In this guide, we’ll break down the new General Data Protection Regulation (GDPR) law that takes effect on May 25th 2018. We’ll look at what GDPR actually means, who needs to pay attention to it, what you need to do, how it will affect your email marketing strategies, and what happens if you don’t comply with the new GDPR law. By the end of this guide, you should have a thorough understanding of the new rules and why they are important for your business and for the protection of your clients’ data.
Here’s everything you need to know about GDPR (click on the title to get to the right section of the guide):
- What is GDPR?
- What are the key changes of GDPR?
- What does GDPR mean for email marketing?
- What does GDPR mean for consumers?
- How does the GDPR impact your business?
- What do you need to do before the law takes effect?
- What happens if you don’t comply with GDPR?
- Is GDPR a good thing?
Don’t forget to read the Mailigen GDPR Q&A where we answered some of our customers’ specific questions!
What is GDPR?
In short, the General Data Protection Regulation (also known as GDPR) is a policy that applies to all businesses that process information of EU-based data subjects. The policy focuses on protecting the personal information of consumers and gives people more control over how their data is used within companies. The new GDPR will protect European citizens from companies that frequently use their data, and even sell it to third parties, without the citizens knowing what’s going on behind the scenes. One of the clearest illustrations of this problem came from the Cambridge Analytica scandal, in which the data of 50 million unsuspecting Facebook users was used in order to manipulate the 2016 US election. Under the GDPR, businesses will instead need to demonstrate clearly given consent if they want to use anyone’s data.
Your data and personal information is most likely being used and abused – and it’s time to take back the control.
What are the key changes of GDPR?
The GDPR highlights several key changes that will occur with the law. They include the following:
- Increased Territorial Scope
Regardless of the company’s location, the GDPR will apply to all data subjects residing in the European Union (EU). Non-EU companies that process the data of subjects residing in the EU will need to appoint an EU representative who will monitor their data-handling behavior within the EU.
- The right to consent
The GDPR law strengthens the conditions for consent. As a business, you will have to request consent in an easily accessible form and state every purpose for which the data will be processed. The form must be clear, simple, and understandable to everyone.
- The right to access data
One of the biggest key changes outlined by the GDPR is the right of data subjects to access their data. They will be able to see how their data is processed, as well as where and for what purpose. This information needs to be available in an electronic format and needs to be free of charge.
- The right to be forgotten
Another important highlight of the GDPR is the right to be forgotten, also known as Data Erasure. The data subject has the right for their data to be completely erased – this also includes the case of the data being used by third parties.
- The right to privacy by design
The GDPR also highlights privacy by design as a legal requirement. The data controllers will need to hold and process only necessary data and limit the personal data access to only those that have to be involved.
- Data Protection Officers
GDPR calls for internal record-keeping requirements, overseen by the Data Protection Officer (DPO). The DPO is only appointed in the case of large companies that require regular and systematic monitoring of data subjects. The person holding the DPO position must have expert knowledge of data protection law and practices. However, the DPO may also be an external service provider rather than a staff member. The DPO must be provided with all the resources necessary to carry out their tasks. All findings and questions must be reported to the highest level of management.
What does GDPR mean for consumers?
The GDPR changes the way personal data is handled by organizations – this includes email marketing. One of the biggest differences that can be noticed will be the complete transparency. A consumer will now be able to see exactly how their data is being used – not only by the original company, but also by any third party companies involved.
The consumer’s rights will now be a first priority: they will not be charged for exercising their right to access data (unless the request is unfounded, excessive, or repetitive), and they will be able to take their data with them (data portability) when their accounts are closed.
Consumers will be informed of their new rights from the moment they first opt in – no more complicated language in the terms of service. This language will be simple and easy to understand. In case the consumer has concerns, the company, together with the appointed DPO, will need to address those concerns as soon as possible.
How does the GDPR impact your business?
With the deadline fast approaching, a business should learn about the GDPR policies as quickly as possible. It has been noted that unless you have already started complying with the GDPR, it might take a year or longer before all the policies are in place and everyone in the company is on the same page about data handling and privacy.
It’s important to note that GDPR also applies to non-EU businesses that handle clients based in the European Union. If your business offers any kind of services or goods to EU residents, it will need to comply with the new GDPR law.
Your data will need to be clearly organized in order to make sure all processes can be easily shown to the customer. This also means that you need to inform your customers about any kind of offer segmentation strategy your business might practice based on the subject’s data. All this information needs to be clearly presented in the opt-in.
If you’ve collected any data without an opt-in before the GDPR deadline, you will need to re-request consent in order to comply with the law. If you don’t have sufficient and clearly displayed consent, the data cannot be legally processed.
How to comply with GDPR with Mailigen:
Mailigen allows you to use segmentation strategies, completely customized signup forms, merge tags, re-activation templates, automation strategies, and plenty of other tools that will allow you to easily comply with the GDPR law and make the most out of your new email marketing strategies.
What does GDPR mean for email marketing?
Aside from your business, the strategies that will be affected the most are your marketing and email marketing strategies.
Here’s an example of the GDPR law in action: If someone wants to download a freebie and all they need to do is fill out their email address, you need to make sure that the copy clearly presents the way their data will be used, including whether or not they will be added to an email marketing list and receive future newsletters. If a customer does not agree to opt-in for that newsletter, they have the right to be forgotten instead of being entered into a drip campaign – you are not permitted to use their data further than the download of that freebie if you don’t have their consent to do so.
What you would need to do in this case is create an autoresponder strategy for everyone who opts in through the downloadable freebies. Send them a notification that states they will be added to your email marketing newsletter and clearly address how and for what purpose you will use their data. You also need to state how often you will be using the data and whether any third parties are involved.
Make sure you prepare and define the newsletter opt-in process for all your subscribers.
Of course, gathering detailed data will also have a positive impact on lead generation and inbound marketing. It will allow you to optimize your emails, create better segmentation strategies, and increase conversions.
Are your current email marketing practices GDPR compliant?
- Do you allow your subscribers to be completely removed from the list when they unsubscribe?
- Does your opt-in come with checkboxes that aren’t automatically ticked?
- Can you trace back to the exact date and purpose your subscriber opted-in for your newsletter?
- Do you quickly erase the subscriber’s data upon their request to unsubscribe?
- Do you tell your subscriber exactly how their data will be used, including whether any third parties will be involved?
If you answered ‘yes’ to all of these questions, you’re already GDPR compliant!
Remember: When in doubt, always send a confirmation email with every sign-up form and assure your customers that they can opt out of your newsletter at any time.
GDPR email marketing FAQ:
Q: Does this include the emails I take from LinkedIn users from the EU and add them to my database?
A: Yes. By taking data from LinkedIn, you become the data controller – the same rules apply.
Q: Do I need to remove the contacts of non-active EU clients?
A: That depends on the records you have on them. You should always clean your email list and only message active subscribers: send them a re-activation email outlining the new policies, and remove them if you don’t hear from them.
Q: I run worldwide webinars and offer freebies to those that watch. I add their emails to my newsletter. What do I need to do?
A: We recommend running a re-activation campaign for all your subscribers. If you gather data on the location of your users, you can simply send a consent campaign to your EU subscribers and inform them how their email address is being used. We encourage all users to practice the GDPR law worldwide.
Q: What if I work with contractors and freelancers that are in charge of my email marketing?
A: In that case, your contractors are the data processors. You need to make sure the freelancer is GDPR-compliant and aware of the practices they need to follow.
Q: If I was extremely careful with getting consent from all of my subscribers, do I still need to send fresh consent forms under the GDPR?
A: If you can track exactly when, where, and why their data was processed, you already comply with the GDPR. However, we always encourage people to send re-engagement campaigns and clean up their lists if their subscribers aren’t interacting with their campaigns.
Q: I run a big business, how can I keep my subscribers informed about GDPR without overwhelming them?
For more questions, make sure to check out the Mailigen Q&A on the GDPR law.
What do you need to do before the law takes effect?
Companies should start practicing the GDPR rules before they officially take effect. You should examine the data collected so far and keep records of the following:
- Records on the name, email, dates of the consent, location, what the data subject was told at the time, and how they consented
- Any CRM-stored data
- Any kind of medical information
- Any bank details, IP addresses, browsing history and cookies
- All documents and emails associated with that data subject
- Any contract and necessary HR data
- Any third parties that have access to the data
You should also start defining all responsibilities for personal data management and have clear definitions for:
- Labeling and organizing data types based on consumer’s rights
- Ways to handle archiving, retaining, and disposal of data
- Data ownership and appointing administrators
Companies should also follow practices to protect and secure all data they receive. Along with system monitoring and storage security, you should implement the following:
- A system for data protection, access control, and identity management
- Impact assessments
- A system for identifying breaches and notifying data subjects
- Copy that clearly outlines how the subject’s data will be used once they opt in
Data gathering solution: We suggest you hold your entire database to the GDPR standard – this way, you won’t need to worry about creating a separate database for subjects from the EU.
What happens if you don’t comply with GDPR?
While many companies have been preparing for the GDPR over the past few months, there will be those that were not fully informed about the law, or that simply didn’t have the time to take a full look. It’s been reported that 60% of European businesses aren’t GDPR-ready.
The GDPR has a penalty structure with fines of up to 4% of global revenue for any kind of breach.
It’s important to have your records in order; otherwise your company can face a fine of up to 2% of global revenue. The same fine also applies to not notifying the data subject of a breach within 72 hours or not conducting impact assessments.
Is GDPR a good thing?
Of course! The GDPR is absolutely nothing to be afraid of. The regulation simply builds on the Data Protection Directive that’s already in place and most companies are already practicing the existing laws. The GDPR will only strengthen these laws and allow for clear transparency – it will also reshape the way organizations approach data privacy and build stronger security measures in case of any data breaches and external hacking.
High quality data means high quality brand awareness. Companies always strive for clear communications with their customers and guaranteeing high quality data just means that you’re increasing your company’s reputation. In today’s age of data breaches, guaranteeing safe data management produces better leads and higher conversions.
Furthermore, you will now be able to collect more data, including the location of your customers. This also means that your email segmentation strategies can become much more effective.
Following the GDPR law will create a sense of trust between the customers and the business – and who doesn’t want that?
Do you have any more questions about GDPR? Let us know in the comments below! What is the biggest challenge GDPR will bring to your company?