The General Data Protection Regulation (GDPR) will come into legal force in May 2018 and must become a focus of your operation if it isn’t already.
In broad terms, a lot of what this regulation does is bring together, clarify and extend already existing data privacy laws and directives. Currently there are many different regulations and bodies throughout EU member states. Bringing all of them together relieves the need for individual country legislation, as well as creating a common standard. UK data laws are not superseded by GDPR, so where a local directive or regulation has a higher level of control it is still valid and cannot be ignored.
There are some new additions to previous laws, the biggest of which is the inclusion and real demand for accountability from data processors. The heart of GDPR is to protect each one of us and the data held about us by any individual, any company and any government. Who can argue with the sensibility of that? It is not purely about restriction, but more about balancing the interests of business with the freedoms of individuals.
What does it say?
In layman’s words, GDPR says: if you hold or process any data that allows personal identification of an individual you must have just cause (lawful right, consent, legitimate interest), be accountable, be transparent in the use of it, protect the data properly and only use it for its given purpose.
Think widely about the data you hold in your business, as the regulation covers all of it. This includes customer data, contracts, personnel files, indeed any data that is personal information. Whilst we are used to a certain understanding of what personal data is (name, email address, etc.), there is an additional specification that reflects changes in technology and data gathering to include biometric, genetic and online data that can be used to identify an individual.
What does GDPR mean?
For our purposes, this will focus on what it means to Email Marketers.
Consent is the best and all encompassing proof of a legitimate use of personal data, particularly where marketing is concerned. Proof is important and consent must be properly documented to provide that proof.
Gaining consent should already be top of your priorities for interactions with your customers; the Data Protection Act (DPA) already specifies the necessary parameters for obtaining consent.
The more defined consent that GDPR requires is:
- A freely given ‘clear affirmative act’ [1]. Pre-ticked boxes on forms, opt-out-only options, non-response or inactivity are not acceptable.
- Fully informed. You must clearly and simply explain to the person giving consent that they are agreeing for you to use their data and what you will be using it for.
- Easily withdrawn. Where consent is given, there are many individuals’ rights that need to be observed. Withdrawal of consent cannot be detrimental to the subject.
Should you read the regulation, don’t get hung up on the sentence “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” [2] This is not a global permission to use personal data for direct marketing. The existing e-Privacy Directive requires an opt-in for collecting data. As long as that is adhered to correctly, you have a legitimate reason to process that data. The benefit is that any data already properly opted in is acceptable to process under GDPR. Remember that opt-in must be proven, so make sure there is documented evidence of how and when it was given. To be sure that your data storage and processing meet GDPR standards, I would recommend an audit of your data use and digital marketing practice. Emailcenter offer services to help with getting your data and practices ready. Contact us for more information.
As a business you may have legitimate interest for other reasons – legal obligation, public interest, contractual need and official authority are discussed. Whilst processing and communication could be email related, in a transactional manner for example, these are outside of the marketing arena.
Accountability is a principle running through every aspect of the regulation. It promotes good practice, a responsible attitude and an interest in the rights of individuals.
Record and document data processes. Not only does this satisfy the demands of the GDPR, but it also forms a useful route to understanding exactly how you are using data, how well it is protected and how good your practice around data gathering really is. I expect (hope!) for most it will be a case of formalising or correlating what you already do.
Consent, discussed above, has a greater transparency under GDPR than before. The term ‘informed consent’ [3] requires that the subject must at least be told who the controller (data owner) is, and the purpose for processing their data. If the data will be used for more than one purpose, then all intentions must be made plain, consent given for each purpose and processing restricted to those purposes.
Privacy notices must be easy for everyone to understand. When collecting data, they must explain who you are, why you are collecting data and the rights of an individual to control that data. A multi-part notice where each section is separate and in plain English – or other appropriate language – is the best way to structure something this complex.
Records must be kept of privacy notices, consent information and all processing activities in order to prove you are adhering to the legislation.
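The consent requirements above (a clear affirmative act, one consent per purpose, easy withdrawal, and documented evidence of how and when consent was given) translate directly into what a consent record must store. The following is an added illustration, not code from Emailcenter or the Maxemail platform; the subject identifiers, form names and notice versions are constructed, and the mechanism names are assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Mechanisms that count as a "clear affirmative act" versus those GDPR rules out.
# The names are assumptions for this example.
AFFIRMATIVE = {"unticked_checkbox", "button_click", "signed_form"}
NOT_CONSENT = {"preticked_checkbox", "opt_out_only", "inactivity"}

class ConsentError(ValueError):
    """Raised when a purported consent would not stand up as proof."""

@dataclass
class ConsentRecord:
    subject: str            # identifier of the data subject (constructed in tests)
    purpose: str            # one record per purpose, e.g. "marketing_email"
    mechanism: str          # how consent was given
    source: str             # where it was given, e.g. "signup form v3"
    notice_version: str     # which privacy notice the subject was shown
    given_at: datetime      # when it was given
    withdrawn_at: Optional[datetime] = None

@dataclass
class ConsentLedger:
    records: List[ConsentRecord] = field(default_factory=list)

    def record_consent(self, subject, purpose, mechanism, source, notice_version, given_at=None):
        # Pre-ticked boxes, opt-out-only forms and inactivity are refused at the point of recording.
        if mechanism in NOT_CONSENT or mechanism not in AFFIRMATIVE:
            raise ConsentError(f"{mechanism!r} is not a clear affirmative act")
        rec = ConsentRecord(subject, purpose, mechanism, source, notice_version,
                            given_at or datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def withdraw(self, subject, purpose, at=None):
        # Withdrawal is recorded, not deleted, so the evidence trail survives.
        count = 0
        for r in self.records:
            if r.subject == subject and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = at or datetime.now(timezone.utc)
                count += 1
        return count

    def may_process(self, subject, purpose):
        # Processing is restricted to purposes with live, documented consent.
        return any(r.subject == subject and r.purpose == purpose and r.withdrawn_at is None
                   for r in self.records)

    def evidence(self, subject, purpose):
        # Documented proof of how and when consent was given (and withdrawn), per purpose.
        return [r for r in self.records if r.subject == subject and r.purpose == purpose]
```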
Protecting your data, be it customer, staff, contract or any other business information should always be a priority in any business. There are long existing standards, like ISO/IEC 27001 or PCI-DSS, that focus on system and process wide protection. These go a long way in demonstrating appropriate security and control of data.
GDPR also calls for a Data Protection Officer (DPO) to be employed in certain circumstances:
- Where the organisation is a public body or authority;
- Where data processing requires regular monitoring of data subjects on a large scale; or
- Where the core activities or the processing involve large amounts of special (sensitive) data or data relating to criminal convictions or offences.
The DPO can be a part-time worker or additional role to an existing employee, but importantly must have independence in reporting to board level without interference, and have expert knowledge of data protection law and practice. Again, if this scope is out of in-house reach then services to supply such an officer are available.
Should something go wrong in your protection of personal data, you have an obligation to report any breach to a Supervisory Authority as soon as you become aware of it, and where feasible within 72 hours of becoming aware. You must also report the breach to the individual concerned where it is ‘likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions’. [4]
How does Emailcenter help?
Maxemail is engineered with security as a fundamental design principle. We have ISO 27001 accreditation that underlines the security practice we put around our operation, from network and infrastructure, through platform design and support, to our staff. Over the coming weeks we will expand on how you can use the Maxemail platform to assist and promote the tight control you should have to meet the GDPR requirements.
We are putting together programmes and insight to help you get the best out of your preparations for May 2018. Our Maxservices team will be on hand to advise and to help implement recommended practice in your email marketing.