Email marketing after GDPR is a tricky problem. If you’re a business owner, or you work for any type of company that has something to do with the internet, chances are you’re writing at least some emails daily. To make your digital marketing, and email marketing in particular, GDPR compliant, there are a couple of things you need to know about the implementation of the new General Data Protection Regulation, or GDPR, by the European Union.
First adopted in 2016, the set of regulations will fully go into effect in all 28 member states of the Union on the 25th of May, 2018. The GDPR’s main role is to give European citizens better control over their data privacy. The new rules will affect most businesses, whether they are based in Europe or anywhere else in the world, as long as they use or handle the personal data of European customers.
While many things are changing regarding the use of personal data by marketers, e-commerce platforms, bloggers and freelancers, all of them risk substantial fines if they are found to be violating what the new law stipulates. Even people who are already familiar with the law and its risks may still be completely baffled about what they can do to make sure they are in line with the GDPR.
If you work with email, whether as an email marketer or in a similar role, this article lays out the key points of the new data protection law, including the terms and values of the regulation, its concrete consequences for email and email marketing, and what you need to do to be ready for its entry into force in May.
Simply put, the GDPR is a European law protecting the personal data of EU citizens who use the internet on a day-to-day basis. According to the document released by the European Parliament, the definition of “personal data” is the following:
“By personal data, we are referring to data that a natural person, or a person who is identifiable, identifies with, directly, or indirectly, by the aforementioned data. This includes age, profession, email address and gender, which are all falling under the description of the term “personal data” as used in the GDPR law” – GDPR of the EU.
Basically, the whole point of the new regulation is to lay out the rights of the data subjects, that is, the people whose personal data is handled by companies, along with the new set of responsibilities of the companies and organisations that work with that data.
We’ve condensed the main thrust of the new GDPR into 8 points, which will help you clearly understand what the new regulation is all about.
1. The previous definition of personal data was extended to cover everything that enables a company or an individual to identify a person;
2. If you are a service provider, or even a subcontractor, such as a web hosting firm or a cloud management software provider, you may be held accountable if something goes wrong;
3. The main thrust of the new law is to reinforce the protection an individual has, as well as their rights, including access to and consent for the use of their personal data;
4. Businesses that handle sensitive information must be fully transparent about customers’ rights, especially when customers ask to restrict access to, modify or delete their personal data;
5. Beyond complying, businesses need to communicate clearly with their customers about how they plan to use the personal data they provide;
6. Individuals will be able, without much difficulty, to end their relationship with a company and ask for the complete deletion of their personal data as soon as possible;
7. Major businesses operating large databases, as well as smaller ones, need to inform their clients if they suffer any kind of data leak, breach or hacking attack;
8. Finally, to avoid problems, companies are obliged to put preventive measures in place to better protect their customers’ personal data.
If your company is found to be violating the new GDPR rules, you may be fined between 2 and 4 percent of your company’s total revenue, or up to 20 million Euros if you are found guilty of a more serious violation. Here’s the whole text of the regulation; take your time and read it at least once, as it might save you a lot of trouble!
As an email marketer or an email marketing firm, the main thing you need to be aware of in order to comply with the newly introduced GDPR is the new definition of consent, or what we call “opting in”. After you have asked an individual for consent to process their personal data, they must give it freely, in the form of a clearly stated “affirmative action”, as stipulated in the law.
In other words, opting in needs to be a real part of the process, not a minor step you sometimes ask for when handling people’s personal data, as the GDPR implies. As a business, if asked, you will be required to show proof that the client affirmatively opted in to your use or processing of their personal information.
In the past, you could do everything described above with a simple passive opt-in: every time you asked an individual for personal data, their agreement to your firm’s use of that data was assumed by default. For example, a pre-checked checkbox would be placed at the end of the form, and the user would have to uncheck it if they did not agree with the terms.
The GDPR also does away with the opt-out. Think of all the email marketing offers that arrive in your inbox even though you never signed up for some of them. That is what the opt-out is: adding clients to a contact list to be used as the firm sees fit, without asking for their consent, just because they signed up for something on your website. That, too, is gone from May 2018.
If you have collected addresses from people without asking them first, you will not be allowed to keep using those emails collected through the opt-in/opt-out system. If a customer is not presented with a consent form, or declines to provide an affirmative action, you are simply breaking the law if you send them any emails or use their addresses for promotional campaigns and the like.
To summarise, to comply with the GDPR you will only be permitted to use 100% opt-in email lists for your email marketing. Even a list built with pre-checked opt-in boxes might be unusable from May 25th, because the law requires proof of that affirmative action to be available to the customers, and to the law, should any of them ask for it.
Are your contact lists GDPR-friendly? If yes, then all you have to do is ask for consent, and you’re set. If not, you should do your homework and see whether you can bring the lists you have, as well as the tools you use in your everyday operations, in line with the law. If you respect your customers’ rights and don’t try to violate them on purpose, you will generally be fine and stay out of trouble.
The rules are simple: if you or your company handles the personal data of a European Union citizen, you are automatically subject to the regulation, no matter where on Earth your business is located. This makes freelancers, bloggers and especially email marketers some of the first people the GDPR is designed for.
Emails in your company’s database let you identify certain customers, which means you can individualise and localise certain people, which in turn means the data you hold counts as personal data. To protect the customer, the new GDPR asks some organisations and companies to appoint a “data protection officer”, or DPO. Those required to do so are:
- Private companies whose work consists solely of daily and systematic data processing;
- Private companies handling data considered sensitive, for example data relating to criminal convictions, charges or lawsuits;
- All public companies.