Quick Guide: Making Your Business GDPR Compliant


The GDPR, the European Union's General Data Protection Regulation, came into effect on May 25, 2018. It is a significant overhaul of EU data protection law, and one whose reach extends well beyond the EU's borders. Businesses have been scrambling to update their privacy policies, flooding subscribers' inboxes with notices, because non-compliance carries heavy penalties: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. With this quick guide, bringing your business into line with the GDPR should be a straightforward process.

Does GDPR Apply to Your Business?

If you process the personal data of people in the EU, the GDPR applies to you whether or not your business is based in the EU. The regulation distinguishes two kinds of accountable entity: data controllers and data processors. A controller decides the purposes and means of processing (why and how data is used), which is typically the business, hospital, government body or voluntary organisation that collects the data. A processor handles personal data on the controller's behalf and under its instructions (an accountant, a payroll provider, a market research company, a cloud hosting service). Both have obligations, but the controller carries primary responsibility for the lawfulness of the processing. For many small businesses the most visible impact of the GDPR is on marketing activity, which is what this guide concentrates on.

Transparency and Monitoring

Your first step should be to tell data subjects (in most cases, your newsletter subscribers) how you use their information. Be transparent about what your company collects, why it processes the data, how long it keeps it and with whom it shares it; a privacy notice written in plain language is the usual way to do this. You must also protect the data with appropriate technical and organisational measures, which the regulation illustrates with examples such as pseudonymisation and encryption. Appointing a Data Protection Officer to monitor compliance is mandatory only in specific cases: public authorities, organisations whose core activities involve regular and systematic large-scale monitoring of individuals, and organisations processing special categories of data (health, biometrics, political opinions and the like) on a large scale. Other businesses may still appoint one voluntarily, and someone should own GDPR compliance in any case.

Explicit Consent

Under the GDPR, every processing activity needs a lawful basis. For marketing, that basis is usually consent, and consent must be freely given, specific, informed and unambiguous: pre-ticked boxes, silence or inactivity do not count, and explicit consent is required for special categories of data. You must also be able to demonstrate that consent was given, so keep a record of who consented, to what, when and how. In practice this means the days of buying email lists from third parties for marketing are over, because you cannot show that those people consented to hear from you. Consent is also purpose-specific: agreeing to cookie tracking does not cover marketing email, so if you want to contact users by email you need separate consent for that purpose.

Ease of Opting In and Opting Out

Besides requiring an explicit affirmative action from data subjects to give consent, the GDPR requires that withdrawing consent be as easy as giving it, and it gives data subjects an absolute right to object to direct marketing. In practice, automated marketing emails without a working unsubscribe link are forbidden, as are related tricks such as pre-ticked boxes, consent bundled into terms of service, and unsubscribe flows that require logging in or emailing support.

Data Subject Rights

Data subjects have the right to access the personal data you hold about them, and you must provide it on request, normally within one month (extendable by a further two months for complex requests). There is also the right to erasure, often called the right to be forgotten, which lets a data subject demand deletion when, for example, the data is no longer necessary for the purpose it was collected for, the subject withdraws consent or objects to the processing, or the processing was unlawful in the first place. Keep a record of what personal data you process, where it lives and why, so that you can locate, export and delete a given person's data quickly when a request arrives.

Overall, the GDPR is meant to improve data protection and make businesses transparent about how they use people's data. It limits some marketing practices that used to be commonplace, but businesses that adapt will end up with cleaner lists, subscribers who actually want to hear from them, and a clear picture of the data they hold.