In May 2018, the General Data Protection Regulation (GDPR) will come into effect. The new legislation will impact any business or organisation that uses personal data belonging to EU citizens.
If you conduct any form of email marketing for your business, that includes you!
But what is the GDPR and how will it impact your marketing efforts?
What is the GDPR, and is it bad news for email marketing?
Let’s answer that second question first. No – the GDPR is not bad news for email marketers, nor should it be seen as an inconvenience. On the contrary, it is designed to protect both data owners and users of such data.
The GDPR has taken four years to draft and will replace the outgoing Data Protection Act 1998. It brings data protection legislation up to date and aims to be a worthy companion for the new and previously unforeseen ways data is used in the digital age.
A great deal of the Data Protection Act remains in the GDPR, but the new legislation introduces tougher non-compliance fines and gives people a far greater say over what organisations can do with their data.
Once the GDPR comes into effect, businesses should be clearer about what they can and can’t do with personal data, and there’s a good chance that people will be more inclined to offer their data to businesses if they’re confident it’s less likely to be misused.
Perhaps most importantly, the new regulations should result in cleaner, more relevant data. From an email marketing perspective, that’s fantastic news, because it will encourage us all to judge our subscriber lists by their quality as opposed to the quantity of sign-ups.
How will GDPR impact my business?
In a draft guidance article published by the Information Commissioner’s Office (ICO), seven changes to the way businesses must collect, handle and store data under the GDPR have been listed. They are as follows:
- Unbundled. Consent should be sought separately from other terms and conditions, in order for individuals to see clearly what they’re signing up to.
- Active opt-in. Under GDPR legislation, pre-ticked opt-in boxes are not a valid form of consent (finally!).
- Granular. If personal data is to be used in a number of ways, the ICO recommends that organisations ask for separate consent to each, to give the data owner as much control as possible over how their data is used.
- Named. Data owners should always be informed of who the organisation is and, likewise, the names of any third parties with whom the data will be shared.
- Documented. Consent must be fully recorded and contain what the individual has consented to, the method of consent and what they were told at the time.
- Easy to withdraw. Data owners should always be able to withdraw their consent and be able to do so via a simple, fast method.
- Freely given. Consent must be freely given (not forced) by individuals.
What happens if I don’t comply?
Failure to comply with GDPR legislation will likely result in a fairly hefty fine. The GDPR states that companies in breach of the rules will be fined 4% of turnover, or €20 million – whichever is greater.
Individuals can also bring their own lawsuits and make compensation claims in the event of a data breach.
If that isn’t enough to convince you that the GDPR is something your business must abide by, it’s worth considering the potential brand damage that could result from non-compliance, too. Data security is high on most people’s agenda, and one slip can land you in very hot PR water.
We’re a little way off the GDPR legislation coming into effect, but there’s no time like the present to start readying your company for its arrival.
According to experts, businesses need to demonstrate ‘privacy by design’, which simply means storing data in a pseudo-anonymised way and building protection directly into processes and policies.
Thankfully, the good folk at the Direct Marketing Association have prepared a fantastic series of guides and webinars that teach organisations how to prepare effectively for the GDPR. Check them out and start your own preparations today.
This post is for information purposes and is not legal advice. We advise you to speak to your own legal advisors to find out what impact the GDPR will have on your business and what action you need to take.