
General Data Protection Regulation (GDPR)

If you plan to use email to market your business in the European Union, you need to know the guidelines of the newly implemented European Union (EU) General Data Protection Regulation (GDPR). The new data privacy and security law became effective on May 25, 2018 and applies to anyone sending commercial email messages to anyone in the EU. Along with stricter regulations, GDPR comes with hefty fines for businesses that don’t comply. Should US-based companies be concerned? Here’s what you need to know.

What Is GDPR and Who Must Comply?

GDPR is a new set of regulations designed to protect the personal data of EU citizens, including how the data are collected, stored, processed, and destroyed. The EU Parliament approved GDPR in April 2016 and gave companies 2 years to comply. And unlike its predecessor, the 1995 EU Data Protection Directive, GDPR expands the geographic scope of the law beyond businesses based inside the EU.

GDPR impacts all organizations that collect and process personal data or behavioral information from individuals who reside in the EU at the time the data are accessed. According to GDPR, personal data are defined as any information that can be used to identify a person. So, in addition to names, location, and identification numbers, personal data also include Internet protocol addresses, social media posts, online contacts, and cookie strings.

This means that your US-based company may still have to comply with the GDPR, even if no financial transactions occur. In addition to businesses that are based in the EU, GDPR applies to companies that:

  • Offer goods and services to EU residents
  • Monitor EU residents’ behavior (e.g., track and collect EU residents’ information to predict their online behavior)
  • Have a website that pursues EU residents (e.g., accepts EU currency, markets in the language of an EU country or provides language translation, offers shipping to an EU country, has an EU domain suffix).

Does Your US-based Company Need to Prepare for GDPR Compliance?

All US-based companies in industries that do business in the EU (e.g., e-commerce, travel, hospitality, and software services) should be in the process of ensuring GDPR compliance. In addition, all US-based companies—especially those with an extensive Internet presence—should be assessing whether any of their business activities and/or database subscribers fall within the scope of GDPR.

But what if you’re 100% positive that the scope of GDPR does not apply to your company? You should still consider meeting the stricter data privacy rules. Data protection is a hot topic these days, and it’s likely that more countries worldwide, including the United States, will adopt more-stringent personal-data protection laws similar to GDPR in the near future.

New, Stricter GDPR Standards

Here, we highlight some of the new GDPR requirements that will have the biggest impact on marketers:

  • Standards for Getting Consent — You can send emails only to people who explicitly give you permission to do so. Although this regulation was already in place in most EU countries, the GDPR is much more specific about consent. To be GDPR compliant, companies must now get affirmative consent that is “freely given, specific, informed and unambiguous.” Companies must also provide information about themselves at the time of consent, as well as the way they intend to use the personal data they collect. For example, using pre-checked boxes, or sending emails to addresses that users provided only to download a white paper, does not meet the new standards for consent.
  • Rules for Consent Record Keeping — The burden of proof that you have an individual’s permission to send him or her emails is on your company. In other words, if you’re challenged about an individual’s consent, you must provide records that show that you complied with GDPR. Not only does this regulation apply to new subscribers, but it also applies to your existing consent data. That means that you’ll need to bring your database up to date to be sure that you have documented proof that the consent you collected from all subscribers meets GDPR standards.
  • Right to Be Forgotten — This new GDPR regulation means that subscribers have the right to have their personal data totally erased from your systems. So, in addition to still having an opt-out function that allows subscribers to easily withdraw consent, you’ll also have to be able to delete all of a subscriber’s personal data upon request.
  • Right of Access — Your company must be ready to respond in a timely manner to a subscriber’s request for the personal data that you’ve collected, processed, or transferred. According to GDPR, an electronic copy of the personal data must be provided free of charge and within 1 month of receiving the request.
  • Right to Data Portability — In addition to having the right to get their personal data from you in a portable or “structured, commonly used and machine-readable format,” subscribers also have the right to have those data transmitted directly to another organization.

For additional information about GDPR, check out these resources: