Maria Wąchal created

If you’re dealing with customers who are european citizens you probably already heard of GDPR. The upcoming legal change will affect how you handle data you collect and how you communicate with your european customers.

This may significantly impact your current digital strategy.

You should prepare your business before the law comes to force.

To help you make sure you’re “GDPR-ready”, we are describing essential elements of the upcoming privacy regulations.

Grab a free ebook now!

Many GDPR aspects are still open to interpretation and it leads to misleading information chaos. Our eBook will help you demystify GDPR! You’ll receive a link to the download at the address you provide below.

What is GDPR?

GDPR, the General Data Protection Regulation (full text here) embarks on the rights of EU citizens with respect to how their personal data is used, processed, and shared, regardless of where processing activities take place.

The law becomes effective on 25th of May 2018 with the aim to strengthen and unify data protection for all individuals within the European Union

From a marketing perspective GDPR is all about obtaining the specific detailed consent for all of the personal data your business is using and being transparent about how you handle your customers data.

What exactly is personal data?

Personal data means any information which allows you to directly or indirectly determine customer’s identity. It can be a name, email address, phone number or a photo or social media post, etc.

Source: http://ec.europa.eu/justice/newsroom/data-protection/infographic/2017/index_en.htm

Why is GDPR so important?

Only 15% of people feel they have complete control over the information they provide online. This causes distrust and frustration which hold back business growth. One set of rules for all companies processing data in the EU aims to prevent it.

How will GDPR impact marketing?

TL;DR: Consent has to be freely given, specific, informed and unambiguous

According to GDPR, consent to marketing communication should be as clear and voluntary as possible. Obtaining consent "as soon as possible, the easiest way, preferably with a single click", is not effective, and in the face of stricter legal regulations, prohibited.

By sending email newsletters while generating leads you aim to speak to people who want to hear from you. This is why the email communication channel is so effective.

To make sure you only collect valuable subscribers and leads who gave consent to join your email list, use the double-opt-in method. All of your subscribers must give their explicit permission to receive commercial email messages from you.

According to GDPR consent must be:

  • Freely given - the person has to make a statement (including ticking a box) or performa a clear affirmative action when agreeing to receive marketing communication from you
  • Specific - consent has to be unbundled from other terms and conditions and you will need separate consents for separate purposes
  • Informed - both the request for consent and consent itself has to be explained in clear language that anyone could understand
  • Unambiguous - the request for consent has to be clear and not open to more than one interpretation

TL;DR: Companies have to take appropriate measures in order to protect personal data

GDPR law is introducing two important standards for digital marketers: privacy by design and privacy by default.

Privacy by Design

This standard means you must put technical and organisational measures to minimise personal data processing. Wherever possible, identifiability of personal information of your customers should be minimized by the encryption of the processed data.

Following “privacy by design’ look at data privacy during every stage of all marketing projects by taking into account the nature, purposes, context, and scope of the data processing and their implications.

Privacy by Default

GDPR introduces the data minimisation principle which means you only process data that are necessary, to an extent that is necessary, and you must only store data as long as necessary.

Also the consent you have obtained is valid only for the purpose of which it was obtained for. In other words you can collect only relevant data for a specific purpose.

TL;DR: The amount of information that you will have to provide when obtaining consent increases significantly

GDPR puts a great emphasis on the fact that the person providing his personal data is fully aware of it and agrees to it voluntarily. Therefore, the process of obtaining consent should be as transparent as possible.

Before someone agrees to receive marketing communication from you they have to be informed about:

  • your identity and your contact details;
  • the contact details of the your data protection officer (just enter their email address);
  • the purposes for which you will process the data obtained;
  • the legal basis of the processing (expressed consent or appropriate law);
  • information on whether you will pass the personal data to another entity;
  • information if you intend to transfer personal data outside the European Union (eg. to the US when you upload data to non-european ESP or Facebook);
  • information about how long the data will be stored;
  • information about the right to request access to personal data, rectification, deletion or limitation of processing;
  • information on the right to transfer the data to third parties (you must check if they are GDPR compliant or not);
  • information that the consumer has the right to file a complaint;
  • information about the possible consequences of not providing the data;
  • information whether you intend to use data for profiling, and if so, what the consequences are for the user.

TL;DR: New and strengthened individual rights requires the honesty and lack of deception from organisations dealing with customer data

GDPR provides consumers with a wide array of rights. The following two consumer rights are the most important for digital marketers:

  • the right to be forgotten - your customers can opt-out at any time and you should delete their data from your database permanently
  • the right to data portability - your customers can demand a copy of the data you’ve gathered on them

Other rights introduced by GDPR are:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to restrict processing;
  • the right to object;
  • the right not to be subject to automated decision-making including profiling.

TL;DR Data breach notification is required

You need and absolutely must have a data protection breach plan in place. Regardless if you have been subject to one or not in the past every company that retains data on EU citizens needs to have an effective plan in place.

Should a breach occur you are legally required to notify the relevant authorities within 72 hours of the breach.

That notification needs to include all the specifics of the breach including the type and nature of the data affected, the categories and numbers involved of that data, possible consequences of the breach and the steps or actions required to fix the problem.

How should marketers prepare?

First of all you should audit your current data and check the sources.

If you are complying with the current rules and using double opt-in already, you don’t need to do much more to comply with GDPR. However there are a few things you have to adjust.

Until now you were allowed to opt-in customers to receive communication from you by using, for example, pre-ticked boxes to obtain consent. GDPR changes this and this way will no longer enable you to contact customers for marketing purposes.

Under GDPR marketers will need to prove how they have obtained consent, so they can demonstrate compliance with the new privacy law.

This requires keeping clear records of what your individual customer has consented to, and when and how this consent was obtained.

The easiest way to do it is to keep a document where you will include how you have obtained consent, the types of data you store, the ways you protect the data and the information about the data administrators.

What if you didn’t acquire compliance before?

You have to ask your subscribers to resubscribe. You can take a look here at how Manchester United Football Club did this. 

Wrap up

GDPR introduces more transparency between organizations who collect and control the data and the individuals whose personal data is being collected. It’s a great opportunity to:

  • follow the permission marketing rule and collect more valuable subscribers which will impact your list quality and boost your email program results;
  • be more transparent about how you handle your customer’s data which will increase your brands trust.

Additional resources

Related entries

Email marketing according to GDPR

Confirmation messages in the double opt-in model

[#infographic] Email Marketing Trends 2017 from Industry Leaders

Safe Harbour ends, so what next?

Follow us