As you may already know, the EU’s General Data Protection Regulation comes into force in May 25, 2018.
It doubly enforces the importance of ensuring consent when collecting people’s personal data (such as email addresses), and updates some best practices that you may or may not be doing already.
Here at Phoenix Content Solutions, we try our utmost to keep our clients updated with the latest updates in terms of email and content marketing. However, it’s also part of our job to ensure everything our clients (and ourselves) are doing falls under current laws and regulations.
Which is why I felt the need to write this article and explain more about what GDPR means for you, and how it’s going to affect email marketing practices going forward.
NOTE: Using MailChimp? You may or may not also be aware that as of October 31st 2017, MailChimp has also just disabled their auto double opt-in feature – which may catch some people off-guard. However, this feature won’t really cut the mustard anymore in terms of GDPR, so I have some tips below on what you should be doing instead.
Wait… what exactly is GDPR?
To put it simply, it’s a regulation that’s about to come into force with the intention of strengthening and unifying data protection for anyone within the EU.
The primary aim of this is to give control back to citizens and residents over their personal data, along with simplifying the regulatory environment for international businesses by way of unifying the regulations that exist within the EU.
GDPR is set to replace the data protection directive (AKA Directive 95/46/EC) of 1995. The key difference being that it won’t require any legislation to come into effect – so, from next May, it’s going to be “directly binding and applicable”.
How will GDPR affect you?
Basically, every company currently using personal data from any citizen within the EU will be affected. So, most UK businesses, for a start! If you’re collecting email addresses and sending emails to subscribers in the EU – wherever you’re located – you must comply with GDPR.
Think of this new privacy law as a large umbrella of protection covering a vast number of individuals, in key markets such as the UK, France, Germany, Belgium, Finland and other European countries. GDPR covers a lot of what’s already in the Data Protection Act (DPA).
And very similarly to the DPA, GDPR refers to two types of data; ‘personal data’ and ‘sensitive personal data’. The GDPR goes into a lot more detail about exactly how this is defined. So, for instance, something as simple as an IP address can be personal data. This helps to pinpoint a much wider range of personal identifiers that fall under the definition of ‘personal data’.
This is to reflect the change in technology and how people and organisations use it to collect data. If you’re currently a business or organisation that keeps HR records, contact details or customer lists, then any information you hold that falls under the DPA will also apply to the GDPR.
However, unlike the DPA, the GDPR applies to both automated and personal data – along with manual filing systems. This may include things like manual records or anything that contains personal data.
How will GDPR impact on email marketing?
If you’ve been happily email marketing away, testing and engaging with your email list, I’m sorry to burst your bubble, but you should really listen up to this next bit.
To summarise, what GDPR means in terms of email marketing is as follows:
- Right now it’s okay to collect data and email market to visitors without specifically telling them you’re going to use that data to send marketing messages. This will stop being legal in May 2018 – for those visitors coming to your site within the EU.
- You’ll only be able to send emails to those who have opted-in to receive them. This has been the case for some time in a few EU countires, however now GDPR also specifies the nature of consent that’s required. It must be “freely given, specific, informed and unambiguous” to be compliant with GDPR.
- Your signup process must inform subscribers about your brand, and provide information about the purposes of collecting personal data.
- From May 2018, you must be able to show and provide evidence that you’ve complied with GDPR if challenged. This means the burden of proof around consent falls to you.
- You will need to begin storing consent forms (I’m hoping this is something that platforms like MailChimp and LeadPages will begin addressing soon)
So, what about the contacts you already have? Well…
- If you have subscribers in your database whose permissions haven’t been collected according to the new GDPR’s standards, or even if you don’t have sufficient proof of this consent, you may have to stop sending emails to these subscribers.
- It’s highly recommended that you begin running re-permissioning campaigns to these existing subscribers before May 2018.
What to do right now
My advice for now is that it may be more effective to introduce a couple of small tick-boxes on any landing pages you have, so that visitors will know they’re signing up to emails, the purpose of these emails, and that their contact details will be safe in your hands. I’d also recommend you begin recording all opt-ins as early as possible.
We’d highly recommend keeping an eye on the UK data protection authority’s statements on Brexit, GDPR, and how you can stay compliant.
What happens if you don’t comply?
This is really not advisable. You might have to pay quite a painful fine for ignoring GDPR or just not being compliant – as much as £20 million (or 4% of your total global turnover – whichever is the highest).
If you’re a relatively small business, you could argue that taking a gamble on the basis that it “won’t happen to you” might be okay – after all the relevant authorities probably have better things to do than go around chasing every company who breaks the law – but your customers will be able to report any breaches. Trust us, it’s not worth the risk.
Official resources on the EU’s GDPR:
- The Full law text: General Data Protection Regulation (GDPR), as of April 27th 2016
- European Commission Fact Sheet: Q&As on Europe’s Data Protection Reform
- DMA UK: Access to updates, facts and webinars about GDPR
- Protection of Personal Data (European Commission)
- ICO (Information Commissioner’s Office, UK): Preparing for the General Data Protection Regulation (GDPR) – ’12 Steps to Take Now.
Need help? Get in touch with us today
Are you concerned about the new legislation and whether you’ll be ready in time? We’re right here to provide free, impartial advice to get you up to speed with your email practices before May 2018.
Simply get in touch ASAP, and one of our friendly team will be able to advise.