What is GDPR (the General Data Protection Regulation)

The safety of personal data is a concern across the world. Recent events such as the alleged data breaches by Cambridge Analytica and Facebook brought it further into the main stream. GDPR or the General Data Protection Act has been introduced by the European Union to safeguard its citizens’ interests through the standardization of mechanisms and data privacy laws across all industries.

The act, which went into effect on May 25, 2018, aims at empowering EU citizens to protect their personal information and to make them aware of what data is held by various institutions. While it protects EU residents, it also protects its citizens, no matter where they reside.

Take a look at our guide, to help you understand how GDPR impacts your business, in any country.

• Effects of GDPR on Email Marketing
• 10 Myths about GDPR
• Email Marketing Considerations
• Re-permissioning for GDPR
• Pepipost Compliance
• Conclusion

Effects of the GDPR Act on Email Marketing

Client consent
All email marketers need to explain to their customers why they are asking for their personal data such as name, address, IP address, social media profiles etc. Moreover, they need special permission from their customers if they desire to share that data with any third party. This ensures the customer’s rights to his or her own data.

Empower email subscribers
GDPR empowers all EU citizens with data privacy rights. This enables them to be “data portable”. This means that they can either access or erase their personal data from any email marketer’s database without any specific authorization – meaning, it must be a simple process.

Personal data breaches
In terms of vendor management, as per the provisions of GDPR, personal data is protected when accessed by external vendors. This is because there is an increased risk in the data’s exposure. This means the external vendors has to accept full responsibility of all data accessed.

Also, any non-EU organization that works with an EU financial institution or bank that serves EU citizens, must be vigilant and take all precautions when sharing data across borders. The GDPR seeks to impose end-to-end accountability that in turn ensures full protection of customer, data not only by banks but all their support functions as well.

Pseudonymization of personal data
Provisions of GDPR are applicable to all potential client data, whether during its development process, in any live production environment or even during testing programs. Data is often masked across non-production environments to hide client data that is sensitive. Under GDPR provisions, all personally identifiable data must be pseudonymized into artificial identifiers in the live production environment. These pseudonymization rules or data-masking aims to ensure that data access stays confined to the realms of the ‘need-to-know’ obligations. Given GDPR’s wide reach, organizations will now have to either create new systems or re-model their existing systems based on ‘Privacy by Design’ principles.

Penalties for non-compliance
The Act is a stringent one and penalties for violations are severe. If the offending party fails to gain the required consent for processing data or deliberately breaches the privacy of an individual, the fine could be more than $20 million, or 4% of the offending party’s global revenue, whichever is more. Lesser violations like improper records maintenance or failure to promptly notify concerned supervisory authorities could lead to fines worth 2% of the offending company’s global revenue.

Fewer subscription losses and spam complaints with improved email deliverability
GDPR takes stringent measures to strongly protect and subsequently make use of subscriber data correctly. In turn, this will encourage email marketers to send targeted, relevant, and permission-based emails to their subscribers. This creates greater trust between the email marketer and his/her subscribers. Ultimately, it will result in fewer unsubscribes and spam complaints and better deliverability. It’s a win-win situation all the way!

10 Myths about GDPR for Email Marketers

#1

Opting In All Over Again

Myth
Re-engagement emails need to be sent to all existing subscribers to reconfirm their consent (opt-in). This means that all your customers must confirm their opt-in so that the brand is GDPR compliant. Another related rumor: GDPR checkboxes need to be added to all signup forms to be GDPR compliant, called GDPR-friendly forms.

Fact
GDPR stipulates that if an email marketer can prove consent from his/her subscribers or has other reasons for data processing, they do not have to reconfirm the consent. If you can’t prove it, that is a different story and you will need to ask for permission again.

Adding checkboxes is purely optional and there is no specific mention in the GDPR for addition of checkboxes to signup forms. Rather, it spells out that you must communicate clearly how you intend to process the personal data of your subscribers, by using descriptive sentences or a checkbox. The choice is entirely yours. Be aware that you cannot check your checkbox by default; the user must click the box.

#2

Grandfather Clause?

Myth
Any personal subscriber data already existing in an e-mail marketer’s database doesn’t come within the purview of the GDPR. In other words, it only applies to new subscribers after May 25th, 2018.

Fact
GDPR applies to any and all personal data even if it’s prior to May 25, 2018. If consent for existing subscribers can’t be proved, the email marketer needs to  obtain their customer's consent again.

#3

Double Trouble

Myth
Double opt-in is mandatory to be GDPR-compliant. A confirmed opt-in, also called double opt-in happens when a subscriber opts-in and is subsequently asked to confirm his/her subscription by clicking a link in a confirmation email or other methods.

Fact
GDPR simply requires proof of opt-in consent. For example, a user enters his/her personal information on a sign-up form and clicks the submit button. That “click” is accepted as an affirmative action, provided they were clearly informed about the messages they were signing up to receive.

#4

Get Out Your Checkbook, Slow Pokes

Myth
Non-compliance with GDPR as of May 25th, 2018 will result in stiff fines.

Fact
Even though there are provisions for imposing fines in the GDPR, the “fine print” indicates that fines will be imposed as a last resort for stubborn non-compliers. First time non-compliers will be served notices, reprimands, and corrective orders first before being fined. This Act isn’t being put into place to make anyone money; it’s about compliance. But it’s also about an individual’s right to their data, so being non-compliant shouldn’t be an option as we move forward.

#5

Passing The Buck

Myth
If the email marketer’s data is stored with their email service provider, it’s the service provider’s responsibility to be GDPR compliant, not the marketer.

Fact
This myth is making the rounds and needs to be busted immediately. GDPR has clearly stated that data controllers and data processors share equal responsibility for GDPR compliance. The email marketer cannot shrug off this responsibility by passing it on to a service provider processing the data on their behalf. You may want to review data processing roles and responsibilities spelled out in all agreements moving forward and amend existing ones.

#6

It’s Them, Not Me

Myth
Only our email marketing teams need to comply with GDPR stipulations.

Fact
GDPR is an all-business encompassing issue that directs everyone to respect personal data and not just the teams that work in email marketing. This implies that even the marketing firm’s CEO will be accountable if he is found guilty of non-compliance. This is more applicable to companies that are publicly traded.

#7

Data Hoarders, You Know Who You Are

Myth
I can keep information that I have on my customer that was collected prior to May 2018.

Fact
You will need to be prepared to disclose all data to your customer. GDPR contains language around what data is relevant, and basically, anything that you are not using for relevant purposes should be deleted. That includes anything you already have in your files. If you are holding on to information provided by a third-party data source, you probably have some data cleaning to do. This does not include anonymous data that you may be using in aggregate for statistical purposes.

#8

What Happens In The EU, Stays In The EU

Myth
Only those companies operating within European Union limits will be affected by the GDPR.

Fact
GDPR affects any business which collects and/or processes any EU citizen’s personal data, regardless of whether the business is based within or outside European Union limits. You should be asking yourself how you will know if your customer is a citizen of the EU.

#9

Taking The Fall For Everyone Else

Myth
When multiple companies use common consumer data, an individual party may be held responsible for a data breach.

Fact
GDPR stipulates that it’s the data controller’s responsibility to ensure that proper contracts are in place with each individual processor involved in personal data processing operations. It is also clearly mentioned in the Act that both the controller and processor must guarantee to implement appropriate organizational and technical measures in a manner that meets GDPR requirements to ensure that the data subject’s rights are protected.

Any breach of the above-mentioned condition could result in the supervisory authority slapping sanctions on each processor involved in the chain. The processor may be directed to cease processing immediately while the controller may also be penalized for not taking necessary steps to guarantee personal data protection which he was entrusted with.

#10

Nah, This Is Just For Big Companies

Myth
Small email marketers are exempt from GDPR rulings.

Fact
The fact is that any business, large or small, charitable or for profit, falls within the purview of GDPR. In other words, any business which collects and/or processes personal data during its day to day operations will need to be GDPR compliant, regardless of its size.

Email Marketing Considerations

Given its clear stipulations and stringent guidelines, it is understood that as an email marketer you must comply with GDPR if you are providing services or products to EU residents and citizens. But how? First, you need to check if the provider of your email service is GDPR compliant.

Then there are two other important factors: Consent language; and ways to ask for consent. Your language must be clear, straightforward, and easily comprehensible. Confusing terminology and legal jargon are best avoided. Be consistent across all channels and places where consent is collected.

An example of a well drafted consent would be a clear message like: “By checking this box, I agree to receive any personalized email marketing offer from [your company’s name] in accordance with [Company's] policy for data protection [give the link to your company’s policy]. I can unsubscribe from said messages by clicking the unsubscribe link at any time.”

You are telling them that by checking the box, you are gathering their information to send a marketing email, and that they are free to unsubscribe at any time. You may also want to use a double opt-in, meaning that the user will receive a confirmation message after signing up. The user’s email address can be validated by asking the user to click, or by the receipt of the message.

Things to do when requesting for consent

• Keep the consent request separate from the general terms and conditions as GDPR stipulates that consent cannot be a precondition for signing up for a service, unless it’s necessary for that service.
• Avoid using pre-checked boxes, or any other method that involves consent by default.
• Specify clearly why you are asking for the data and what it’s going to be used for.
• Give granular options for consent to operations that involve independent processing.
• Provide your organization’s full name and the names of all third parties involved.
• Options to withdraw consent or to allow an individual to refuse consent without detriment
• Seek parental-consent and age-verification when offering services to children directly.

Re-Permissions for GDPR

If your existing permission doesn’t quite meet the standards of GDPR, or is poorly documented, fresh consent that is GDPR-compliant will be required. You may have to adopt a different basis for processing, so you may need to stop adding new customers while deleting all existing data and creating new processes.

Some guidance on re-permission campaigns:

• Don’t send emails that simply ask for a consent or opt-in. Instead, remind customers of the benefits of your emails and for subscribers who haven’t been active recently, consider an offer.
• Send multiple re-permission mails over time containing different content, but at some point, you will need to stop emailing these customers so keep that in mind.
• Keep both “YES” and “NO” buttons in your emails which would allow you to exclude those who said “NO” in re-permission emails in future.
• Use other channels like Facebook to get re-permission by targeting the email list. The information contained in the re-permission ads is clear, concise, and transparent and incentives are offered. School of Life offers a 10% discount on its online store while HubSpot gives context while also asking for an opt-in.

Pepipost’s GDPR Compliance

Is Pepipost GDPR compliant?
Pepipost is prepared for GDPR and has updated its Privacy Policy. Our pledge to data protection and right of Individual data is top priority and we are taking steps to ensure that happens.

Has Pepipost certified under Privacy Shield?
No. But, Pepipost in currently in the process of getting certified under EU-US Privacy Shield. Once certified the information will be updated in our privacy policy.

Does Pepipost retain the content of the email I send? Is this compliant with GDPR?
No, Pepipost does not retain the content of the emails you send. Email packets most of the time remain in a transient state on Pepipost servers except for a few short-term caches which results from internal queues or message delivery failure. These caches are for a defined period while Pepipost retries to send the email. GDPR does not state a rule as to the length of time of retention of information, so this is completely compliant with GDPR.

Does Pepipost transfers/process the data outside of EU? If so where?
Pepipost is a global company and its platform and data is distributed across various data centers to provide high availability to our customers. But, keeping GDPR in mind, we have deployed a dedicated infrastructure in EU (Datacenter: DigitalOcean), to serve the EU customers locally. This infrastructure is completely isolated from the rest of our setup, to increase the privacy and data security level for all our EU customers.

Conclusion—GDPR is good!

We should keep in mind that GDPR is not just about businesses. It’s to protect the personal data of EU citizens! It is expected to reduce stale and/or redundant data, create more relevant prospects, and provide email marketers with a richer database of committed and engaged subscribers.

Disclaimer: The information provided here is only for better understanding of GDPR impact on email marketing and cannot be relied upon for any legal advice. You may consult your own professional advisors before taking, or refraining from taking, any course of conduct. By reading this article you indemnify Pepipost of any legal implications and cannot hold it responsible for any action pertaining to the information shared in this article.