What is GDPR, and how does it affect email senders?
What is GDPR?
In simple terms…
GDPR stands for General Data Protection Regulation. It is an EU regulation that significantly extends individuals' ability to control what companies do with their personal data.
GDPR replaces the ageing Data Protection Directive (95/46/EC). The old instrument was only a directive, meaning member states had a certain amount of leeway in the exact rules they adopted.
The new one is a regulation, meaning it is directly enforceable as law in all member states simultaneously. GDPR builds on its predecessor and streamlines an organisation's approach to data protection by giving users control over what data is collected about them, how long it is kept and so on, and by setting out the obligations of data controllers (who decide why and how data is processed) and data processors (who process it on a controller's behalf).
The General Data Protection Regulation (GDPR) takes effect on 25 May 2018.
Reactions from the industry
We spoke to many marketers and email providers about how it is going to affect their business and weren't surprised to receive mixed reactions. A few brands opined that GDPR is going to add a significant burden, while others think that this is the right move to protect citizens.
Whom does GDPR affect?
Anyone who sends email to people in the EU. GDPR is based on where the recipient is, not on where you are: you must comply with it even if you or your company are not based in the EU.
Understanding Consent under the GDPR for Email Marketing
Consent has long been an ambiguous term in email marketing, but GDPR brings in the necessary strictness by requiring brands to obtain a clear, affirmative action from users for the content they are going to receive.
Confirmed (double) opt-in, filling in a paper form that expressly asks for consent to receive emails, or an oral confirmation are examples of clear consent. Pre-ticked boxes on a signup form, business cards collected at an event, data appends bought from list providers and the like are not valid forms of consent. Bear in mind that the controller must be able to demonstrate that consent was given, so record when, how and for what each subscriber consented; an oral confirmation with no record is hard to defend.
Consent is not permanent. Consent given in the past can be withdrawn today, and it covers only the purpose it was given for, so brands have to periodically obtain a "re-consent" from users. Example: consent from a user subscribing to an educational course lapses once the course is completed. If the institute wants to send weekly newsletters after the course, it has to obtain fresh consent from that user.
GDPR itself sets no fixed expiry for consent; as a practical rule, we recommend that e-commerce brands refresh consent at least every two years.
What is Personal Data in GDPR?
GDPR mainly talks about personal data and the special categories of personal data (sensitive data such as health, biometric and genetic data, which get extra protection). Personal data is any data that allows a person to be directly or indirectly identified. Names, email addresses, location data, online identifiers (such as IP addresses and cookie IDs) and identification numbers are a few examples. If you collect or store any of this data, whether in plain form or pseudonymised, hashed or encrypted, it is still personal data and you need to comply with GDPR.
Individual Rights under GDPR
These are few of the important rights GDPR provides for users (data subjects):
- Right of access: the user can obtain a copy of the personal data you hold about them and learn how it is used. This must normally be provided free of charge and within one month of the request (a reasonable fee may be charged only for manifestly unfounded, excessive or repetitive requests).
- Right to erasure ("right to be forgotten"): the user can request that all of their personal data be deleted, and the request must be honoured unless a legal exception applies (for example, a legal obligation to retain certain records). Erasure includes production, testing and backup databases, offline storage, exports shared with your email provider and so on.
- Right to object: the user can object to the processing of their data, in particular to profiling and to direct marketing. An objection to direct marketing must always be honoured: once a user objects, you may no longer send them marketing email.
For the full list of the data subject's rights, refer to Chapter III (Articles 12 to 23) of the regulation.
Here’s what you must do as a business sending emails:
- If your business suffers a personal data breach, you must notify the supervisory authority within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the affected users, you must also notify those users without undue delay.
- You must appoint a Data Protection Officer if your core activities involve regular and systematic monitoring of individuals on a large scale (as large-scale behavioural tracking of email recipients may), or large-scale processing of special categories of data.
5 steps to be GDPR ready
- Thoroughly check your list to find out whether you have subscribers in the EU.
- Obtain re-consent from them before May so that you are GDPR ready, and remove users who do not give consent.
- Maintain transparency with users: they should know what information you are storing and how you are using it.
- Apply these measures to every new user entering your system from now on.
- Where the regulation requires it, appoint a Data Protection Officer to oversee that user data is collected, used and maintained in line with GDPR.