Are you GDPR Ready?

Do you send email newsletters to subscribers in the EU? Do you know what the General Data Protection Regulation (GDPR) is?

Did you answer yes to the first question and no to the second? If so, read on and get up to speed on the changes you may have to make to your email newsletters in order to comply with the regulation.

Enforcement of the GDPR begins on 25 May 2018, so you still have time to prepare.

What is the GDPR?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organisations across the region approach data privacy.

While this may appear irrelevant to your New Zealand based marketing activities, the GDPR applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. If your newsletter list contains EU subscribers, you will have to comply with its rules on data collection, privacy and disclosure.

Companies that do not comply with the GDPR can face fines of up to 4% of their global annual turnover or EUR 20 million, whichever is higher.

There are six general principles of data processing under the GDPR:

  • Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a way the individual can understand
  • Purpose limitation: personal data should be collected for specific, explicit and legitimate purposes and not used for unrelated purposes
  • Data minimisation: only personal data that is adequate, relevant and necessary for the specific purpose should be collected and processed
  • Accuracy: inaccurate personal data must be corrected or deleted, and where necessary kept up to date
  • Storage limitation: data must be kept in a form that identifies individuals for no longer than is necessary for the purpose
  • Integrity and confidentiality: data must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures

What do you need to do for the GDPR?

In order to comply you can prepare by:

  • Analysing what personal data you process, how you process it and why
  • Assessing how the new regulation might affect your current business
  • Consulting relevant stakeholders, such as customers, data controllers and data processors
  • Creating processes: implement the GDPR in your company and set clear responsibilities
  • Being transparent: be prepared to show how data is transferred and processed if asked, and write consent and privacy notices in plain language
  • Demonstrating compliance: ask yourself how you would show that you are compliant if a supervisory authority or a customer asked
  • Being responsive: requests from individuals and incidents must be dealt with within set timeframes. For example, a notifiable breach has to be reported to the relevant supervisory authority within 72 hours of becoming aware of it

A few tips for you

To address these new regulations and ensure your marketing is compliant, here are a few tips.

1. Seek Legal Advice

You may need to seek legal or other professional advice on what you need to do to ensure you comply with the new regulation.

2. Make subscribing to your newsletters clear.

You need to assess your current opt-in process. Under the new regulation, subscribers must be told how their information will be used and what content they will receive (for example newsletters, promotions or information about upcoming events), and they must actively agree to it.

Consent has to be separate from your other terms and conditions and given by a clear affirmative action, so provide a distinct, unticked box for agreeing to receive emails rather than bundling it into a single terms-and-conditions checkbox. Pre-ticked boxes do not count as valid consent, and you should keep a record of when and how each subscriber consented.

3. Use clear and concise language

You now have to fine-tune your messages carefully, not only to grab the attention of potential subscribers but also to meet the regulation by clearly stating how their information will be used.

If you plan to share your email list with other brands, you must obtain separate permission from subscribers for that purpose; consent to receive your newsletter does not cover it.

If you are sharing information with other companies, you must say so directly. Using language to deceive subscribers will be a violation of the regulations.

4. Keep your email systems secure

Email security is one of the most important obligations to take note of. When a subscriber makes a valid erasure request, their personal data must be removed from all of your systems, including exports, spreadsheets and any copies held by the email service provider that sends on your behalf.

Also, in the event of a personal data breach, you must report it to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Your data protection officer, if you have one, should be involved in assessing and reporting the breach, but informing them does not replace notifying the authority.

To make this manageable, use an email platform that lets you find, export, correct and delete a contact's data quickly and easily, so that access, rectification and erasure requests can be met within the one-month deadline the regulation sets.