The clock is ticking on the impending update of the EU’s data protection laws, set to change May 25th, 2018, and there’s no time like the present to begin making the necessary adjustments and avoid stress later. The GDPR’s updates will directly impact your email marketing efforts in more ways than one, so to bring you fully up to speed, here is a concise list of everything to look out for and how you can avoid steep penalties.
Arguably the most meaningful aspect of the GDPR for digital marketers is the new regulation on consumer opt-in permissions. Essentially, these new regulations boil down to a demand for an increased level of data transparency when it comes to a consumer’s expressed consent to receiving your marketing materials. The updated definition of consent under the GDPR is that it must be freely given, informed, specific and unambiguous.
The real pain point for marketers in this regard will be proving this expressed consent, which will be necessary in most cases. So even if you have built up an email list of somewhat engaged followers, you will need to reach out and receive additional consent if you don’t have their initial consent on record.
This will also spur the need to create more comprehensive consent forms and record-keeping systems, as well as an easy way for users not only to unsubscribe from your messaging, but also to have their prior info completely removed from your system.
Unlike the current EU data regulations, the GDPR will now apply to anyone handling an EU citizen’s data, even if it’s a firm operating outside of the EU. Those who fall into the expanding net of the GDPR are vulnerable if they use the language or currency of one or more of the EU member states on their site with the possibility of purchasing goods or services there, or if they simply place cookies on EU members’ browsers.
This means wherever you are, if you’re marketing to EU member countries you are left with no choice but to conform to the new regulations or you could be tagged with the GDPR’s hefty fines. The maximum penalties for data violations will increase 5x from a maximum of €4m to €20m, and 4% of your annual worldwide turnover. Certainly nothing to take lightly.
Data Breach Notifications
Once the GDPR is put into effect, you are henceforth held responsible for notifying the Information Commissioner’s Office (ICO) within 72 hours of learning a data breach has taken place. If it is discovered you knew of a data breach and failed to notify the ICO within that window, you are liable for fines and penalties.
There is a difference between “serious” breaches and minor breaches, and they will be dealt with differently. It’s also important to note that notification does not need to be made if the breach will most likely not result in risking the rights and freedoms of your recipients.
Not only are you expected to implement these various data protection procedures under GDPR, you also need to make them clear to your users by including them in your privacy statements. You will be required to include your name and contact details, your intention to use the data for marketing purposes, how it will be stored, the details on their right to opt out, their right to access or move their data, and their right to have their data completely removed. Of course, in order to include these details in your privacy statements, you will need to ensure you have processes in place which can achieve all of these goals.
Now that you’re caught up on the key points of the upcoming change in the EU’s data protection laws, you may be wondering what the next steps should be. Here are a few things you may need to get moving on so you can be sure that you don’t wake up in a cold sweat the night of May 24th, remembering you haven’t made any changes.