bold because it’s what we recommend.)
Whether we like it or not, changes to opt-in processes and re-permission campaigns will likely slow down list growth in the short term, however they will help you to make sure that you are only sending emails to subscribers who really want to hear from them, which really will improve your overall list quality.
Umm...what about Brexit?
Yeah I thought you might want to know about that. Just incase you’ve been living under a rock recently, on 23 June 2016 the UK held a referendum to decide whether or not to remain in the EU and the majority voted to leave it.
After the negotiations around how exactly the UK will leave the EU have finished, we will (hopefully) be left with a clearer idea about the extent to which the UK continues to comply with and/or keep up with EU laws and requirements and remains within or outside the European Economic Area.
Either way, it’s most likely that the UK will still be in the EU by March 2018, however, there are some ways you can prepare from a Brexit standpoint:
Start to consider which parts of your business operations are established in the UK and may be affected by GDPR.
Identify any of the personal data flows from the European Economic Area to the UK. (If the UK also leaves the European Economic Area at the time of leaving the EU, the flow of personal data from the European Economic Area countries to the UK will become prohibited without new adequate safeguard measures being adopted).
Monitor the UK data protection authority’s statements on Brexit, GDPR and how to remain compliant – current ICO guidance is to continue to prepare for GDPR.
What if I just do...nothing?
In short, don’t do nothing… which I know is a double negative, but hopefully you get the idea. With the introduction of GDPR, also comes some hefty fines for not being compliant. Fines come in the form of up to €20 Million or 4% of a brand’s total global annual turnover (whichever is higher).
I mean sure, the authorities probably have more on their hands than going after every company who breaks the law, but they will rely on customers to report any breaches as well. Basically it’s best to comply and not put yourself and your company at risk.
Resources on GDPR:
Full law text: General Data Protection Regulation (GDPR), as of April 27th 2016
DMA UK: Webinars, facts, and updates about GDPR
European Commission Fact Sheet: Questions and Answers on Europe’s Data Protection Reform
European Commission: Protection of Personal Data
ICO (Information Commissioner’s Office, UK): Preparing for the General Data Protection Regulation (GDPR) - '12 Steps to Take Now.'
Any legislation change can be daunting, but fear not, we’re here to help! If you need any help with sorting out email practices before March 2018, get in touch and we’ll get one of our email consultants to help you out - www.enablermail.com