If you’re an email marketer, you’ve probably been hearing “GDPR” thrown around a lot lately. It stands for the General Data Protection Regulation. If you haven’t already, you need to start preparing for it, especially if you do any business internationally or collect personal information from people in Europe. This European legislation can and will affect the way you collect, manage, and send to the email contacts in your database. It becomes enforceable on May 25, 2018, and it applies to organizations outside the EU that process the personal data of people in the EU.
*As a general rule of thumb, even if you do not believe that you keep personal data records on European citizens, Europe has been known to set the tone for privacy standards internationally, meaning you’ll likely need to be aware of these regulations at some point.
What is it?
GDPR is a new privacy regulation adopted by the European Parliament and Council in April 2016. Its general purpose is to protect the privacy rights of people in the EU and grant them additional rights to demand an explanation of, corrections to, and removal of their own personal data from an organization’s database if they see fit. It also extends existing laws by raising the bar for consent and provides further
Who is affected by it?
I thought this was ‘Murica, this doesn’t affect me, right?
If any part of your contact database contains personal data from people in the EU, you’ll want to get acquainted with this new law. If you use that data for marketing your products or services, this legislation also requires you to keep up-to-date consent records for each individual, even if you don’t plan to market to them in the near future. You’ll need to ensure that you’re storing and disposing of personal information in a way that’s in line with the new legislation.
That means you’re required to:
- Update personal data regularly
- Dispose of data in a timely fashion, especially if a person has requested their data to be removed from your systems
- Provide a detailed record of personal data stored in your systems upon request
- Take responsibility if any personal data gets into the wrong hands in a security breach, which under GDPR includes notifying the supervisory authority within 72 hours of becoming aware of the breach where feasible
What does GDPR consider personal data?
GDPR outlines an extremely broad definition:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
So, if you’re planning on collecting personal identifiers such as names, email addresses, phone numbers, or any combination of data that can be used to identify someone, you’re going to want to start paying attention to this.
What’s the Worst that could happen?
Penalties for violations of GDPR can be substantial. For the most serious infringements, fines can reach up to 4% of a business’s annual global turnover or 20 million Euros, whichever is higher. I won’t bother converting that to U.S. dollars for you, but let’s just say you’d have to cash in all of your Bitcoins if you have an unfortunate cybersecurity breach when processing personal data.
What should I do to prepare?
I know your initial instincts are telling you to cut ties with European contacts, shred any evidence and move out to a cabin in the woods, but that would be crazy. Besides, who even keeps a paper shredder anymore? Simmer down. The good news is that you still have time to get your act together. The regulation doesn’t become enforceable until May 25, 2018. Don’t count on a later date for U.S. companies, though: from that day it applies to any organization, wherever it is based, that processes the personal data of people in the EU. But, just in case you forget, click the link below to be reminded a week before.
GET MY SHIT TOGETHER! – Add to Google Calendar
Step 1. Be sure that everyone on your list is opted-in.
For starters, go ahead and uncheck that pre-checked box that drops everyone into your weekly cat video email newsletter. Under GDPR, consent has to be a clear affirmative action by the subscriber, so a pre-ticked box won’t hold up in court. Those gatos will cost you a pretty penny if you email the wrong person. Next, be clear and concise about what people on your website are opting into. Then do a quick sweep to make sure you’ve removed anyone who asked to be unsubscribed from your list, even if they didn’t find the nifty and obvious unsubscribe button at the very bottom of your emails.
Step 2. Start keeping detailed profiles of email recipients.
When and if a subscriber ever requests what personal data you have on file about them, you’ll want to make sure you’ve kept up-to-date contact and consent data. GDPR puts the burden on you to demonstrate that consent was actually given, so record who consented, when, how (which form or checkbox), and what they were told at the time.
Step 3. Lock-up or destroy any physical files containing personal data.
Even if you’re just holding on to a printed list of attendees from an event you held, that data is valuable to someone, especially if it contains contact or address information. Collecting data on paper is fine as long as you’re clear on exactly why you’re collecting it. These files should be destroyed in a timely manner as well. GDPR’s storage limitation principle says a person’s data should be kept no longer than necessary for the purpose it was collected for.
Step 4. Get familiar with the privacy policies of your email software.
Your email service provider processes personal data on your behalf, which makes it a “processor” under GDPR. Find out where it stores your contacts, what it does with them, and whether it will sign a data processing agreement with you, because GDPR requires one between you and any processor you use.
Step 5. Hire out
If a large enough portion of your business involves clients in Europe, consider hiring a consultant or having an attorney go over your data collection and usage processes with you. The penalties are far too high to take risks here. Hire a professional who can make sure you’re complying with GDPR. It’ll save you a major headache later.
There is far more to GDPR than could possibly be covered in one blog post, but if you’re interested in combing through mountains of legalese, be my guest. The document, in its entirety, exists here.