In early December, the EU reached political agreement on the text of the General Data Protection Regulation (GDPR). The new Regulation will create a single, consistent set of rules across all 28 EU member states. Once it is formally adopted by the European Parliament and Council and published in the Official Journal of the European Union, expected this spring, there will be a two-year transition period for everyone to prepare and come into compliance. It replaces the EU’s current data protection law, the 1995 Data Protection Directive, written when the internet was still in its infancy.
Following the lead of countries like Canada (CASL), the Regulation imposes significant obligations on any business that handles the personal data of individuals in the EU, wherever that business is based, and backs them with large fines for non-compliant data controllers and processors. This will affect every marketer sending email anywhere in the EU. Marketers will need to assess, plan and implement a compliance strategy to satisfy the obligations of the GDPR.
The Regulation is extensive and has many requirements. The full text of the GDPR can be found here; below we have outlined the highlights that marketers must pay attention to now.
Consent
The Regulation requires consent that is freely given, specific, informed and unambiguous, signalled by a clear affirmative action (an opt-in model, not opt-out or pre-ticked boxes). Personal data must be collected and used for a specific purpose, and consent must be obtained for each purpose separately rather than bundled together. Individuals can withdraw consent, or object to direct marketing, at any time, and marketers cannot contact email users who do not wish to be contacted.
The Right to be Forgotten
Marketers must be able to locate and delete an individual’s data upon request, including copies held by third parties or processors they have passed it to.
Data subjects will have more control over what happens to their data, which will make third-party data harder to obtain and to use lawfully.
Accuracy and Security
Data must be kept accurate and up to date, kept for no longer than is necessary, and protected by appropriate technical and organisational security measures. Marketers must keep an audit trail of how they collected and used the data.
Penalties for non-compliance will be substantial: administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, in addition to legal action by regulators and individuals.
B2B vs B2C
The law makes no distinction between B2B and B2C data: a work email address that identifies an individual is personal data just like a consumer one.
As you can see, the new Regulation will affect many aspects of your marketing, and it will be here soon. Start looking at how it will affect you now. Don’t wait until the clock starts ticking this spring to find out whether your current database permission levels and acquisition methods comply with the Regulation.
Here are a few tips to get you started:
- Take an audit of your current database. Do you know geographically where your contacts are? Do you capture an audit trail of consent?
- Know your contacts and how you acquired them. Do you keep track of where your contacts’ information is coming from and how they ended up in your database? Do you have enough information on permission and source to hold up in court if needed?
- Review and disclose your data practices.
- Look at your upcoming initiatives to ensure compliance now. All new initiatives should take compliance into consideration from the start so you don’t have to go back and adjust your processes retroactively.
These are general tips for marketers; you should consult your legal counsel for guidance on the GDPR. There is substantial work to be done for many marketers, but starting now will put you in good shape by the time compliance is legally required.