GDPR and Marketing
Author: James Koons, Chief Privacy Officer
The General Data Protection Regulation (GDPR) is a new privacy regulation that comes into effect on May 25, 2018. The regulation, which supersedes the Data Protection Directive, is intended to strengthen and unify data protection for all individuals within the European Union (EU). It introduces harsher fines for non-compliance and breaches and gives EU citizens more control over what companies may do with their data. It also standardizes data protection rules across the EU member states.
This new approach to online data privacy puts data subjects first, believing they should be adequately protected and empowered, rather than exploited for the financial gain of others. With the introduction of the GDPR, regulators now have a way to hold organizations accountable for their actions. EU regulators believe that most companies have been exploiting personal data for their own gain and have not been transparent about their practices.
Organizations will now be required to incorporate privacy settings into their digital products and websites, and these will need to be enabled by default. Companies also need to regularly conduct data privacy impact assessments, strengthen the way they seek permission to use the data, document the ways they use personal data and improve the way they communicate data breaches.
Because the GDPR is a regulation, it is legally binding: it cannot be opted out of or simply ignored. It has few exceptions and needs to be taken seriously by any organization processing the data of EU citizens. Failure to comply with the GDPR could result in fines of up to €20 million or 4% of an organization’s global turnover.
The GDPR & Email Marketing
At a glance, the GDPR certainly seems daunting with its 173 recitals and 99 articles, especially for smaller organizations. Depending on the size and scope of a company’s marketing program, GDPR compliance could be a simple task or an absolute nightmare. To get organizations started, Inbox Pros points out three key areas email marketers should focus on now: data permissions, data access and data collection.
Data permissions refer to how an organization manages opt-ins. These are email recipients who have requested to receive promotional material. An organization should never assume a recipient wants to be contacted. The recipient needs to express their consent in a ‘freely given, specific, informed, and unambiguous’ manner, which is reinforced with a ‘clear affirmative action’.
This means any leads, prospects, customers, partners, etc. need to explicitly confirm that they wish to be contacted. You need to make sure you have actively sought (and not assumed) permission from your prospects and customers, confirming that they want to be contacted. Pre-checked boxes that automatically opt recipients in are no longer allowed; an opt-in must be an affirmative action on the part of the recipient.
The ‘right to be forgotten’ is one of the most talked-about rulings in the history of the EU Court of Justice. It gives data subjects the right to have outdated or inaccurate personal data removed and has, in some instances, already been implemented by companies such as Google, which was required by the ruling to remove pages from its search results in order to comply.
The introduction of the GDPR gives individuals a method to gain more control over how their data is collected and used – including the ability to access or remove it – in line with their right to be forgotten.
As a marketer, you need to ensure your users can easily access their data and withdraw consent for its use. This can be as straightforward as including an unsubscribe link in your marketing communications and linking to a preference center that allows a user to manage their email preferences.
In general, marketers tend to collect more data from a person than actually needed to carry out the intended processing. Organizations should evaluate what data they are collecting and determine if it is necessary. If you are just sending an email newsletter, what other information about a recipient would you really need outside of their email address and maybe their name?
The GDPR requires organizations to legally justify the processing of the personal data they collect (a legal basis for processing). This means email marketers should focus on collecting the minimum data they need rather than asking for data that may be “nice to have” or “just in case we need it later.” If there is information you need to know from a person, and you are able to justify why you need it, you can most likely continue to collect it. Otherwise, organizations should avoid collecting unnecessary data and stick with the basics.
Inbox Pros Can Help
Time is running out, and the months leading up to May 2018 could be challenging for businesses across Europe as well as for international businesses that process the personal data of EU citizens. The GDPR is a game-changer in terms of how organizations handle personal data. It is important to become informed and to have a GDPR game plan. At Inbox Pros, we’ve successfully helped email marketers, marketing agencies and vendors with GDPR assessments and risk analysis. Clients within the EU, as well as many US-based organizations that do business in the EU, have benefited from our GDPR planning and analysis offerings.