The main objective of the new General Data Protection Regulation (GDPR) is to strengthen and combine the handling of personal data from various member countries and adapt them under one European Union (EU) regulation.

Currently, the 28 member countries of the EU each have their own data protection regulations and apply those laws to their international commerce, which makes exercising the rights of personal data protection quite difficult.

The new GDPR comes with a wide range of rules that impact all companies, regardless of size or sector, and will quite often need to be prepared to focus on different areas of their business.

The new regulation concerning the protection of natural persons with regards to the processing and free circulation of personal data goes into effect on May 25th, 2018, two years after Regulation 2016/679 was passed by both the European Parliament and the Council. In this article, we want to help you understand what you can and cannot do in order to meet the requirements of this new regulation and reassure you that Benchmark, your email marketing tool, is also meeting the requirements of this new regulation.

The new GDPR does not eliminate each of the member countries own Data Protection legislations currently in place. Instead it helps to sync all the member countries of the EU. Some of the decisions will still be made at a national level for each of the member countries, but be mindful that the responsible parties must now reference the GDPR as the norm and not its own countries Data Protection regulations.

If you currently meet the requirements for Data Protection for your country, then you already have a good foundation. However, you will still need to revise and change some aspects to comply with the new regulations.

There are three main points you need to keep in mind with your email marketing strategy, they are: consent, access and data collection.

Consent

According to article 4 (11), ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

As stated in the definition, the consent of the user must be unequivocal and also explicit. These two words eliminate any doubt or ambiguity.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Example:

I recently took part in a tradeshow and throughout the day I amassed quite a few business cards, which I will use to create a database that I will then upload to my Benchmark account with the goal of sending newsletters.

With the new Regulations, is this legal?

No. The networking achieved between you and the individuals at the tradeshow does not give you the right to use their personal data, even with verbal confirmation from the individual. The GDPR now requires that evidence of this agreement between both parties exist.

The GDPR states that there must be unequivocal and explicit consent from the individual that can be backed up with evidence in case of an audit. There needs to be evidence that the individual is giving their consent for their personal data to be used.

RECOMMENDATION:

  • Review your methods for data collection and eliminate any ambiguity that may exist.
  • Analyze your database and only the data for which you can provide proof that consent was given to you by the individual.

Access

The party responsible for handling personal data must provide each user with simple and straightforward access to modify their own personal details. The party responsible must also provide an outlet in which the individual can confirm that they are giving their consent via electronic means, be it through their own website, sign-up forms or email confirmation.

The party responsible will have one month to provide the client with an answer, with the possibility of extending it to two months in the event that it be a complex request, in which the necessary steps are being taken to complete the individuals request.

In the case of our Email Marketing tool, the Manage Subscriptions option allows the individual to access their personal data and modify the data if needed or cancel the subscription outright.

Within this point, there is a new right, which is the RIGHT TO ERASURE (Article 17), the user can exercise their “right to be forgotten” and have their personal data removed from the database permanently. We have selected two of the six reasons that are included in sub-point 1, which provide the individual the ability to exercise their right:

a) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;

d) the personal data has been unlawfully processed;

Compilation:

The GDPR advocates for simplicity in the collection of personal data. As marketers we tend to ask for more details than necessary when all we are doing is sending out a weekly newsletter. For that reason, these new regulations encourage that only a minimum of personal data is collected and compiled for our current strategy and not the collection of additional data that you think might be useful in the future.

If your goal is to inform your database of upcoming promotions, the compilation of an individual’s name and email address is more than sufficient to meet your goal.

Brexit

The UK will officially leave and will no longer be a part of the EU in 2019. With this exit, the regulations will not be applicable to them. We currently do not know how the UK, or companies within the UK, will handle data protection but we believe that they will pass similar regulations that will be comparable with the EU.

What happens if I do not meet the new GDPR requirements?

The General Data Protection Regulation establishes a set of tools in order to comply with the new regulation, including sanctions and fines. A number of factors will be taken into consideration and carefully evaluated when a fine is imposed due to noncompliance with the new GDPR such as:

  • the gravity/duration of the violation;
  • the number of data subjects affected and level of damage suffered by them;
  • the intentional character of the infringement;
  • any actions taken to mitigate the damage;
  • the degree of co-operation with the supervisory authority.

The regulations set two ceilings for fines if the rules are not respected. The first ceiling sets fines up to a maximum of €10 million or, in case of an undertaking, up to 2% of worldwide annual turnover. This first category of fine would be applied for instance if a controllers does not conduct impact assessments, as required by the Regulation. The higher ceiling of fines reaches up to a maximum of €20 million or 4% of worldwide annual turnover. An example would be an infringement of the data subjects’ rights under the Regulation. Fines are adjusted according to the circumstances of each individual case.

You will need to keep the above main points (Consent, Access and Compilation) in mind when the time comes to plan your email marketing strategy.

Benchmark

At Benchmark, we are working hard to update our Privacy Policy in order to comply with the requirements of the regulations. In the case of the GDPR there is no certification given to us that states that we are in compliance with the new regulations as with the Privacy Shield Framework.

We at Benchmark, want to reassure you that your personal data is being handled in compliance with the new GDPR.

For the very first time, the EU shows leadership and unity in how personal data needs to be treated and forces the rest of the world without exception for any country to follow these regulations if they want to handle European personal data.

Do not forget to share this article with your audience and leave your comments. Thanks for reading!

Watch our Webinar