General Data Protection Regulation: What Europe’s New Privacy Law Means for Email Marketers
As well as going ahead with the UK’s withdrawal from the European Union, on June 21, 2017 the Government reaffirmed its intention to bring the EU General Data Protection Regulation (GDPR) into UK law, ensuring the country’s data protection framework is “suitable for our new digital age, allowing citizens to better control their data.”
The General Data Protection Regulation (GDPR), the European Union’s (EU) newest online privacy law, is designed to bring order to a fragmented set of privacy rules across the whole of the EU. As GDPR is a regulation (and so can be legally enforced) and not a directive, it will become enforceable in EU member states on May 25, 2018. While more uniformity across European countries should be good news for email marketers, GDPR brings with it a number of changes that will have an effect on the email industry.
At present, under the Directive on Privacy and Electronic Communications (E-Privacy Directive), spam rules within the European Union differ notably from state to state. While the E-Privacy Directive sketches overall objectives, every member state is permitted to translate these objectives into its own law. The consequence is radically differing email laws for each EU member state.
So, what does this new regulation mean for email marketers?
Who does this affect?
GDPR will affect every business that uses any personal data from EU citizens, so it will impact numerous aspects of email marketing, particularly how marketers pursue, gather, and record consent. If you’re collecting email addresses or sending email to subscribers in the EU, you will have to conform to GDPR, irrespective of where you are located.
Will there be stricter regulations for collecting consent?
When GDPR is in place, marketers will only be permitted to send email to people who have chosen to ‘opt in’ to receive messages. While this is already the case in most EU countries, GDPR goes on to specify the nature of the consent that will be required for commercial communications. Beginning in May 2018, businesses will have to collect confirmatory consent that is “freely given, specific, informed and unambiguous” to be GDPR compliant.
The signup process must also notify subscribers about the brand that is collecting consent as well as give information about the purposes of personal data collection.
Basically, this means that methods used previously by marketers to grow their database will not be GDPR compliant. For example, if someone entered their email address to download a form or gave their contact information to enter a competition, and you didn’t tell them you would use their personal information to send marketing messages, and they didn’t agree to that use, it will be unlawful to include those email addresses in your mailing list.
Consent record keeping: new requirements
The GDPR not only sets the rules for how to collect consent but also requires companies to keep a record of these consents.
Moving forward, email marketers will also be required to change how they collect and store consent, but that’s not the whole story: GDPR will apply to all existing data. If your database has subscribers whose consent hasn’t been collected in line with GDPR’s standards, or if you are not able to provide adequate proof of consent, you may not be allowed to send those subscribers email any longer.
What will happen if you are non-compliant?
The new regulation not only comes with tighter rules around consent and the use of personal data but also greater penalties for businesses that don’t abide by the rules. Nonconformity with GDPR comes with fines of up to €20 million or 4% of a business’s annual turnover (whichever is greater).