What is General Data Protection Regulation (GDPR)?


Mayur Joshi (http://www.mayurjoshi.com)

Mayur Joshi is a forensic accounting evangelist based in Pune. He regularly contributes to Regtechtimes. He is a forensic accounting and financial crimes evangelist in India who was instrumental in designing India's first certification program in Anti Money Laundering. He is the author of 7 books on financial crimes and compliance subjects.

GDPR came into effect in all European Union countries on 25 May 2018. It was created with the objective of giving people in the EU greater control over their personal data. The law is widely discussed because the penalties for non-compliance are large and regulators have started to impose them.

What does GDPR stand for ?

GDPR stands for General Data Protection Regulation.

Personal data means any information relating to an identified or identifiable natural person, that is, anyone who can be identified directly or indirectly from the information, alone or combined with other data.

With this in mind, email addresses, profession, age, and gender all come under the umbrella of personal data for the purposes of the data privacy law. I will answer the question in three parts: first what GDPR is all about, then its consequences for email marketing, and finally some actionable steps you can take to become compliant with the law.

What are the 7 principles of GDPR?

Before we get into the details of compliance it is necessary to understand the GDPR requirements. The regulation requires any business that collects personal data, for transactions or otherwise, to protect it and to process it only in line with the following principles (Article 5):

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

These principles are the base of the privacy law. The law has teeth: even companies like Google have faced regulatory action, and the UK Information Commissioner's Office fined British Airways and Marriott over data breaches that occurred in 2018.

What is GDPR Compliance?

Let's talk about what this law is all about before we tackle how it affects email marketing. Under the regulation, controllers (the businesses that decide why and how data is used) and processors (the service providers and subcontractors that handle it on their behalf) are accountable for any personal data they handle. This means that they must clearly communicate to customers how they plan to use their personal data. They must also be transparent about the customer's rights, such as the right of access, rectification, erasure, and restriction of processing. Any contact should be able to unsubscribe easily and to request erasure of their personal data, which must be acted on without undue delay.

At the same time businesses must take preventive measures to protect the personal data of their clients. Businesses are now required to notify the supervisory authority of a personal data breach, and to inform the affected individuals when the breach is likely to put them at high risk. A business found to be in violation faces administrative fines in two tiers: up to 10 million euros or 2% of worldwide annual turnover for the lower tier, and up to 20 million euros or 4% of worldwide annual turnover for the upper tier, whichever is higher in each case. The full text is published as Regulation (EU) 2016/679.

Who is Responsible for GDPR Compliance in the Organization?

This privacy law mandates that certain organisations appoint a data protection officer (DPO) to oversee compliance. The requirement applies in the following cases (Article 37):

  • Public authorities and bodies
  • Organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale
  • Organisations whose core activities consist of large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions and offences

Now that we have a better understanding of what the regulation is and how it affects businesses, a word on its scope and on enforcement before we turn to email marketing.

Who Does GDPR apply to?

GDPR applies to all businesses and organisations established in the EU, regardless of whether the data processing takes place in the EU. It also applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. Non-compliance with the data protection law has resulted in significant penalties. We at Regtechtimes have compiled some instances of non-compliance and penalties:

  1. Amazon faces the highest fine for non-compliance to date
  2. WhatsApp fined 225 million euros
  3. British Airways fined 20 million pounds

Additionally, we have created a small reference document for the website owners to comply with the provisions of this new enactment on data privacy. Here is an exhaustive checklist for small operators.

Consequences of email marketing

  1. Opting in: The most important thing for email marketers to keep in mind is the definition of consent. Consent to the processing of personal data must be given through a clear affirmative action (opt-in, as opposed to opt-out or passive opt-in). Businesses must also be able to prove that each contact opted in. This is the end of passive opt-ins: a pre-ticked box, or a form where the opt-in is the default, does not count as consent.
  2. Opting out: You can no longer keep using the data of contacts who have unsubscribed or otherwise withdrawn their consent.
    In other words, you can only legally use lists that are 100% opt-in, and only if you can prove it. This is why most email service providers ask for explicit consent, which may mean re-confirming the consent of your existing contacts.
  3. Profiling: Profiling is the automated processing of personal data to analyse, evaluate or predict a person's characteristics. The law gives people the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them, and the right to object at any time to profiling for direct marketing. You can still use marketing automation workflows, provided that you:
    1. Notify your contacts that profiling takes place
    2. Give your contacts the option to object to the profiling upfront

Moving on to the final part of the answer, which covers some actionable steps you can take, if you have not taken them already, to become GDPR compliant. In an interesting enforcement case in Italy, complaints about unsolicited telemarketing calls were the basis of a large fine on Enel Energia.

What is protected by the GDPR?

This law protects the personal data of people in the European Union (EU) and affects any organisation that stores or processes their personal data, even one with no business presence in the EU. Even a person's job title can be personal data under the law when it identifies them.

How to become compliant?

  1. Evaluate whether your current list is compliant with GDPR
    • Did your contacts give their consent through opt-in forms?
    • Purpose of the consent: you cannot use the data for purposes other than those the user consented to
    • Did you keep precise and secure records of all the opt-ins you received (who, when, from which form, for what purpose)?
    • For online services offered directly to children, a child below 16 (member states may lower this to 13) cannot consent alone; consent must be given or authorised by the holder of parental responsibility. Review your data to identify such contacts and check that parental authorisation is on record.
  2. Make sure you are respecting your customers' rights: do you have procedures that give users up-to-date access to their own personal data? Here are some things to consider:
    • Review your privacy notice for the opt-in form and make sure users are told how you plan to use their data.
    • Set up a form, contact page, or link in your newsletter that makes it easy for contacts to request a copy of, or a correction to, their personal data. The personal data on your server is the individual's, not yours.
    • Set up a process for contacts to easily object to profiling or automated decisions.
    • Make sure your work tools are GDPR compliant.
    • The law places a shared responsibility on businesses (controllers) and their service providers (processors); a processor may only act under a written contract with the controller. To avoid penalties, you should:
        • Make a list of all the cloud services that host your customers' personal data on their servers.
        • Ask each of them whether they are GDPR compliant and put a data processing agreement in place.
        • Re-evaluate your relationship with any tool that is not compliant with the law.
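The email-marketing consequences above (affirmative opt-in, proof of consent, purpose limitation, opt-out) and the checklist items for consent records and children's consent can be made concrete in code. The following is an added example, not code from the article or from any vendor it mentions: a small double opt-in consent ledger in which a record is created when the form is submitted but only becomes usable once the contact clicks an HMAC-signed confirmation link. The class, method and field names, the signing key and the sample addresses are all assumptions made for the illustration.

```python
"""Double opt-in consent ledger (illustrative, not from the original article).

A form submission creates an unconfirmed record and returns a signed token.
Only a record confirmed with that token licenses use of the address, and only
for the purposes the contact actually agreed to.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Assumption: a per-deployment secret. In production load it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
CHILD_AGE_LIMIT = 16  # GDPR Art. 8 default; member states may lower it to 13


@dataclass
class ConsentRecord:
    """Evidence of one affirmative opt-in: who, when, from where, which form
    text was shown, and for which purposes."""
    email: str
    purposes: Set[str]
    form_version: str
    source_ip: str
    requested_at: datetime
    confirmed_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def _token(self, email: str, requested_at: datetime) -> str:
        # HMAC over address and timestamp: only the ledger can mint a valid link.
        msg = f"{email}|{requested_at.isoformat()}".encode()
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def request(self, email: str, purposes: Iterable[str], form_version: str,
                source_ip: str, *, preticked: bool = False,
                age: Optional[int] = None,
                parental_authorisation: bool = False) -> str:
        """Record a form submission and return the confirmation token."""
        purposes = set(purposes)
        if preticked:
            raise ValueError("a pre-ticked box is not affirmative consent")
        if not purposes:
            raise ValueError("consent must be tied to at least one stated purpose")
        if age is not None and age < CHILD_AGE_LIMIT and not parental_authorisation:
            raise ValueError("a child's consent needs parental authorisation")
        now = datetime.now(timezone.utc)
        self._records[email] = ConsentRecord(email, purposes, form_version, source_ip, now)
        return self._token(email, now)

    def confirm(self, email: str, token: str) -> bool:
        """The contact clicked the link: verify the token in constant time."""
        rec = self._records.get(email)
        if rec is None:
            return False
        if rec.confirmed_at is not None:
            return True  # idempotent: a second click is harmless
        if not hmac.compare_digest(self._token(email, rec.requested_at), token):
            return False
        rec.confirmed_at = datetime.now(timezone.utc)
        return True

    def may_use(self, email: str, purpose: str) -> bool:
        """Purpose limitation: confirmed consent, and for this purpose only."""
        rec = self._records.get(email)
        return rec is not None and rec.confirmed_at is not None and purpose in rec.purposes

    def withdraw(self, email: str) -> bool:
        """Opt-out or erasure request: the marketing record is deleted outright."""
        return self._records.pop(email, None) is not None

    def proof(self, email: str) -> Optional[dict]:
        """The evidence a regulator would ask for; None if consent is unproven."""
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is None:
            return None
        return {"email": rec.email, "purposes": sorted(rec.purposes),
                "form_version": rec.form_version, "source_ip": rec.source_ip,
                "requested_at": rec.requested_at.isoformat(),
                "confirmed_at": rec.confirmed_at.isoformat()}

    def unproven(self) -> List[str]:
        """Addresses that never completed double opt-in: do not mail these."""
        return sorted(e for e, r in self._records.items() if r.confirmed_at is None)


if __name__ == "__main__":
    # Constructed sample data, not real contacts.
    ledger = ConsentLedger()
    tok = ledger.request("alice@example.com", {"newsletter"}, "signup-v3", "203.0.113.7")
    print("before confirm:", ledger.may_use("alice@example.com", "newsletter"))
    ledger.confirm("alice@example.com", tok)
    print("after confirm:", ledger.may_use("alice@example.com", "newsletter"))
    print("other purpose:", ledger.may_use("alice@example.com", "profiling"))
    print("proof:", ledger.proof("alice@example.com"))
```

The design choice worth noting is that the lawful basis is the confirmed record, not the address being on a list: a list export that cannot be joined back to a confirmed record (the `unproven()` addresses) is exactly the part of the list the article says you can no longer mail, and a purpose the contact never ticked fails `may_use` even though their address is held.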

How do I become a GDPR Professional?

In order to comply, it is necessary to understand the various provisions of the GDPR and their interpretations. Certified GDPR Professional is one of the best certifications on this subject. Regtechtimes Academy offers this course in association with Riskpro Learning. The academic team of Regtechtimes has posted numerous resources about this regulation, which are helpful in gaining insight. Additionally, there is a prep course built around this certification that provides an exhaustive set of practice questions to help candidates prepare for the certification and, ultimately, for a DPO role.

Who can be a data protection officer under GDPR?

The data protection officer may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract. The controller or processor must publish the contact details of the data protection officer and communicate them to the supervisory authority. A GDPR qualification is always helpful for aspiring DPOs.
