How does GDPR affect your email marketing program?
GDPR applies to you if you collect, record, organise, store, or perform any operations on data related to those who live in the EU — even if you are sending from somewhere else.
Among its goals, the GDPR seeks to add accountability to the practices of data controllers and processors.
- A controller is the one who “determines the purposes and means of the processing of personal data” (that’s you, and maybe us).
- A processor is one who “processes personal data on behalf of the controller” (that’s us when you send emails via our application).
While there are other options for lawful data collection and processing, for marketers, consent will be the strongest and the most familiar.
So, what does that mean for your current email marketing strategy? More of the same, and then some.
Leading up to the GDPR effective date (May 25, 2018), now is a great time to take another look at the consent you’ve received prior and strategise how you’ll obtain consent in the future under the GDPR’s requirements. This means adding a few new items to your to-do list.
What do I need to do to become compliant?
You'll need to adhere to some of the same best practices you're used to, plus a few more. While we recommend you consult with a legal and/or privacy professional to understand the full scope of your obligations under the GDPR, here are some tips that might be helpful for fulfilling your compliance obligations:
Review and update consent (signup) forms
Check out our Guidelines for Permission, which provide quite a bit of detail about consent and clearly define how consent can (and cannot) be given.
Rather than using the term “explicit”, which many of us are used to, the GDPR lays out a set of conditions for informed consent that reinforce the data subject’s rights and place specific obligations on the data controller.
Leading up to the May 25, 2018 GDPR effective date, now is a great time to review the consent you’ve received prior, and how you’ll obtain consent in the future under the GDPR’s requirements.
Practically speaking, this means adding a few tasks to your to-do list:
- Review consent for existing subscribers (no need to re-obtain consent if it was originally obtained in a manner that is in line with the GDPR).
- Review public-facing policies around data collection (e.g. your online Privacy Policy) to ensure you are transparent about your data collection, sharing, and usage practices, and ensure these policies are provided when collecting information via your consent forms.
- Review your consent forms (signup forms) to ensure any new information obtained about an individual is collected in compliance with the GDPR.
Review and update privacy notices
Building upon point 3 above, your subscribers have the right to know how their personal data is being processed by you, so you should make your privacy policy easy to find and easy to understand.
You could do this by:
- Clearly defining all processing activities related to personal data processed by you and any third parties processing on your behalf.
- Providing all information regarding processing activities in a concise, transparent, intelligible and easily accessible form using clear and plain language.
- Ensuring that your online privacy notices are not hidden, lengthy, or difficult to understand.
Operationalise Ways to Respond to Your Subscribers’ Requests
Data subjects — your subscribers (as they relate to your use of our email marketing application) — have the right to:
- Transparent information about your processing of their data.
- Deletion, correction, portability of their data.
So, you’ll need to operationalise ways to respond to and address these subscribers’ requests to exercise their rights under the GDPR.
When operationalising, consider the following:
- The process for the subscriber to exercise their rights as a data subject should be clear. Make sure instructions for the process are where they’re expected to be and that the mechanism to make the request is easy to use and does not require special knowledge beyond that needed to verify the request.
- Requests for information may not always be legitimate. As the data controller, you’ll want a way to confirm the identity of the requester so that you’re not disseminating personal data to the wrong person.
- Responses should be timely and accurate.
- There may be lawful grounds that prevent you from modifying or deleting, in part or whole, the record. Consider these carefully and fully document your reasoning.
- Keep your responses to data subjects clear and unambiguous.
- Make sure a subscriber’s data is in a common readable and portable file format in case they want to store that data elsewhere for their own purposes.
- You’ll generally have one month to fulfil the request (though there are allowances for additional time under certain circumstances).
- All steps in the above process should be documented.
Record Keeping
Keep a record of your signup forms, data collection mechanisms, and processing activities. This could be saving the underlying code, a screenshot, PDF, and/or use-case description of any data collection mechanism you’re currently using or use in the future — and it can help you prove the nature of consent between you and your subscribers.
As an added bonus, you’ll also be able to take a more critical look at your successes and failures in data collection to improve future practices.
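To make the request-handling checklist above and the record-keeping advice concrete, here is an added example in Python; it is not code from the original article or from any email marketing vendor. It assumes a hypothetical in-memory subscriber list, that a one-time token is e-mailed to the address on file before any data is released or deleted, and that the response clock is a fixed 30 days from receipt. It keeps the consent evidence (form id, timestamp, policy version) next to the contact record, verifies the requester before exporting, refuses erasure when a documented legal hold applies, produces a portable JSON export, flags overdue requests, and writes every step to an audit log.

```python
from __future__ import annotations

import hashlib
import json
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# The article's "generally one month" response window, fixed here at 30 days (assumption).
RESPONSE_WINDOW = timedelta(days=30)


@dataclass
class Subscriber:
    email: str
    name: str
    consent_form_id: str          # which signup form captured the opt-in
    consented_at: str             # ISO-8601 timestamp of the opt-in
    privacy_policy_version: str   # the policy version shown at signup
    legal_hold_reason: str = ""   # non-empty when erasure must be refused (internal, never exported)


@dataclass
class PendingRequest:
    kind: str                     # "access" or "erasure"
    token_hash: str               # SHA-256 of the one-time token sent to the address on file
    received_at: datetime
    deadline: datetime


class SubscriberRegistry:
    """Hypothetical in-memory list; a real deployment would back this with a database."""

    def __init__(self) -> None:
        self.subscribers: dict[str, Subscriber] = {}
        self.pending: dict[str, PendingRequest] = {}
        self.audit_log: list[dict] = []   # every step of every request is written here

    def _log(self, email: str, event: str, **details) -> None:
        entry = {"at": datetime.now(timezone.utc).isoformat(), "email": email, "event": event}
        entry.update(details)
        self.audit_log.append(entry)

    def add_subscriber(self, sub: Subscriber) -> None:
        # Keep the evidence of consent alongside the contact data itself.
        self.subscribers[sub.email] = sub
        self._log(sub.email, "consent_recorded", form=sub.consent_form_id,
                  policy=sub.privacy_policy_version, consented_at=sub.consented_at)

    def open_request(self, email: str, kind: str, now: datetime | None = None) -> str | None:
        """Register a request and return the one-time token that would be e-mailed to the
        address on file. Returns None for unknown addresses without revealing that fact to
        the requester (the caller sends the same "check your inbox" reply either way)."""
        now = now or datetime.now(timezone.utc)
        if email not in self.subscribers:
            self._log(email, "request_for_unknown_address", kind=kind)
            return None
        token = secrets.token_urlsafe(32)
        self.pending[email] = PendingRequest(
            kind=kind,
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            received_at=now,
            deadline=now + RESPONSE_WINDOW,
        )
        self._log(email, "request_opened", kind=kind, deadline=(now + RESPONSE_WINDOW).isoformat())
        return token

    def fulfil_request(self, email: str, token: str) -> dict:
        """Verify the token, then export (access) or erase. Returns the outcome as a dict."""
        req = self.pending.get(email)
        if req is None:
            return {"status": "no_pending_request"}
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, req.token_hash):
            self._log(email, "verification_failed", kind=req.kind)
            return {"status": "verification_failed"}
        del self.pending[email]              # the token is single-use
        sub = self.subscribers[email]
        if req.kind == "access":
            export = asdict(sub)
            export.pop("legal_hold_reason")  # internal processing note, not the subject's data
            self._log(email, "data_exported", fields=sorted(export))
            # JSON is a common, machine-readable format the subscriber can take elsewhere.
            return {"status": "exported", "data": export, "json": json.dumps(export, indent=2)}
        if req.kind == "erasure":
            if sub.legal_hold_reason:
                # Lawful grounds can block deletion; record the reasoning as the article advises.
                self._log(email, "erasure_refused", reason=sub.legal_hold_reason)
                return {"status": "refused", "reason": sub.legal_hold_reason}
            del self.subscribers[email]
            self._log(email, "erased")
            return {"status": "erased"}
        return {"status": "unsupported_request_kind"}

    def overdue_requests(self, now: datetime | None = None) -> list[str]:
        """Addresses whose pending request has passed its deadline, for a daily check."""
        now = now or datetime.now(timezone.utc)
        return sorted(email for email, req in self.pending.items() if now > req.deadline)
```

The token is hashed before storage so a copy of the pending-request table cannot be used to complete someone else's request, and unknown addresses get the same outward response as known ones so the request form does not double as a way to test whether an address is on your list. The audit log is what you would hand over to show how and when each request was handled.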
Remember: the tips above are not meant to be legal advice and are in no way a comprehensive standard for ensuring your email marketing program is in compliance with the GDPR.