GDPR And Your Business
by guest blogger Russell Ventura
If you have not heard about GDPR or are unsure of what it is, I will start with a quick introduction to the new regulations from the EU that will come into law across Europe from May 2018. GDPR, or General Data Protection Regulation to give its full name, is an upgrade and replacement of the current EU E-Privacy Directive.
Why did we need a new policy?
It has been created to replace the policy currently used by the 28 separate EU member states, to resolve issues and apply a single standard where each EU member has its own separate email laws.
It will have a DIRECT effect on your marketing strategies where you hold, use or have collected data which the business uses to contact anyone for commercial purposes, such as newsletters, product or solution updates etc.
Current data collection techniques employ less transparent methods of acceptance, where a visitor must tick boxes, or where the lack of an “opt-out” button grants the collector (your business) permission to contact them or use their data for other commercial purposes, should they wish to download any article, PDF or whitepaper from the site they are visiting.
Before your visitor is allowed to download the article they are interested in, they have to provide contact details, which they “kind of” give the collector permission to use for commercial purposes, i.e. sales or product updates, subscription to newsletters etc.
What changes does the GDPR involve?
The GDPR policy states that your business has to be 100% transparent about the reasons you are collecting the contact data, and give the user full control over what is collected, how it is collected and what it can be used for.
The principle is that the visitor can then make an informed decision about allowing the data they provide to your business, in return for the article they want to read, to be used for something they understand and agree to.
The policy also provides the visitor with the right to be forgotten, so that no future contact is permitted. You may feel that we already have this with the “unsubscribe” feature, but many do not enforce this policy, and even after unsubscribing, you still receive unwanted sales emails and offers.
GDPR effects on email marketers
This will have a direct impact on businesses that use the personal data of any EU citizens and have current or future email subscribers. You may think that Brexit will allow an exemption from compliance, but if your business deals with anyone in the EU following Brexit, you will still have to comply with the regulations.
When your visitor chooses to subscribe, or ticks that all-important box, they currently are not 100% sure what they are providing consent for.
The GDPR policy is designed to require SPECIFIC, INFORMED and UNAMBIGUOUS consent to the use of the data, and to exactly what it will be used for. You will no longer be protected by the assumption that silence from the visitor grants you permission to send emails to this contact.
Permission, and the opportunity to say NO or opt out of having the email address used for commercial purposes, MUST also be clearly visible.
What about my current contact database?
This is another area where you must be prepared to provide resources for review. The contacts in any email databases you use for commercial purposes will have to be contacted to gain written consent for their continued use, along with an opt-out choice.
You will have to generate a re-permissioning campaign (asking existing subscribers to re-confirm in a way that complies with the new GDPR policy).
What happens if someone makes a compliance complaint?
If you are challenged about GDPR conformance, you must first provide evidence that the subscriber granted you permission in compliance with the policy. The burden is on your business to provide and keep evidence to support your claim of permission, and compliance failure could result in penalties of up to 10 million euros.
I understand but I didn’t know about the new policy, what can I do?
I doubt that the claims handler will have much sympathy for this defence, as this policy was passed through the EU in 2016 with a timeline for businesses to prepare for legal compliance after May 2018. A 2-year timeline to make all the arrangements for your business processes to be updated is felt to be sufficient time to become compliant before the law is enforced.