The General Data Protection Regulation was adopted in April 2016, and it will come into effect on May 25, 2018. Ever since its adoption in 2016, it has been a hot topic in business circles, and as we’re moving closer to May 25, everybody is talking about it even more.
And rightfully so, as the GDPR will set a high bar for global privacy rights and compliance.
The GDPR is a privacy law approved by the European Commission. It is a binding act, which means that it must be followed throughout the EU. The GDPR is an attempt to strengthen, modernize, and harmonize EU data protection law. Its goal is also to enhance individual rights and freedoms consistent with the European understanding of privacy as a human right.
Not complying with the regulations will result in huge fines. The fines can go as high as 20 million euros or up to 4% of the total worldwide annual turnover of the previous financial year, whichever is higher. As you can see, not complying is not an option.
As its name would suggest, the main focus of the GDPR is to regulate how individuals and organizations may acquire, use, store, and erase personal data. No doubt it will have a major impact on how businesses operate worldwide.
At Automizy, we’re excited about the changes it brings to provide more protection for personal data. We’re developing new features to help you fulfill every requirement and we’re here to help if you have any questions.
In this article, we’ll take a look at the most important GDPR requirements for email marketers, which companies are affected by it, and what changes are coming to Automizy that will help you fulfill these.
Which Companies Are Affected by GDPR?
Any company that handles the data of citizens of the European Union. So, even if you have 1 subscriber from the EU, you’ll have to comply.
This also applies to your partners and subcontractors who have access to the data of your subscribers. They must be compliant, too.
The Most Important GDPR Requirements for Email Marketers
The General Data Protection Regulation is a complicated law consisting of many principles. Here you can access the final version of the Regulation that was released on April 6, 2016.
In the following, I highlighted the most important points from an email marketing perspective.
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
You’ll need to obtain explicit consent from your subscribers and contacts for every usage of their personal data. Separate consent must be obtained for different processing activities, so you must be clear about how the data will be used when you get consent.
For example, say you have a lead magnet people can download after giving you their name and email. You’ll have to clearly define what you’ll use this data for and handle the data accordingly. If they didn’t agree to receive newsletters, you can’t send them any newsletters.
We released our GDPR-friendly forms. These forms let you get and document subscribers’ consent entirely in accordance with the regulation.
In Automizy, we already store all the consent related data about your subscribers on their profile page, like IP address, timestamp, and types of newsletters allowed.
Right to be Forgotten / Right to Erasure
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”
Individuals will be able to request the removal of personal data when there is no compelling reason for that data to remain and be processed. This request can also be made when data wasn’t processed in compliance with the GDPR requirements or when a subscriber withdraws their consent.
You can delete any subscriber from your Automizy account. When you click the delete button, Automizy will erase all data related to that particular subscriber.
Right to Rectification
“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”
An individual may request that incomplete data be completed or that incorrect data be corrected.
This means that if you have incomplete data about your subscribers, they have the right to ask for that data to be completed.
Or if you have incorrect data about your subscribers, they have the right to ask for that data to be corrected.
We’re developing GDPR-friendly data modification forms. You can send these out to your subscribers, and they can complete or correct their own personal data.
Right to Object
“The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”
Individuals may prohibit specific uses of their personal data. This means that your subscribers have the right to forbid the use of their data for particular purposes.
We developed subscriber Preference Pages. You can put a link to these Preference Pages next to your unsubscribe link. Your subscribers can opt out of your specific lists on these Preference Pages.
Right of Portability and Access
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…”
After GDPR comes into effect, your subscribers will have the right to request to see which of their personal data is used. The reason behind this right is to let your subscribers “verify the lawfulness” of particular data uses.
The “in a structured, commonly used and machine-readable format” part means that you have to be able to provide this data in a format that is easily accessible by the subscriber, like .txt, .doc, etc.
We’re developing a special Export function for this regulation. You’ll be able to export all the data you have on a subscriber from the subscriber’s profile page. You can use this feature to download all data about one particular subscriber to a text file in machine-readable format and send it to them if they request access.
“Personal data shall be: …(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)…”
The problem with this regulation is that the GDPR doesn’t go into more detail about the definition of “relevant”. The goal of this principle is that all data stored should directly serve the purpose of the data processing you were given consent to carry out.
Complying with this principle is the data controller’s responsibility. Apply common sense and don’t collect and store data that doesn’t serve a clear purpose for your business. If you’re selling shoes, you don’t need your customer’s social security number.
As we’re closing in on May 25, when GDPR comes into effect, you’ll have to do everything you can to comply with these regulations. Otherwise, you’re subject to massive fines.
At Automizy, we’re doing everything to help make this transition smoother for you, both in terms of features and support. Feel free to ping us either on chat or via email.
Disclaimer: This is a summary of the most important GDPR requirements for email marketers. I’m not a legal professional. So I recommend that you consult with a lawyer who specializes in data privacy and protection.
Register a free Automizy account and we’ll help you fulfill these GDPR requirements!
I’m the Head of Marketing @ Automizy.
I started out in the marketing startup world right after graduation and since then it’s been a blast to navigate in these waters.
After work, I love playing basketball and traveling.