What is General Data Protection Regulation (GDPR): An Introduction

The alleged data breaches by Cambridge Analytica and Facebook recently has increased an ongoing concern about the safety of personal data from identity theft, hacking, cyber-attacks and even unethical usage. The GDPR or General Data Protection Act has been introduced by the European Union to safeguard its citizens’ interests through the standardization of mechanisms and data privacy laws across all industries. The act, which comes into being from 25th May aims at empowering EU citizens to protect their personal information and also to make them aware of what data is held by various institutions.

8 Individual Rights under GDPR

Right to Be Informed

Right to
Be Informed

Individuals have the right to fully understand how personal data are collected, stored, managed, protected and processed.

Personal Data

Right to
Access Personal Data

Individuals have the right to review their data and any supplemental data and understand how their data are stored and used.

Automated Decision Making

Right to Reject
Automated Decision Making

Individuals have the right to request manual processing for any decisions made with their data.

Correct Personal Data

Right to
Correct Personal Data

Individuals have the right to update, supplement or correct incomplete or inaccurate data.

Personal Data Deleted

Right to have
Personal Data Deleted

When no compelling reason exists to retain such data, individuals may request the deletion of personal and supplemental data.

Restrict Processing

Right to
Restrict Processing

Individuals may request that their data not be used for specific purposes.

Stop Processing

Right to
Stop Processing

Where data retention is required individuals may request that their data not be processed in any manner.

Data Portability

Right to
Data Portability

Individuals may request transfer of their data to another organisation or person for storage or processing.

Source: https://www.dlp.org.uk/gdpr/

Effects of the GDPR Act on Email Marketing

How is email marketing likely to be affected by the GDPR?

Empower Email Subscribers

Empower email subscribers

The GDPR would empower all EU citizens with data privacy rights. This would enable them to be data portable. This in other words means that they can either access or erase their personal data from any email marketer’s data base without any specific authorization.

Personal Data Breaches

Personal data breaches

In terms of vendor management also, as per the provisions of the GDPR, if person- al data of an email marketer’s clients are accessed by external vendors, thereby substantially increasing the data’s exposure, such vendors shall accept full respon- sibility of all data accessed. Also, any non-EU organisation that works with an EU financial institution or bank that serves EU citizens, compulsorily needs to ensure vigilance when sharing data across borders. The GDPR seeks to impose end-to-end accountability that in turn would ensure full protection of client data not only by banks but all their support functions as well.

Pseudonymization of Personal Data

Pseudonymization of personal data

Provisions of the GDPR are also applicable to all potential client data, be it during its development process, in any live production environment or even in the midst of testing programmes. Data is often masked across non-production environ- ments to hide client data that is sensitive. Under GDPR provisions, all data must be pseudonymised into artificial identifiers in the live production environment.

These pseudonymisation rules or data-masking aims to ensure that data access stays confined to the realms of the ‘need-to-know’ obligations. Thus, given GDPR’s wide reach, financial organizations will now have to either create new systems or re-model their existing systems based on ‘Privacy by Design’ principles.

Penalties for Non-Compliance

Penalties for non-compliance

The Act it seems, is a stringent one and penalties for violations rather severe. If the offending party fails to gain the required consent for processing data or deliber- ately breaches the privacy of an individual, the fine could go up to €20 million, or 4 per cent of the offending party’s global turnover, whichever is more. Lesser vio- lations like improper records maintenance or failure to promptly notify concerned supervisory authorities could lead to fines worth 2% of the offending financial in- stitution’s global turnover.

Email Deliverability

Fewer subscription losses and spam complaints with improved email deliverability

As the GDPR takes stringent measures to strongly protect and subsequently make use of subscriber data correctly, it will guide the email marketer to transmit more targeted, relevant and permission-based emails to his subscribers. And that would inevitably translate into the development of greater trust between the email mar- keter and his subscribers, fewer subscription losses and spam complaints as also more efficient email deliverability. So it’s a win-win situation all the way!

10 Myths about GDPR for
Email Marketers

With the EU passing the GDPR, certain misconceptions and myths,too have arisen. This is more so as a segment of email marketers are un-aware of its nuances or are still confused by certain stipulation that it has put forward. These are as follows:

Myth #1

Re-engagement emails need to be sent to all existing subscribers for reconfirming consent:

The general idea is that all your customers must recon-firm their consent so that they are GDPR compliant. The fact is that the GDPR stipulates whether the email marketer can prove consent from his subscribers or has other legal reasons for data processing. GDPR checkboxes need to be added to all signup forms: An- other rumour is that checkboxes need to be added to your signup forms if you want to be GDPR compliant. These are also being called GDPR-friendly forms.

The fact is adding checkboxes is purely optional and there is no specific mention in the GDPR for addition of checkboxes to signup forms. Rather, it spells out that you have to communicate clearly how you intend pro- cessing the personal data of your subscribers, either by way of using descriptive sentences or a checkbox. The choice is entirely yours.

Myth #2

Any personal subscriber data already exiting in an e-mail marketer’s database doesn’t come within the purview of the GDPR:

Be it clearly known that the GDPR applies to all and any personal data even if it’s prior to 25th May, 2018. If consent for all of existing subscribers can’t be proved, the email marketer needs to send re-engagement emails to obtain their consent.

Myth #3

Double opt-in is mandatory to be GDPR-compliant:

A confirmed opt-in, also called double opt-in happens when a subscriber signs up for a newsletter, say, and is subsequently asked to confirm his subscription also. There is a perception that the GDPR is stipulating that double opt-in will be compulsorily required to prove consent, which is surely incorrect. The GDPR on the contrary, simply requires proof of compliant consent. As a person enters his personal information on a signup form and clicks submit. It will be accepted as an affirmative action, provided he was clearly informed of the information that is being accepted.

Myth #4

Non-compliance with the GDPR by 25th May will result in stiff fines:

Even though there are provisions for imposing fines in the GDPR, its fine print indicates that fines will be imposed as a last resort for stubborn non-compliers. Rather, initial non-compliers will be served notices, reprimands and corrective orders first before being fined. This may tarnish their image but won’t burn holes in their pockets immediately. Thus those email marketers who are following ethical practices already stand to remain protected.

Myth #5

It’s the service provider’s responsibility to be GDPR compliant if the email marketer’s data is stored with him:

This is one major myth doing the rounds and needs to be busted immediately. The GDPR has clearly stated that data controllers and data processors share equal responsibility for GDPR compliance. Thus, the email marketer cannot shrug off this responsibility by passing it on to a service provider processing the data on his behalf and this again calls for a clear demarcation and understanding between the two to work out their roles and relationship with regard to the processed data.

Myth #6

Only data/tech teams need to comply with GDPR stipulations:

The GDPR is an all business encompassing issue that directs everyone to respect personal data and just not data/tech teams that work in email marketing. This implies that even the email marketing firm’s CEO will be accountable if he is found guilty of non-compliance. This is more applicable to companies that are publicly listed and where every member of their Board of Directors is equally responsible.

Myth #7

Any information classified as personaldata needs the same treatment:

This yet another misconception doing the rounds as proper classification of personal data takes place ac-cording to privacy levels as also threats that exist or may arise to the basic freedom and rights of an individual. For instance, personal data may be classified under “private, public or restricted” categories while also associating appropriate privileges with the organization’s hierarchy.

Myth #8

Only those companies operating within European Union limits will be affected by the GDPR:

Yet another myth that needs immediate correction.The GDPR shall affect any business which collects and/or processes any EU citizen’s personal data, re- gardless of whether he is based within or outside Euro- pean Union limits.

Myth #9

When multiple companies use common consumer data, an individual member may be held responsible for a data breach:

The GDPR stipulates that it’s the data controller’s re- sponsibility to ensure that proper contracts are in place with each individual processor, involved in personal data processing operations. It is also clearly mentioned in the Act that both the controller and processor shall guarantee to implement appropriate organisational and technical measures in a manner that meet GDPR requirements to ensure that the data subject’s rights are protected.

Any breach of the above mentioned condition could result in the supervisory authority slapping sanctions on each processor involved in the chain. The processor may be directed to cease processing immediately while the controller may also be penalized for not taking nec- essary steps to guarantee personal data protection which he was entrusted with.

Myth #10

Small email marketers are exempt from GDPR rulings:

The fact is that any business, be it in the private or public sectors or be it an NGO or charitable organization, falls within the purview of the GDPR. In other words, any busi- ness which collects and/or processes personal data during the course f its day to day operations will compul- sorily need to be GDPR compliant, regardless of its size.

In sum, ever since it has come to public notice that the GDPR is to be implemented with effect from 25th May 2018, a certain segment of businesses have expressed some sort of scepticism about it. These business owners feel that it would be more of a hindrance to businesses as it smacks of red tape and also implies that email marketers can’t contact their subscribers as and when they want to.

How to be ready for the GDPR?

Given its clear stipulations and stringent guidelines, it goes without saying that as an email marketer you have to be ready for the GDPR. But how? First and foremost, you need to check if the provider of your email service is GDPR compliant.

Then there are two other important factors that need to be borne in mind: Consent language; and ways to ask for consent. Here it may be mentioned that first, your language has to be clear, straightforward and easily comprehensible. Confusing terminology and legal jargon are best avoided while using consistent methods and language across numerous consent options is advisable. Specific and concise consent requests are more in order and blanket or vague wording is a no-no.

An example of a well drafted consent would be a clear message like: “If I check this box, I hereby agree to receive any personalized email marketing offer from [your company’s name] in accordance with your policy for data protection [give the link to your company’s policy]. I can also unsubscribe from such communications by clicking the unsubscribe link at any time.”

When asking for consent, clearly mention by way of an opt-in consent box clearly explaining that you are gathering their information to send a marketing email and which the client is free to unsubscribe at any moment. You could also go for a double opt-in which implies that the user will receive a confirmation message after signing up. This will subsequently allow him to validate his email address to complete his subscription procedure.

Things to do when requesting for consent

Things to Do
Checkbox

Keep the consent request separate from the general terms and conditions as the GDPR stipulates that consent cannot be a precondition for signing up for a service, unless it’s absolutely necessary for that particular service.

Checkbox

Avoid using pre-ticked boxes, or any other method that involves consent by default.

Checkbox

Specify clearly why you are asking for the data and what it’s going to be used for.

Checkbox

Give granular options for consent to operations that involve independent processing.

Checkbox

Your organisation’s full name as also the names of all third parties involved.

Checkbox

Options to withdraw consent or to allow an individual to refuse consent without detriment

Checkbox

Seek parental-consent and age-verification when offering services to children directly.

Re-permissioning for GDPR

If your existing permission doesn’t quite meet the high standards of the GDPR, or is poorly documented, fresh consent that is GDPR-compliant will be required. Alternately, you may have to adopt a different basis for processing, or even stop it while deleting all existing data.

Post GDPR, re-permission campaigns will need to be based on the following:

Bullet

No mails to be sent that simply asks for a consent or opt-in. Rather, mails reminding customers of your newsletter’s benefits with a request to confirm if they desire to receive such valuable information are to be transmitted. Selfridges for example has sent out a mail emphasizing the importance of its newsletter that reminds you of special occasions to make purchases.

Bullet

Send multiple re-permission mails over time containing different content.

Bullet

Keep both “YES” and “NO” buttons in your emails which would allow you to exclude those who said “NO” in re-permission emails in future. Nordstrom has given multiple options for opt-in by giving customers the choice to keep receiving regular mails, receiving fewer mails and even unsubscribing.

Bullet

Use other channels like Facebook to get re-permission to target the newsletter list. The information contained in the re-permission campaign is clear, concise and transparent and incentives are offered. School of Life for example, offers a 10% discount on its online store while Hubspot gives context while also asking for an opt-in.

Pepipost's GDPR Compliance

Will Pepipost be GDPR compliant on May 25, 2018?

Pepipost is preparing for GDPR and will be updating its Privacy Policy soon, hence its in process. In fact, Pepipost is undergoing a comprehensive service review by an industry-leading privacy consulting firm (RSM Ireland) to ensure it will meet GDPR requirements. Our pledge to data protection and right of Individual data is top priority and we are taking steps to ensure that happens.

Has Pepipost certified under Privacy Shield?

No. But, Pepipost in currently in the process of getting certified under EU-US Privacy Shield. Once ceritified the information will be updated in our privacy policy.

Does Pepipost retain the content of the email I send? Is this compliant with GDPR?

No, Pepipost does not retain the content of the emails you send. Email packets most of the time remains in the transient state on Pepipost servers except for few short-term cache which was a result of internal queues or message delivery failure. This cache is also for a defined period of time while it retries the sending of the email. GDPR does not state a rule as to the length of time of retention of information, and hence, this is completely compliant with GDPR.

Does Pepipost transfers/process the data outside of EU? If so where too?

Pepipost is a global company and hence it's platform and data is distributed across various data centers to provide high availability to our customers. But, keeping the GDPR in mind, we have deployed a dedicated infrastructure in EU (Datacenter: DigitalOcean), to serve the EU customers locally. This infrastructure is completely isolated from the rest of our setup, to increase the privacy and data security level for all our EU customers.

In the meanwhile we have created a dedicated set up in EU to help our EU customers. This set up will be available to customers from 25th May'2018.
If you want to shift your email volume to our EU setup please write us an email on support@pepipost.com

Conclusion

Conclusion - GDPR is actually good!

It needs to be borne in mind that the GDPR is just not about businesses only. Rather, it’s more about protecting the personal data of EU citizens for their own good. Moreover, it is also expected to reduce dead and/or redundant data, create more interested potentials and provide email marketers with a richer database of committed and engaged subscribers. In the long run, therefore, email marketers will stand to thank the GDPR for the protection it offers to them.

Disclaimer: The information provided here is only for better understanding of GDPR impact on email marketing and cannot be relied upon for any legal advice. You may consult your own professional advisors before taking, or refraining from taking, any particular course of conduct. By reading this article you indemnify Pepipost of any legal implications and cannot hold it responsible for any action pertaining to the information shared in this article.