What is GDPR? On May 25, 2018, the European Union’s new privacy law, the General Data Protection Regulation (GDPR) comes into effect and will apply to the data of EU individuals no matter where their data may reside. This regulation is a broad effort to ensure consistent and enforceable legal requirements across all Member States to protect the right of any EU individual to the privacy and security of their personal data.

You may be wondering, does GDPR apply to me?

The answer is most likely yes. The GDPR applies to you if you collect, record, organize, store, or perform any operations on data relating to an individual in the European Union — even if you are located outside of the EU.

How does GDPR affect your email marketing program?

Among its goals, the GDPR seeks to add accountability to the practices of data controllers and processors.

  • A controller is the one who “determines the purposes and means of the processing of personal data” (that’s you, and maybe us).
  • A processor is one who “processes personal data on behalf of the controller” (that’s us when you send emails via our application).

While there are other options for lawful data collection and processing, for marketers, consent will be the strongest and the most familiar.

So, what does that mean for your current email marketing strategy? More of the same, and then some.

While we recommend you consult with a legal and/or privacy professional to understand the full scope of your obligations under the GDPR, below we are sharing some tips we believe will be helpful in thinking through your compliance obligations.

Check out our Trust Center, which provides quite a bit of detail about consent as it’s defined under the GDPR. The regulation’s text clearly defines how consent can (and cannot) be given.

Rather than using the term “explicit” which many of us are used to, the GDPR lays out a set of conditions for informed consent that reinforce the data subject’s rights and places specific obligations on the shoulders of the data controller.

Leading up to the May 25, 2018 GDPR effective date, now is a great time to review the consent you’ve received prior, and how you’ll obtain consent in the future under the GDPR’s requirements.

Practically speaking, this means adding a few tasks to your to-do list:

  1. Review consent for existing subscribers (no need to re-obtain consent if it was originally obtained in a manner that is in line with the GDPR).
  2. Review your consent forms (signup forms) to ensure any new information obtained about an individual is in compliance with the GDPR.
  3. Review public-facing policies around data collection (eg. your online Privacy Policy) to ensure you are transparent about your data collection, sharing, and usage practices and ensure these policies are provided when collecting information via your consent forms.

Review and update privacy notices

Building upon point 3 above, your subscribers have the right to know how their personal data is being processed by you, so you should make your privacy policy easy to find and easy to understand.

You could do this by:

  • Clearly defining all processing activities related to personal data processed by you and any third parties processing on your behalf.
  • Providing all information regarding processing activities in a concise, transparent, intelligible and easily accessible form using clear and plain language.
  • Ensuring that your online privacy notices are not hidden, lengthy, or difficult to understand.

Operationalize Ways to Respond to Your Subscribers Requests

Data subjects — your subscribers (as they relate to your use of our email marketing application) — have the right to:

  • Transparent information about your processing of their data.
  • Deletion, correction, portability of their data.

So, you’ll need to operationalize ways to respond to and address these subscriber’s requests to exercise their rights under the GDPR.

When operationalizing, consider the following:

  • The process for the subscriber to exercise their rights as a data subject should be clear. Make sure instructions for the process are where they’re expected to be and that the mechanism to make the request is easy to use and does not require special knowledge beyond that needed to verify the request.
  • Requests for information may not always be legitimate. As the data controller, you’ll want a way to confirm the identity of the requester so that you’re not disseminating personal data to the wrong person.
  • Responses should be timely and accurate.
  • There may be lawful grounds that prevent you from modifying or deleting, in part or whole, the record. Consider these carefully and fully document your reasoning.
  • Keep your responses to data subjects clear and unambiguous.
  • Make sure a subscriber’s data is in a common readable and portable file format in case they want to store that data elsewhere for their own purposes.
  • You’ll generally have one month to fulfill the request (though there are allowances for additional time under certain circumstances).
  • All steps in the above process should be documented.

Record Keeping

Keep a record of your signup forms, data collection mechanisms, and processing activities. This could be saving the underlying code, a screenshot, PDF, and/or use-case description of any data collection mechanism you’re currently using or use in the future — and it can help you prove the nature of consent between you and your subscribers.

As an added bonus, you’ll also be able to take a more critical look at your successes and failures in data collection to improve future practices.

Remember: the tips above are not meant to be legal advice and are in no way a comprehensive standard for ensuring your email marketing program is in compliance with the GDPR.

What we’re doing to help

At Campaign Monitor, we are pursuing GDPR-compliance by May 25, 2018.

What this means is, we’re implementing robust GDPR training of all of our employees, managers, and executives. In addition, we’re currently building GDPR-compliant features to the platform to make sure you’re able to comply with your obligations as a controller of your subscriber’s personal data.

A few ways we’re doing this:

  • Privacy by design: We’re building internal privacy-by-design guidelines and training our product and engineering teams on GDPR to make sure that data privacy principles are taken into account during the earliest stages of feature and product development.
  • Data subject’s rights: When your subscriber reaches out to you to exercise their rights, for example, of erasure or rectification, it’s our responsibility to assist you in complying with that request insofar as it pertains to data processed through our application. We’re updating our platform with features that help you fulfill that subscriber’s request in a timely manner. Stay tuned for more details as these features get released.
  • Security measures: We are auditing and documenting all of our current security measures and practices, and where security measures can be further strengthened, our team is working quickly to implement updated security measures before May 25, 2018 to ensure appropriate technical and organizational measures are in place for the safeguarding of personal data. We are also re-evaluating all of our sub-processors to ensure they have adequate security measures in place for the onward processing of any personal data processed by them.

Wrap up

We are keen to be implementing new, compliant features to our platform as we enter this new era of GDPR. Remember to consult with an independent legal and/or privacy professional to understand the full impact of the GDPR on any of your data processing activities.

Disclaimer: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.