Why understanding GDPR is so important
November 19, 2018
By David Fant
The shape of email marketing is changing. The push for privacy and for giving customers some form of protection changed in May 2018 with the implementation of the European GDPR (General Data Protection Regulation) law. If you do any email marketing, you had best know what this law contains.
The GDPR is the most detailed law that defines how you can send commercial emails to residents of the European Union (EU). Its geographic reach extends to ANY email or website that is accessible from any EU country. The law is detailed, complex and carries huge penalties if you violate any of its provisions.
Who does this affect?
Any company that has EU residents in ANY database it owns, or that collects IP addresses or places cookies on computers located in the EU.
What is the effect of the law?
Any company that has EU consumers in its database is open to extreme penalties for non-compliance with GDPR laws and regulations. Penalties can be up to 20 million euros, or four percent of your annual global turnover (whichever is larger). There are smaller penalties for minor infractions, but even those are in the 200,000 euro range.
How can you comply?
Compliance is based on how you capture the name and address. Basically, you can no longer rely on implied consent. A pre-checked opt-in tick box, or simply “assuming” that people have opted in by giving you their email address, is no longer valid. You must clearly state what you want their email address for and how it will be used.
And that consent is action-specific. If you ask for permission to send an individual emails regarding a specific product or service, you cannot use that list for other products or services that you are selling. If you do, it is a violation of the law and you will be fined if caught. In the same vein, if you capture information regarding ethnicity, marital or family status for your database, you must disclose all the information you are going to obtain and how it will be used. Members of your database have the right to have that information removed.
Customers must have the ability to withdraw their permission at any time. This is called “the right to be forgotten.” They also have the right to request what personal data you hold about them in your database. A request for removal from the database must be completed within 72 hours. Any request from a member of your database to know what data their record contains must be completed within 48 hours and delivered to the requesting party.
If you have a very large database of EU residents, you are required to have a Data Protection Officer who is specifically charged with tracking compliance, responding to requests to be forgotten, and maintaining file certification and compliance. The law does not define specifically what “large” means.
Keep in mind, this law does not require that customers have an .eu suffix on their email address. If they use Gmail or any other universal email service, they still fall under the regulations of GDPR.
What if there is a data breach?
If you have a data breach, you have 72 hours to notify your customers, as well as the governing authorities, of that breach. Failure to comply with this provision of the law will expose your company to serious fines.
There are many more details and regulations associated with the GDPR. This is not a law that you can ignore. The fines are steep, and regulators have already imposed fines and penalties on companies worldwide. My recommendation is, if you have EU residents in your database, get help. Make sure you are compliant.
David Fant is the owner of Marketing Mapping plus, LLC, a custom specialty and targeted direct marketing mailing list generator for direct marketing. www.marketmappingplus.com