(This is an update of an article I previously published on My Marketing Skills)
It’s 25th May 2018 and you just received a €20 million fine for data protection infringement.
Do I have your attention?
I assume you this is something you would rather avoid and to be fair heavy fines are likely to be a last resort but there are big changes coming around data protection and you need to be ready – no matter how big or small your business is.
On 25th May 2018, the EU General Data Protection Regulations (GDPR) come into force and they considerably strengthen some of the existing data protection regulations. Critically, the GDPR will apply to any business that processes information for EU citizens.
Simply put if you have EU residents on your mailing list, as clients, customers or members of your membership site, the GDPR applies to you. The fines for non-compliance are big – up to €20 million or 4% of international turnover, whichever is the greater.
The GDPR has many requirements that build on existing good practice and I will cover some of the main ones here. However, as with all laws, this is a complex area and I am no lawyer. Consider this your prompt to look into this in more depth and establish what you need to do to be compliant.
The GDPR covers data processing for personal information, which is anything that either directly or indirectly identifies a person – names, email addresses, dates of birth, addresses all come under this heading. If you are email marketing or running membership sites, this affects you.
Previously B2B communications were held to different standards than B2C communications. This will no longer be the case. Business emails will have the same rights in the future.
Consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
This means no more adding your clients or customers to your mailing list without their specific consent. If you need to email them to deliver a service, consent is not required for this but to add them to your newsletter without consent is definitely a no-no.
For email list building, a default tick on a checkbox that has to be unticked to not subscribe will NOT be permissible. Consent has to be explicit for all the purposes you will use it for at the outset. If you want to change the purposes then you will need to regain consent. Wherever possible consent should also be “granular” allowing people to consent or not to different activities.
The use of the double opt-in is not explicitly mentioned in the GDPR, however, the Privacy & Electronic Communications Regulations (PECR) are a specific marketing extension of the GDPR that are being updated now. They are likely to specify double opt-in requirements. As double opt-in is a legal requirement in countries such as Canada and Australia using the double opt-in is a sensible way to go if you aren’t already using it.
Maintaining records of consent will be critical. Email service providers (ESP) will keep these records but should you delete a list or segment, keep the records of consent. Remember that if you are taking these from a secure server and putting them onto another platform, you will need to put additional measures in place to protect the sensitive data. Data security is imperative.
You could consider linking your ESP to your CRM, if you use one, to record the consent. This may be a feature of your CRM or it may need modification to record this.
If you decide to move ESP and will lose the consent data in the process, back this up and save it before your move so that you do not lose critical information.
Consent also extends to remarketing activity. For example, if you upload your mailing list to Facebook to create a custom audience and then serve targeted ads, you need to say so. If you use this information to create lookalike audiences, you need to say so. If you have Google Analytics and other tracking and you use this for statistical purposes, you need to make this clear.
Consent is not indefinite (important if you are not regularly emailing your list), it is a rolling process and the right to withdraw consent must be as easy as giving consent.
Consent cannot be bundled up in your terms and conditions. It needs to be separate and specific. Your privacy notices will need updating to reflect the right to be forgotten and the right to data portability.
If you share information with any other parties this also needs to be explicit – there can be no generic statements of third parties who cover x, y or z. You will need to name them. If you pass information to them, the rights of your data subjects extend to these partners as do your responsibilities. Auditing where your information goes to and how it is managed is essential.
Privacy notices must be written in easily accessible language not legalese.
The GDPR specifies that consent can only be obtained from children if they are between 13 and 16 (with parental consent). Each country in the EU can set its own limit within this range. If you need to collect data on children, you need to review your systems and what you collect. Otherwise, you may need to consider verifying the age of your customers and sign ups and adjusting your terms.
Subject Access Requests
The right to receive copies of all data and confirmation of how it is processed is written into the GDPR and you cannot charge for this. Want to know what you might be asked? Here’s a good example from a LinkedIn article by Constantine Karbaliotis
A Final Word
These are some of the headlines. It is a complex area that you need to be looking into. For many small businesses the changes will be easy to implement and manage, for some it will be more complex. But knowing what you need to do is the first step in being prepared and ready.
Check what the situation is in your country and what guidance is being produced for businesses. There is a website dedicated to the EU GDPR and if you are in the UK, the Information Commissioners Office (ICO) is the place to start