With just five weeks to go until the General Data Protection Regulation comes into effect, there’s a lot that marketers need to consider. From validating email contacts to updating privacy notices and opt-in forms, all of it falls under the new EU law, which aims to protect the data and privacy of all individuals within the European Union.
In this first part of a series on interactive content and GDPR, we look at how the GDPR changes will affect marketers, and at the tips marketers need to prepare themselves for what may be one of the most significant changes to the regulatory landscape of data privacy.
Why is the GDPR presented now?
It’s no secret that personal data has become one of the most valuable commodities in the world.
In a changing digital landscape, companies don’t just collect data directly from a form. Instead, they are increasingly collecting it through other means. This could be tracking people’s behavior online or by combining data from various locations. It could also be through algorithms to analyze a variety of data such as social media, location data, and records of purchases.
Users’ data is therefore vulnerable to misuse, and many users demand to know what happens to their data in the hands of companies.
Where do companies store data? Who has access to it, and what’s the purpose of keeping it? These are all factors included in the new and substantial EU legislation. Now companies must ensure transparency and honesty when handling personal data. If companies fail to comply, they’ll be held accountable through hefty fines.
The purpose of the legislation is to give users the power to control the digital footprints they leave behind.
What is the GDPR?
The GDPR’s primary aim is to give control back to Internet users over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Data Protection Directive
The current regulation, the 1995 Data Protection Directive, is only a directive. This means companies can opt out. The GDPR, by contrast, is a legally binding regulation, meaning companies can’t opt out and face fines if they fail to comply.
But what exactly counts as personal data? The European Commission defines personal data as the following:
“…any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
The extensive legislation comprises eight primary areas: increased territorial scope, penalties, consent, right to access, breach notification, right to be forgotten, data portability, privacy by design, and data protection officers.
The increased territorial scope is what makes the legislation unique. The GDPR applies to the processing of personal data of individuals within the EU, regardless of whether the processing takes place in the EU or not. This means companies outside the EU that process the data of EU citizens will have to comply with the law. Failing to comply can result in severe penalties, up to ‘4% of annual global turnover’.
How GDPR impacts marketers
GDPR is a complex and drastic change for the online sphere and will affect how companies gather and process personal data. For marketers, it’s important to keep in mind that the overall message through the legislation is transparency and honesty in handling personal data.
Below, we focus on three key areas marketers should put their attention to: data permission, data access and breach notification. You can take our 5-question quiz below as well to test your knowledge.
1. Data permission
Consent is now something you must master as a marketer. From the 25th of May, 2018, companies can no longer send promotional material to contacts who did not specifically request to receive marketing materials.
GDPR Email Opt-Ins
That’s right. Data permission includes strict rules on how you manage e-mail opt-ins.
The biggest change is how you obtain consent. Companies must inform contacts, in plain language that is clear and easy to understand, what they are opting in for. Not through legal jargon that no one understands.
Further, you need to ensure that contacts provide an unambiguous consent through a ‘clear affirmative action’.
That means companies can no longer use pre-ticked opt-in boxes, and consent must be separate from other terms and conditions.
You must also make sure your customers who opt-in can withdraw their consent at any time. You will need to make sure you inform people about this right, as well.
In addition, it’s important to explain which organizations and third-party controllers will have access to information. (See how Dot.vu is working to comply with GDPR standards.)
Finally, you must keep clear records of the consent given and be able to demonstrate it. This includes who/when/how/what you informed people.
To meet these demands, many companies have resorted to offering multiple opt-in options, so people can choose what type of content they will receive.
Check out this checklist to make sure that you comply with the new GDPR standards!
- Use a positive opt-in, not pre-ticked boxes or any other method of default consent
- Make sure to include an explicit consent, meaning a clear and specific statement of consent
- Inform that people can withdraw their consent and explain how
- Keep evidence of consent: who, when, how, and what you told people
- Use clear, plain language that is easy to understand
- Mention the organization and any third parties who will be relying on the consent
Now that you’ve got this, let’s move on.
What to do with current contacts?
The reason many marketers are frustrated is that they need to review existing email contacts. They have to check if the consent mechanism used to obtain these contacts meets the GDPR standard.
Take a moment and sob.
This means you must make sure that all of your current email contacts were obtained with an “unambiguous consent”. Did contacts sign up through a “clear affirmative action”? Did they know exactly what they were signing up for? Did the company also explain in plain English what the data would be used for, and how to opt out? Yikes!
If all your email contacts were obtained through an opt-in without pre-ticked boxes and it was clear what people were opting into (like opt-in to our weekly newsletter), you don’t have to panic.
But if you’re not sure, you should take action.
Try to find out which of your contacts you obtained in ways that meet the new GDPR standards, and which you didn’t. Any contacts you’re in doubt about should go into your ‘do not have GDPR permission’ category, as the fines for failing to meet the rules are expensive.
For the email contacts in the ‘do not have GDPR permission’ category, you can still send emails until the 25th of May and try to refresh their consent by inviting them to opt in again under the new standards.
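As an added illustration (not code from the original post or from the Dot.vu platform), this Python sketch stores the who/when/how/what evidence the checklist above asks for and sorts existing contacts into the two categories described in this section; every field name, the `meets_gdpr_standard` rule and the sample addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence of consent as the checklist requires: who, when, how, and what."""
    contact: str                 # who gave consent (constructed sample ids below)
    given_at: datetime           # when it was given
    method: str                  # how: e.g. "web_form", "event_card", "checkout_form"
    purposes: tuple              # what they were told they opted in to
    affirmative_action: bool     # contact actively ticked/clicked (no default consent)
    pre_ticked: bool             # box was ticked in advance -> not valid consent
    withdrawal_explained: bool   # told they can withdraw, and how
    third_parties_named: bool    # organisation and third parties relying on consent named


def meets_gdpr_standard(rec: ConsentRecord) -> bool:
    """Apply the checklist: a missing element means consent cannot be demonstrated."""
    return (rec.affirmative_action
            and not rec.pre_ticked
            and len(rec.purposes) > 0
            and rec.withdrawal_explained
            and rec.third_parties_named)


def categorize_contacts(contacts: List[str],
                        records: Dict[str, ConsentRecord]) -> Dict[str, List[str]]:
    """Sort contacts into the two categories; a contact with no evidence at all
    is treated as 'do not have GDPR permission' (when in doubt, exclude)."""
    result = {"gdpr_permission": [], "do_not_have_gdpr_permission": []}
    for contact in contacts:
        rec = records.get(contact)
        key = "gdpr_permission" if rec and meets_gdpr_standard(rec) else "do_not_have_gdpr_permission"
        result[key].append(contact)
    return result


# Constructed sample data (not real contacts or records).
SAMPLE_CONTACTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
SAMPLE_RECORDS = {
    # clean positive opt-in to a named purpose, withdrawal and third parties explained
    "alice@example.com": ConsentRecord("alice@example.com", datetime(2018, 3, 2, tzinfo=timezone.utc),
                                       "web_form", ("weekly_newsletter",), True, False, True, True),
    # pre-ticked box at checkout, nothing explained -> fails
    "bob@example.com": ConsentRecord("bob@example.com", datetime(2017, 11, 20, tzinfo=timezone.utc),
                                     "checkout_form", ("weekly_newsletter",), False, True, False, False),
    # signed a card, but no record of what they were opting in to -> fails
    "carol@example.com": ConsentRecord("carol@example.com", datetime(2016, 6, 1, tzinfo=timezone.utc),
                                       "event_card", (), True, False, True, True),
    # dave@example.com: no consent record at all -> 'do not have GDPR permission'
}

if __name__ == "__main__":
    print(categorize_contacts(SAMPLE_CONTACTS, SAMPLE_RECORDS))
```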
2. Right to be forgotten
The right to be forgotten is also known as Data Erasure. It entitles the contact to require the company holding their personal data to erase it, cease further dissemination of it, and potentially have third parties halt processing of the data.
After receiving a request, the company needs to provide information on the action it will take within 30 days. Under special circumstances, the deadline can be extended by up to 60 days, depending on the complexity of the request.
As a marketer, it will be your responsibility to make sure that your users can easily ask to see what data your company holds and to remove their consent.
This can be as easy as including an unsubscribe link in your email marketing newsletters, allowing users to manage their email preferences. It can also mean navigating through piles of data in your systems, searching for consent, and deleting information from multiple locations.
The best solution is to have a single platform or CRM system that hosts the consent record for all users together with their personal information. It makes it easier for you to keep track of all your permission data and stay GDPR compliant.
Step by step: what to do when receiving a data erasure request:
- Confirm you have received the request and explain what will happen next.
- Locate the personal data and identify all processors and third parties that may hold that data as well.
- Notify all identified third parties that have access to the personal data to remove the data completely from their records and confirm the erasure.
- Remove the personal data from your records.
- Inform your contact of the data erasure.
3. Access request
The GDPR includes the right for contacts to receive confirmation as to whether or not a company is processing personal data concerning them, including information on where and for what purpose. The company should also provide a digital copy of the personal data, free of charge. Companies should process these requests within 30 days.
4. Right to data portability
Data portability is the right for a contact to receive the personal data, which they have previously provided to a company, in a digital format, and the right to forward that data to another company.
5. Breach notification
The GDPR includes a requirement that companies holding data must notify their country’s supervisory authority and customers of a personal data breach ‘without undue delay’ and within 72 hours of learning of it.
As a marketer, it’s your responsibility to ensure there is a breach plan in place and/or familiarize yourself with it.
Disclaimer: This website does not include legal advice for your company to use in complying with EU data privacy laws like the General Data Protection Regulation. Instead, it provides information to help you better understand what can be done on the Dot.vu platform to comply with the law. This information isn’t legal advice and we encourage you to seek a professional lawyer’s opinion when referring to it. To be clear, this information is in no way a recommendation or any expression of legal understanding. This page does not list all the regulations within the GDPR, and it’s important that you make sure your company meets all the legal requirements of the GDPR.