How does GDPR affect American businesses’ marketing efforts? This post explains.

If you’ve been following the news lately, you’ve heard about the EU’s General Data Protection Regulation (GDPR). It’s left a lot of American businesses wondering – do they need to worry about it?

While this law only applies to members of the European Union, it’s still going to affect those of us that do business on this side of the pond thanks to our global economy. In terms of your email marketing, if you have even one person on your list that is an EU citizen, it’s important you’re aware of the regulations. And if you don’t, it’s beneficial to be informed for good measure.

An Overview of GDPR

GDPR regulates how organizations gather, store, examine and use data. As the official website explains:

The EU General Data Protection Regulation (GDPR)…was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

Beginning May 25, companies need to provide a high level of data protection. If they don’t, they can be subject to fines up to nearly $25 million. While GDPR only covers EU citizens, any company that has information about those living in the EU is subject to the law.

So even if you only operate in the United States, it’s important to be aware of these regulations and consider changing your business’s marketing practices – better safe than sorry!

How GDPR Affects Marketing

GDPR includes 99 articles, but SpinSucks provides a nice summary of the ones that will most significantly affect your marketing.

1. Processing and Storing of Data

You need to store and process data transparently, in a way that’s clearly specified and agreed to by the citizen. The data also needs to be held securely – if it’s lost or stolen, you’re held responsible “should it appear proper protections were not in place.”

2. Consent

Individuals need to give their consent to be on your email marketing list. There needs to be an opt-in process with clear consent for only the information you need (e.g. email address only rather than demographic information).

3. Right to Access

If an EU citizen requests it, your company needs to provide them with all the personal information you have about them, and explain how it’s being used.

4. Right to Be Forgotten

If an EU citizen doesn’t want you to have their information, you need to delete all data you have on them.

5. Data Breaches

You’re required to report any data or security breaches within 3 days (72 hours).

6. Impact Assessments

Businesses need to “conduct data protection impact assessments to identify risks to EU citizens. Assessments must also describe how the company is addressing those risks.”

7. Data Protection Officers

If you process or store a lot of data about EU citizens, you need to hire a data protection officer.

GDPR Checklist for Marketing

SpinSucks also shared a handy checklist for safe email marketing moving forward. Here are the main points:

  • Make sure you have consent to collect and use individuals’ personal data
  • Keep a record of individuals’ personal data, which they can change or update
  • On the emails you send them, make it clear how and why you got their address; also include who you are and why you’re contacting them
  • Provide a double opt-in
  • During the opt-in process, clarify expectations for them so they know how often they’ll be hearing from you (e.g. weekly, monthly, etc)
  • Include an opt-out option in each and every email communication
  • Don’t buy lists or use lists from others
  • If you’re targeting anyone under 16, create a system for collecting parental consent
  • Add a check-box in your opt-in form for individuals to indicate they’re older than 16
  • Update your Terms of Service and Privacy Policy to state that users younger than 16 aren’t permitted to register for or use your services/products
  • Only require the information you need (e.g. email address)
  • Be able to erase all data about an individual should they request it
  • Erase users’ personal information when the service or agreement ends, or if they revoke their consent

As you look through this checklist, think about your current email marketing list – how did you build it? Did you obtain consent? Can subscribers access and change/delete their data?

How GDPR Affects Media Relations

If you’re pitching media contacts in the EU, remember this applies to them too! Unless you’ve already built a relationship with a reporter or they’ve contacted you, you can’t email them. Sending unsolicited emails falls within the list of restricted activities – even for reporters.

How can you contact them?

  • Use a contact form if they have one
  • Contact them via social media (terms of service provide contact consent)
  • Develop long-term relationships with them

If a reporter reaches out to you, this implies consent, which means you can reply and email them moving forward.

As with any type of marketing, it’s important to keep up with what’s going on in the world and how it might affect your business.