Perhaps you haven’t given the new European privacy legislation that is due to come into effect in May 2018 much thought yet; then again, you may very well be pulling out your hair as we speak. Is your strategy ready for all the changes? Do you know exactly what aspects you need to comply with?
Under this new piece of legislation, aka the General Data Protection Regulation (GDPR), companies and organisations processing personal data of European Union citizens must be able to demonstrate that they have taken every conceivable technical and organisational measure to ensure that their data subjects’ details are protected.
That also means that marketeers will have to consider data in a new light: what type of information do we have access to, and what kinds of consent did we actually obtain?
What is the impact of the GDPR?
The GDPR is applicable to any company that collects personal data on citizens within the EU. If you collect contact details and send e-mails to people within the EU, you will need to be compliant with the GDPR – irrespective of where your registered office is located.
What changes does the GDPR entail for e-mail marketeers?
The GDPR applies to various aspects of e-mail marketing, in particular to the manner in which marketeers ask for, collect and retain consent. This is what you, as a marketeer, should know:
- Stricter rules on how consent is obtained
Thanks to the new GDPR, marketeers will only be allowed to e-mail contacts who unambiguously agreed to receive their communications. This was not any different under the old legislation but the GDPR has subjected that consent to a number of specific criteria. Consent must be given freely, be specific, informed and unambiguous in order to be legally valid.
Given freely means, for instance, that you can work with a box on your website that subscribers must actively check (in other words, it cannot be pre-checked). Tacit consent, pre-checked boxes or inactivity will no longer suffice.
In addition, the opt-in process on your website must clearly tell your contacts how, why and what personal data you collect. That also applies to your cookie policy! For instance, if you analyse your subscribers’ behaviour to personalise content and ads, your subscribers must also have the opportunity to give or withhold their consent.
This means that a number of practices some marketeers resort to these days to boost and enrich their databases will no longer be automatically lawful under the GDPR.
Did someone leave his or her e-mail address to download a white paper or take part in a competition? If you don’t tell them you are going to use their personal data to send them marketing-related e-mails – and they did not specifically agree to their data being used for that purpose – you will be breaking the law if you add their addresses to your mailing list anyhow.
- New requirements on how to store consent
The GDPR does not only stipulate how consent must be obtained but also compels companies to log and store the consents in question.
Thus, under the GDPR the burden of proof very clearly rests with the corporate sector. This means that you must be in a position to show reasonable proof that you are GDPR compliant when challenged. Keeping screenshots of your forms each time you change them on your website or in your app is one way of covering yourself even better.
Do you wish to be GDPR compliant, boost commitment and reduce the number of people who unsubscribe from your communications? In that case, a preference centre is not a luxury: while you get to streamline your e-mails, your contacts get the opportunity to subscribe to content they really want and to unsubscribe from what they feel is of no interest to them. In other words, you put your target audience in control.
- Bringing your existing data in line with the new standards
Before long, you, as a company, will have to change the manner in which you collect and store information. But there’s more to it than that because the GDPR will also apply to your existing data.
If your database contains subscribers whose consent cannot be produced in line with the GDPR standards, or if you are unable to furnish the relevant proof in relation to a number of contacts, you will no longer be permitted to e-mail the contacts in question. So make sure that you bring any data collected so far in line with the new standard. More than likely, we will see a torrent of reactivation campaigns from companies looking for subscribers to renew their consent before the new GDPR becomes a fact of life.
- Does your entire e-mail program need to be amended?
Stricter privacy and opt-in rules make marketeers fear that their databases won’t expand as quickly as they used to. What’s more, checking, and where necessary amending, the existing opt-in processes takes time and effort.
Some international brands are contemplating introducing separate processes for European visitors and contacts but it will take considerable time and resources to keep both processes up to date. Applying the GDPR to all contacts across the board would be a far easier option.
It goes without saying that a deceleration in database growth will be a direct short-term consequence, yet it also means that you only need to focus on subscribers who want to receive your e-mails with the result that the overall quality of your lists will actually improve. An active list of contacts is far more productive and fosters greater commitment.
The advantage of implementing GDPR throughout your policy: the new EU privacy legislation is one of the strictest in the world, so once you are compliant with the GDPR, chances are that you are also compliant with the data protection legislation prevailing in other parts of the world.
- New data protection requirements
A world without information and knowledge sharing has become unthinkable. A privacy and cyber security policy is not a luxury, but it does require great expertise in, and good insight into, a complex matter.
Don’t be fooled into thinking that the mere encryption of data will make you GDPR compliant. In fact, data encryption should be seen as the minimum standard, one that almost invariably requires additional measures. Companies must offer additional means to protect personal data such as two-step verification and the permanent deletion of data that are surplus to requirements.
Another common misunderstanding: the fact that your data are stored in the cloud does not mean that responsibility for data security suddenly shifts to your cloud and/or security provider!
The GDPR does not only apply to companies that store data but also to companies that process these data. This entails that the GDPR applies to the company itself too, even if it uses external providers to store data for processing purposes.
- What if you do flout the rules?
Aside from stricter rules on consent and the use of personal data, the fines non-compliant companies stand to incur under the GDPR are heftier than ever. Non-compliance with the legislation can result in a fine of up to € 20 million or 4 % of the overall worldwide turnover of your previous financial year (whichever amount is the greater).
And that’s leaving a potential drop in sales due to the loss of customer confidence, brand and reputational damage and possible legal proceedings aside.
Even though it is not clear yet what fines will actually be imposed, there is no denying that the authorities will be able to pursue any brand that violates the GDPR. They will of course rely heavily on consumers who report abuses and will probably prioritise the most serious violations.
That is what happened once Canada’s Anti-Spam Law (CASL) was implemented. There we saw some serious cases, such as that of Compu-Finder, a Canadian training provider which was fined 1.1 million Canadian dollars in 2015. According to the authorities, Compu-Finder had been sending out unsolicited e-mails, including messages in which the unsubscribe functionality didn’t work as it should. To put this in perspective: complaints about Compu-Finder represented 26 % of all CASL complaints in that particular sector.
Subscribe to our GDPR communication!
To help you in the process towards GDPR compliance, we have launched a new biweekly series.
In every issue we will discuss a specific part of the new regulation and of what it means for your e-mail marketing strategy. In addition, we will provide you with useful checklists to allow you to check your own approach and to give you a clear idea of the Flexmail changes afoot so that, come May 2018, you too will be fully prepared for the GDPR! You can subscribe by using the form on the right-hand side of this article.
Already subscribed to the Flexmail newsletter? You can update your preferences using the link in the footer of our newsletters.