As in most companies, you probably use email marketing as part of your communication strategy. Therefore, GDPR is familiar to you, and for good reason, considering that this subject has been under the spotlight since last year.
The need to comply with this European regulation has required a lot of resources in all businesses and has significantly changed the world of marketing and communication. When it came into force on May 25th, 2018, it made people aware that a legal framework on personal data processing was absolutely essential.
In little more than one year, this text has become an international standard for data protection. Let’s then analyze the goals and fundamental principles of the GDPR, take stock of this first year and consider future developments in data protection and confidentiality in email marketing.
GDPR: Setting goals
"One of the main goals of the GDPR is to give citizens the power to act and to have greater control over one of the most valuable resources of the modern economy: data," said the European Commission in a press release.
After taking into account the amount of data generated, alongside the most recent technological developments, it appeared to be necessary to create a legislative text to be used as a reference for a general data protection plan in the European Union. The three main goals of the GDPR are the following:
- To reinforce the rights of natural persons: information on the purpose of the data processing, right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object (…);
- To make those who are involved in the processing of personal data accountable and aware of their responsibilities;
- To give credibility to the regulation of data processing.
GDPR fundamental principles
Privacy by design
Privacy by design and by default is the need to systematically integrate all the necessary measures that aim to protect personal data, when creating a product or a service. For example:
- To use personal data only for the purposes for which they were originally collected;
- To reduce the collection of personal data (only what is necessary) and to retain them for a defined period of time;
- To ensure data security by limiting access to authorized persons only;
- To take into account the respect of people’s rights (information, objection, access, rectification, erasure, restriction…).
Anyone involved in the creation of a product or service is subject to this principle, whatever the stage.
Data controllers and subcontractors (processors) must at the same time implement processes to safeguard personal data and be able to provide evidence of their compliance with the European regulation at all times. This means that they must be able to continuously monitor the effectiveness of these processes, through documentation and internal measures.
Focus on consent, a key element in email marketing
The GDPR recalls that consent is one of the legal bases that can underpin the processing of data and sets out the conditions that apply when processing relies on consent. In practical terms, wherever consent is required or whenever you choose to justify data processing on the basis of consent, you must obtain valid consent. In practice this means that:
- You must obtain a positive, clear and unequivocal statement from the person in question;
- The consent must be informed, free and specific;
- The data subject must be able to withdraw his or her consent at any time, and with ease;
- You must keep proof of the consent that has been obtained.
Balance and news in 2019
Much has been said about the GDPR in 2018, which made people and businesses aware of the notion of personal data protection. This awareness is reflected in a significant increase in the number of complaints. In France alone, for example, more than 11,000 complaints were sent to the CNIL (the National Commission on Informatics and Liberty) in 2018, i.e. an increase of 32.5%. The impact of the GDPR goes beyond European borders, as it concerns not only individuals, businesses and organizations within the EU, but also all organizations outside Europe that collect personal data of European citizens.
GDPR and ePrivacy: what are the differences?
Although the GDPR has made many headlines since May 2018, another regulation has appeared on the scene: ePrivacy. Even though it’s often mixed up with the GDPR, the difference between these two regulations lies mainly in their scope. The GDPR covers the processing of personal data collected online and offline, while the ePrivacy regulation covers the exchange of information that goes through electronic communication service providers, which is what underpins targeted advertising based on the behaviour of Internet users.
Advice for complying with the GDPR in 2019
Inform your contacts of the purpose of the data processing
Don’t forget to inform your contacts about the specific purpose for which their data will be collected and used. This purpose must be clear, understandable and compatible with the missions of your organization. And, of course, you must respect this purpose later on. It is also the purpose that determines the relevance of the data that is gathered: only data needed for this purpose may be collected. Finally, the purpose makes it possible to determine the duration of data retention. You should also make your data processing policy public, for example in your general terms and conditions, legal notices, privacy policy, etc.
Opt-in, double opt-in, opt-out: what happens to these with the GDPR?
Contrary to a widespread belief, the double opt-in is not a mandatory requirement in all countries to comply with the GDPR. In some countries, consent rules may differ according to the type of prospecting (BtoC or BtoB), making simple opt-ins possible in certain particular cases. In other countries, the rules may vary according to other current legislation.
In any case, if the legal basis for processing is consent, do not hesitate to use the double opt-in. The double opt-in procedure has a dual purpose. On one hand, it aims to protect the user against spam. On the other hand, it aims to provide legal assurance to senders, by giving them real and timestamped evidence of the user’s active consent. In practice, this is a two-step registration process. First, the interested party subscribes to a newsletter by filling in a form. Once the form has been submitted, they receive an email asking them to confirm the registration. Their registration is only validated after they have clicked on the confirmation link.
Do not forget to clearly inform the reader of the purpose of their data processing and of their rights. You should only send emails to contacts who have given their explicit consent, and from whom you have proof of that consent. Do not use pre-ticked fields to obtain the consent of your future subscribers. And last but not least, keep evidence of the consent of your contacts.
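The two-step registration described above, together with the proof-of-consent requirement, as an added example (not code from the original article or from any email service provider). It assumes a server-side signing key, a hypothetical 48-hour validity for confirmation links, and an in-memory store standing in for a database; the confirmation token is HMAC-signed so that a subscriber is only marked as consenting after clicking a link that was genuinely issued for their address, and each confirmed record keeps the timestamped evidence (purpose shown, form version, request and confirmation times, withdrawal time) that an audit would ask for.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, asdict
from typing import Optional

# Assumed values for the example: in a real deployment the key comes from a
# secret store and the link lifetime from your documented processing policy.
SIGNING_KEY = b"example-signing-key-replace-me"
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class ConsentRecord:
    """Evidence kept for each subscriber: what they were told, when, and from where."""
    email: str
    purpose: str                  # the purpose stated on the form
    requested_at: float           # step 1: form submitted
    request_ip: str
    form_version: str             # which wording / privacy notice was shown
    confirmed_at: Optional[float] = None   # step 2: confirmation link clicked
    withdrawn_at: Optional[float] = None   # unsubscribe / objection exercised


class DoubleOptIn:
    def __init__(self, key: bytes = SIGNING_KEY, now=time.time):
        self._key = key
        self._now = now            # injectable clock, so expiry can be tested
        self.pending = {}          # token_id -> ConsentRecord (not yet consent)
        self.confirmed = {}        # email -> ConsentRecord

    def _sign(self, token_id: str, email: str, expires: int) -> str:
        msg = f"{token_id}|{email}|{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def subscribe(self, email: str, purpose: str, request_ip: str, form_version: str) -> str:
        """Step 1: record the request and return the token to embed in the confirmation link."""
        token_id = secrets.token_urlsafe(16)
        expires = int(self._now()) + TOKEN_TTL_SECONDS
        self.pending[token_id] = ConsentRecord(email, purpose, self._now(), request_ip, form_version)
        # The token binds id, address and expiry under an HMAC, so it cannot be forged or altered.
        return f"{token_id}.{expires}.{self._sign(token_id, email, expires)}"

    def confirm(self, email: str, token: str) -> bool:
        """Step 2: validate the clicked link; only a valid, unexpired, single-use token gives consent."""
        try:
            token_id, expires_s, sig = token.split(".")
            expires = int(expires_s)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(token_id, email, expires)):
            return False
        if self._now() > expires:
            return False
        rec = self.pending.pop(token_id, None)   # single use: second click fails
        if rec is None or rec.email != email:
            return False
        rec.confirmed_at = self._now()
        self.confirmed[email] = rec
        return True

    def withdraw(self, email: str) -> bool:
        """Unsubscribe link or objection by email: consent is withdrawn, evidence is kept."""
        rec = self.confirmed.get(email)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = self._now()
        return True

    def may_send(self, email: str) -> bool:
        """Gate every campaign send on confirmed and not-withdrawn consent."""
        rec = self.confirmed.get(email)
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, email: str) -> Optional[str]:
        """Serialised proof of consent, suitable for storing or handing to an auditor."""
        rec = self.confirmed.get(email)
        return json.dumps(asdict(rec), sort_keys=True) if rec else None


if __name__ == "__main__":
    doi = DoubleOptIn()
    # Constructed sample subscriber (documentation address, not a real person).
    token = doi.subscribe("alice@example.com", "monthly newsletter", "203.0.113.5", "signup-form-v3")
    print("confirm link: https://example.com/confirm?email=alice@example.com&token=" + token)
    print("may send before click:", doi.may_send("alice@example.com"))
    print("confirmed:", doi.confirm("alice@example.com", token))
    print("may send after click:", doi.may_send("alice@example.com"))
    print("evidence:", doi.evidence("alice@example.com"))
```

The design point is that nothing the subscriber submits in step 1 counts as consent: `may_send` stays false until `confirm` accepts a token that was signed by the server, is addressed to the same email, has not expired, and has not been used before. Withdrawal does not delete the record, because the proof that consent existed (and when it ended) is itself something you must be able to produce.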
Make sure your email provider complies with the GDPR rules
You send your campaigns via a professional email solution. You must ensure that your service provider meets the standards imposed by the GDPR. To make sure your subcontractor complies with the GDPR, you should request a subcontracting or data processing agreement.
By reviewing its content, and by obtaining the list of its own sub-processors and the technical and organizational measures in place to ensure that personal data are adequately protected, you will be able to verify that your subcontractors are in compliance. You can find all this information about Mailify here.
Make cancellation easier
The right to object is one of GDPR’s key points. Make sure you include an unsubscribe link in all of your messages, and make it visible enough to your readers. An unsubscribe link that you try to hide in your message may lead your contacts to report your email campaign as spam, or to file a complaint against your organization with the authorities. Being able to withdraw consent simply and free of charge is an absolute requirement. In addition to the unsubscribe link, there are other ways to withdraw consent, such as asking the controller (the sender) by email to act on the request. In any case, a simple way of objecting must be made available.
Update your contact list regularly
If you regularly update your database, it will be easier for you to meet the obligations regarding the duration of data retention. If a retention period is specified in the processing policy or in the information provided in the collection forms, it is absolutely essential that this period be respected.
One last piece of advice: stay informed!
The directives on the processing of personal data and privacy protection are likely to evolve. It is strongly recommended that you keep up to date with the latest procedures.