Privacy has become one of the hottest topics as big-name tech companies scramble to keep user data secure and set boundaries of what they’ll share with third-party companies. While most online companies in the United States operate under some sort of self-regulation, the European Union recently put a strict plan in place to protect consumers.
The EU General Data Protection Regulation (GDPR) will go into effect May 25 and requires the attention of both European companies and those from around the globe. Any organization that collects personal data or behavioral information from people in an EU country must comply with the GDPR requirements. Here’s what that actually means for your team.
What is the GDPR?
At the most basic level, the GDPR looks to give consumers the power to control who is collecting personal data on them and what exactly is being done with it, in hopes of empowering users and providing transparency. This wide-reaching regulation is the biggest change in data privacy in two decades, so you need to see if and how it will affect your business.
To get a better grasp on what exactly this new regulation entails, the GDPR breaks down the rules into three main objectives:
- Implements rules related to the protection of how people’s personal data is processed and used;
- Protects people’s fundamental rights and freedoms, particularly in regards to their personal data;
- Prevents the free movement of personal data for reasons related to the protection of the processing of personal data.
It’s important to note these rules only apply to people inside the EU, and authorities don’t have to follow them in certain criminal or safety cases.
To flesh out some of the main components, we’ll take a closer look at what all is involved in this new regulation.
They define personal data as any information related to a person that can be used to directly or indirectly identify them — and that encompasses quite a bit. Think photos, social media posts, email addresses, banking information, IP addresses, and a dozen other things.
Right to access
People can find out whether or not their personal data is being used, and if so, where and for what purpose. The company must also give them a free, electronic copy of their personal data. (That’s something Facebook recently did after the whole Cambridge Analytica fiasco.)
Your conditions for consent need to be clear and to the point, so forgot any of the long, legal jargon you might have used in the past. The request has to be provided in an easily accessible, intelligible format, and you’ll need to include information on the purpose of the data processing. You also have to make it easy for people to withdraw their consent at any point, but more on that below.
Right to be forgotten
This provision — also known as Data Erasure — gives users the right to have their personal data erased and prevent the future sharing of their data. That can occur when their data is no longer necessary, the user withdraws their consent, the data is being unlawfully processed, or there is a legal reason for it to be erased.
Gone are the days of waiting weeks, months, or longer — or worse, never sharing — when there’s a breach. The GDPR requires organizations to tell their users within 72 hours that there’s been a breach if it could result in a risk to the “rights and freedoms of individuals.”
What happens if you break the rules
There are some serious penalties if you fail to comply with these new regulations, so you’ll want to take steps to avoid these. Your organization can face a fine of up to 4 percent of the annual global turnover or €20 million (about $23.8 million) — whichever amount is greater.
Those are the maximum fines that will be given to the most serious GDPR offenders. Some examples they give of what they consider to be “serious” include not having sufficient customer consent to process data or violating the core Privacy by Design concepts — which means any action involving the processing of personal data must be done with data protection and privacy in mind. Basically, this privacy concept must be incorporated from the start of any project or system, instead of simply being added on down the road.
The GDPR also has a tiered approach to penalties for less serious offenses, including a 2 percent fine for these types of non-compliant actions:
- Failing to notify the supervising authority and data subject if there’s a breach
- Not conducting an impact assessment
- Failing to keep records in order
Take steps to comply
After you’ve got a better understanding of what the GDPR involves, you’re probably asking, “Now what do I do?” You’ll need to start by looking at how you handle online marketing forms and other interactions if you’re offering localized web content in the EU or have a target market there.
Make sure any forms clearly ask for consent, giving users all of the parameters for which you’ll be using their personal data. Everything should be written in layman’s terms and provide specific information to ensure they truly understand what it means for them to give consent.
For example, if you’ve created a campaign and are trying to collect email addresses from users in Europe, you’ll need to clearly state what will be done with their email address. All of the information should be included on the page, instead of sending them to another subpage with long, tiny text that requires a law degree to figure out.
You’ll also need a box they can check or some other way they can give their consent. You must provide trackable, recorded proof that everyone on your existing email list has opted in. And once you’ve collected their data and consent, you’ll need to ensure their personal data is kept safe.
In Robly, once a person has signed up via a Robly signup form or reconfirmation email (more on that below), the opt in status is recorded with a status of “Subscribed Opted In.” The burden of proof for this type of permission lies with the company. This means that should you be challenged at any point, you will need to show reasonable evidence that you have complied with the law by keeping records of opt ins.
For new subscribers, you *must* inform your subscribers about who is collecting consent, as well as the purposes for collecting any personal data. For example, if you intend to collect someone’s email in order to enter them into a contest but intend to send them promotional content or marketing material later, you must disclose this at the time you collect the email, and be able to prove that it was displayed.
If you didn’t get express, provable permission from any contacts in your list, then you may not send them email marketing under this EU law. If you need to get permission now in order to comply, we recommend you do so immediately by following the instructions below for how to get your existing Robly data in compliance.
How to reconfirm your lists
With these new regulations just around the corner, it’s no longer enough to simply offer an opt-out option. Instead, you need to have trackable proof that your subscribers — both new and existing ones — provided consent and opted in. That means they either opted in through your signup form or reconfirmed via an email you sent them.
We’ll start with how you handle new subscribers going forward before diving into what to do with your current lists. You’ll need to clearly state who is collecting consent and the purpose for collecting their personal data. Let them know how you plan to use their information now and later. The more transparency, the better.
You do have the option of creating separate sign-up processes for people in the EU vs. the rest of the world, but that’s probably not practical for most organizations. That will lead to multiple lists and probably some headaches trying to manage the different groups.
For your current subscribers, you’ll need to make sure all of your lists are in compliance with the new rules, as well. If you’ve already segmented your lists and have one with only European subscribers, you can reconfirm just this group.
If that’s not the case, you’ll need to reconfirm all of your subscribers. We’ve put together a step-by-step guide on how to reconfirm your lists in Robly to help, and you can also view the main points below:
- Create a reconfirmation email campaign. Get straight to the point, and remind your subscribers how you use their personal data. Let them know they need to opt-in again to comply with the GDPR. You can also give them a quick background on the GDPR so they have a better understanding of what’s going on.
- Add a “reconfirm” merge tag. Insert this tag as either text or in a button. Add text to the campaign and the reconfirm link from the menu. The text will appear as a clickable link that says “Reconfirm.”
- Hit send. Now you just need to sit back and wait for your subscribers to re-opt-in.
- Segment your responses. Before we get to the GDPR start date (May 25), segment your lists by who did and didn’t reconfirm themselves.
While it might take a little time to make sure your lists are in compliance, it’s something all organizations have to do if they are interacting with users in the EU. Plus, you’ll be able to ensure your subscribers really want to receive your newsletters and campaigns, which will result in better engagement metrics overall. And isn’t that a win for both sides?
What do you think about the new GDPR? Share your thoughts below!
Lauren Dowdle is an award-winning writer based in Nashville, Tenn. Her decade-long writing career has covered everything from landscaping to marketing.