What is GDPR? We’ll tell ya.

For most of you, at the very least you understand General Data Protection Regulation (GDPR) is a game-changer, and the effects and implications are ever-changing. We’ll be updating this blog post with the latest information we have to better inform you on how to optimize your email marketing to stay compliant and effective.

What is GDPR?
General Data Protection Regulation (GDPR) is the new EU privacy regulation related to data protection laws replacing the existing Data Protection Directive (95/46/EC) and adding additional requirements for organizations. GDPR is set to limit the amount of consumer data collected, the length of time it is stored, and how it can be used. The new data protection regimen extends the scope of the existing data protection laws to include all companies, even those outside of the EU if they process the data of EU residents.

When will GDPR be enforced?
GDPR will officially apply on May 25, 2018, after which time companies or organizations not in compliance could be the target of significant fines.

Where does GDPR apply?
GDPR will apply to all 28 EU member states, and to individuals and organizations outside the EU when collecting or processing the data of EU citizens.

To whom who does GDPR apply?
GDPR applies to entities of all sizes that process the personal data of EU residents. These regulations apply to both data controllers and data processors, including third parties such as cloud providers, regardless of their geographical location.

How will GDPR affect email marketing?
To effectively send email marketing communications under GDPR, you will need to collect “a freely given, specific, informed and unambiguous consent” (Article 7). To achieve compliance, you must adopt new practices:

1. Use opt-in permission rules when collecting data;
2. Ensure you have strong proof-of-consent management systems; and
3. Provide tools or contacts through which consumers can request their personal information be removed from your systems.

No longer will you be able to rely on soft opt-in or soft opt-out approaches to collecting data. Some would even recommend using a confirmed opt-in to align with the enhanced permission requirements under GDPR. Third-party data use and user profiling are also within the scope of GDPR, based on its definition to the subjects’ rights (as defined in Articles 15 to 22) that cover but are not limited to; the right to access, be forgotten, correct information, or restrict certain types of processing.

What is the potential fine for violations of GDPR?
The maximum penalty for non-compliant organizations can be up to €20 million or 4% of annual global turnover, whichever is greater. There is a tiered approach to fines that could result in smaller fines, depending on the type and severity of the violation. Additional information can be found here.

How can I send email marketing communications under GDPR?
Even though GDPR changes the marketing landscape, it is still possible to continue your email marketing program. To help with your email marketing objectives, we created a short checklist for your reference:

• Audit your current database.
• Do you know where your contacts are?
• Do you have an audit trail of consent for your subscribers?
• How did they opt-in: Single Opt-in, Opt-out, Confirmed Opt-in?
• How did they get in your database?
• Do you have enough information on permission types and acquisition source to prove consent if needed?
• Review data practices.
• Do you have a privacy policy detailing items like how you collect, store, transfer and process your data using clear and easy-to-understand language?
• How do you communicate this data privacy policy to your recipients?
• Build compliance into upcoming initiatives.
• Build privacy into all new programs and marketing initiatives. Consider GDPR compliance during the development stages so you don’t have to adjust your processes after launching.

I’m not in the EU. Do I need to worry about GDPR?
Yes. GDPR focuses on the personal data of EU citizens, not the geographical location of the organization. Companies not located in the EU but handle and process the personal data of EU citizens will be expected to comply with the legislation. This could also cover a company that manages or processes the data of a third party operating within the EU.

What constitutes personal data?
Personal data refers to any information that can be used directly or indirectly to identify an individual, commonly referred to as Personally Identifiable Information (PII). This can include information like name, email or social address, photographs, bank or credit card information, a computer IP address, and others. Sensitive Personal Information (SPI) will require additional levels of consent to utilize and include information such as, but not limited to medical conditions, religion, sexual orientation, and genetic data.

What do I need to include in my privacy policy?
Consider the following issues when planning a privacy notice. Answer: When, where, who, what, why, and how?

• Where did the data come from?
  • Did you get the right consent?
• When will you use the data?
  • Marketing, profiling, automation or other?
• Why do you need the data?
  • Completion of an order, facilitate communications, or delivery of a product or service?
• Who is collecting the data?
  • Is it obvious who is requesting the data?
• Who will the data be shared with?
  • Include third parties in your policies.
• What data are you collecting?
  • Limit collection the minimal amount of data you require to complete the requested actions.
• How are you collecting the data?
• • Observed, by tracking people online or by smart devices, derived from combining other (third party) data sets, inferred by using algorithms