By Mark Vogel
President, Vogel Marketing Solutions LLC
March 28, 2018
GDPR stands for General Data Protection Regulation. It is a regulation in European Union law on data protection and privacy for all individuals within the EU, and takes effect May 25, 2018.
WAIT! Before you click out of this article – because your business isn’t located in the EU – read on!
This law affects ANY business ANYWHERE in the world that stores data on an EU consumer. Can an EU resident make a purchase or download on your e-commerce site? Can they sign up for your e-newsletter? If your organization violates GDPR, you could be fined up to $22 million, or 4 percent of your annual revenue (whichever is greater).
Most marketers in the US are familiar with this country’s CAN-SPAM Act, and most legit and ethical businesses follow the guidelines – easy unsubscribe process, no deceptive subject lines, street address in the footer of all messages, etc.
What many US-based marketers may not realize is that the laws in other countries are far stricter than in the US, and with far higher penalties for violations.
Canada's Anti-Spam Law (CASL) is one of the toughest laws of its kind in the world and requires that you receive consent before sending a commercial email. If you don’t comply, you are at risk for serious penalties, such as criminal charges, civil charges, personal liability for company officers and directors, and penalties up to $10 million.
In Australia, the Spam Act gives the Australian Communications and Media Authority powers to search premises and seize equipment where the Act is breached, and to impose and enforce penalties. The Act also allows for forfeiture of profits derived from spam, and payment of compensation to spam victims. Penalties for breaching the Act include fines of up to $1.7 million per day.
While both of these laws, and others, may provide some “loopholes” for business-to-business email marketing, GDPR extends the same level of protection to business inboxes as it does to personal accounts.
There has been a great deal of media coverage lately about privacy, and who owns your personal data. Facebook is the highest-profile entity embroiled in this debate, but businesses of all sizes often utilize data to send relevant messaging to their target audiences. If you sell products online, it’s easy to follow up with an email that says “Since you bought Product X, you might like Product Y…”
Advanced technology like cloud computing has intensified the focus on data protection. GDPR is intended to ensure continued, stringent protection and enforcement, and to simplify the regulatory environment for global organizations.
What Type of Data is Affected?
GDPR is not an anti-spam law, specifically. It covers a wide range of data points. “Personal Data” is broadly defined by the GDPR as any data that allows for the identification of an individual, directly or indirectly. Obvious data points include name, address, birthdate, gender or government identification number, as well as IP address, location data, financial and purchase histories, genetic and biometric data, and much more.
What if you have an opt-in e-newsletter, with little or none of the above data? Is a simple email address affected by GDPR regulations? Yes. Email addresses, as well as engagement-tracking data such as open and click history, are included in the definition of personal data.
What Should You Do?
It’s all about documentation. You must have policies on how you are handling personal data: where it resides, how it’s used and who can access it. Your company must have a clear definition of personal data and must know exactly where that data is located. Many businesses store duplicate data in various systems, which means that erasing data in one system doesn’t guarantee that all data is erased in other systems or databases. Without full traceability, you may find it impossible to accommodate the rights of the consumer asking for usage information or asking to have their personal data completely erased.
With regards to email marketing specifically, here are some key points to consider:
Never rent or buy lists! I shouldn’t have to waste space even bringing this up, but many companies still try to grow their email marketing databases by purchasing through list brokers. Those days are over. Finished. Don’t even THINK about going there.
Consent is required. The new regulation requires that brands collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant. “Pre-checked” boxes are not allowed.
Consent must be freely given. Your visitors must truly have a choice of whether they’d want to subscribe to marketing messages. If subscribing to your newsletter is required to download a whitepaper, then that consent is not freely given.
Consent must be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service.
Opt-out must be easy. Use an email marketing platform that provides a one-click opt-out.
Maintain evidence of consent. Under GDPR, you must be able to provide proof of who consented, when they consented, what they were told at the time of consent, how they consented (e.g., during checkout, via Facebook form, etc.), and whether they have withdrawn consent.
Clearly, you need to review your current data collection practices as they pertain to email marketing. But what about your existing databases? If your lists include recipients whose permissions haven’t been collected in accordance with GDPR, or if you can’t prove consent, you can no longer send email to those subscribers.
For many marketers, this is going to be a major blow. But this is the new normal. Lists will shrink, and list growth will be slower and costlier.
Audit your lists and identify any recipients for whom you have no GDPR-compliant consent records. Run a “re-permission” campaign to refresh that consent. This involves emails that ask for updated interest, such as “Still want to hear from us?” or “Let’s stay in touch” and so on. Include a clear opt-in process to re-subscribe the recipient. Silence isn’t consent. If they don’t clearly opt in to your messages, then remove the subscriber from your mailing list.
Bring your entire email marketing efforts up to GDPR standards and ensure that your opt-in processes meet the requirements. Unfortunately, changes to opt-in processes and re-permission campaigns will slow down list growth. The good news is that this will help ensure that you only send email to subscribers who really want to hear from you. List quality will improve.
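As an added example (not code from the article or from Vogel Marketing Solutions), the following Python models the consent evidence the points above call for (who, when, what they were told, how, withdrawn) and runs the list audit and re-permission decision. The record fields, the re-permission window and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
@dataclass
class ConsentRecord:
    """Evidence of consent for one address: who, when, what they were told, how, withdrawn?"""
    email: str
    consented_at: Optional[datetime] = None       # None: no record of consent at all
    notice_text: str = ""                         # what the subscriber was told
    method: str = ""                              # how they consented, e.g. "checkout"
    prechecked: bool = False                      # pre-ticked box: not affirmative
    bundled: bool = False                         # bundled with T&Cs: not separate
    gated: bool = False                           # required for a download: not freely given
    withdrawn_at: Optional[datetime] = None
    repermission_sent_at: Optional[datetime] = None  # "Still want to hear from us?" sent
    reconsented_at: Optional[datetime] = None        # explicit opt-in to that campaign

def has_valid_consent(rec: ConsentRecord) -> bool:
    """Affirmative, freely given, separate, documented and not withdrawn."""
    if rec.withdrawn_at is not None:
        return False
    if rec.reconsented_at is not None:            # a fresh opt-in cures a flawed old record
        return True
    flawed = rec.consented_at is None or rec.prechecked or rec.bundled or rec.gated
    return not flawed and bool(rec.notice_text.strip()) and bool(rec.method.strip())

def audit_list(records, now: datetime, window: timedelta) -> dict:
    """Sort addresses into mailable / needs re-permission / remove. Silence isn't
    consent: once the re-permission window closes with no opt-in, the address goes."""
    out = {"mailable": [], "repermission": [], "remove": []}
    for r in records:
        if has_valid_consent(r):
            out["mailable"].append(r.email)
        elif r.withdrawn_at is not None:          # withdrawn: erase, never re-ask
            out["remove"].append(r.email)
        elif r.repermission_sent_at is None or now - r.repermission_sent_at <= window:
            out["repermission"].append(r.email)   # ask (or keep waiting for an answer)
        else:
            out["remove"].append(r.email)         # window expired without an opt-in
    return out

T = datetime(2018, 3, 1, tzinfo=timezone.utc)
SAMPLE = [  # constructed sample records, not real subscribers
    ConsentRecord("a@example.com", T, "Monthly tips newsletter", "web form"),
    ConsentRecord("b@example.com", T, "Monthly tips newsletter", "checkout", prechecked=True),
    ConsentRecord("c@example.com", T, "Subscribe to get the e-book", "gated form", gated=True,
                  repermission_sent_at=T + timedelta(days=10)),
    ConsentRecord("d@example.com", repermission_sent_at=T + timedelta(days=10),
                  reconsented_at=T + timedelta(days=12)),
]
```

Running `audit_list(SAMPLE, T + timedelta(days=40), timedelta(days=21))` keeps the documented opt-in and the re-consented address, queues the pre-checked record for re-permission, and removes the gated record whose re-permission window expired unanswered.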
Find and Control Your Data
Now is the time to launch a review of your current data handling practices—not just email, but all data that passes through your company’s networks. With regards to email marketing, here are the questions to ask to help ensure GDPR compliance:
Where did your existing databases come from? Did a previous marketing manager or ad agency acquire a purchased list? Did your sales team “scrape” email addresses from prospects’ websites? Did you ask for an email address to download an e-book – but didn’t overtly ask them if it’s OK to send marketing messages? If you can’t prove where an email came from, and that the acquisition meets GDPR standards, then you must either launch a re-permission campaign, or delete them immediately.
What data do you hold for each email address? Do you have data points on name, company, title, phone, or other personally identifiable information? What about purchase history through your e-commerce platform? Nearly all email marketing programs can provide a myriad of details about each email – when they were last mailed, how often, if they opened a message, if they clicked on a specific call-to-action, and so on.
Who has access to that data? How many people know the passwords to the servers where the data is stored? Can they be trusted? Does your system record access logs, to show who accessed the data and when?
Where is the data stored? Do you perform back-ups to remote servers, and who has access? What about desktops, laptops, and tablets? Is anyone likely to download data to their own equipment, and what did they do with it? How many duplications of data exist, and where?
This is a Company-Wide Effort
GDPR compliance must be an ongoing effort within your company, and you must plan and budget for its maintenance throughout the year and into the future. Personal data could be copied over to new servers without being indexed. Employees and vendors can come and go. New campaigns and software programs can be implemented in various parts of your company. It’s vital that you constantly update your company’s policies to govern all this data, so you can stay on top of things.
GDPR places equal liability on your company as it does on third-party processors. If your sub-contractors are not in compliance, then your organization is not in compliance. There are stringent rules for reporting breaches that everyone in the chain must understand and comply with.
Existing contracts with processors, such as email marketing consultants and agencies, need to spell out responsibilities – including how data is managed and protected, and how breaches are reported.
Top management must buy in to this process 100%, and they must create a sense of urgency and ownership throughout your organization. Be sure to involve all stakeholders – not just IT. This includes customer service, marketing, sales, human resources, legal and more. Create a written plan on data protection that every employee reads and signs, and appoint a data protection officer if you are with a larger company. Test your systems and incident response efforts, and create a process for ongoing assessment and review.
What Are the Roles of Those Involved in Compliance?
GDPR defines several roles for individuals or teams responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO).
Your data controller will define how the data will be processed and the purposes for which it is processed. The controller will also be responsible for ensuring that your outside vendors are in compliance.
Data processors are the individuals or internal groups within your organization that maintain and process personal data records. Processors can also be any external firm that performs all or some of those functions. Processors are liable for breaches or non-compliance. However, both your company and your external processing partner, such as an email marketing firm or cloud provider, will be liable for penalties even if the non-compliance is completely the fault of the outside firm.
GDPR requires you to designate a data protection officer to oversee security strategy and GDPR compliance, especially if you process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority.
What Must You “Prove” if Contacted by GDPR Authorities?
Regulators can levy significant fines under GDPR on data controllers and processors for non-compliance. The size of the penalty can vary, based on a variety of factors: nature of the infringement, intention, mitigation, preventative measures, history, cooperation and more.
Here are some questions to ask your team to see if your organization is prepared to prove GDPR compliance:
Do you have proper policies and procedures in place at the initial data entry point, and can you prove that you followed GDPR guidelines regarding consent?
How quickly and accurately can you provide a comprehensive list of where data resides?
What is the risk level for each data source for misuse, and can you prove that you have appropriate security measures in place?
Do you have easy access to all the necessary documentation and audit trails?
If a recipient withdraws their consent to receive emails, how quickly and reliably will their data be erased from all locations?
How will you know if your data has been breached, and can you notify GDPR authorities within 24 hours?
The clock is ticking, and compliance is not optional. If your company is smaller, hire consultants to help you audit your systems, implement controls, train staff and review your efforts on a regular basis. I can help in the area of marketing data (sales data, email marketing data, and so on).