Written by Femke van Zelst
The GDPR (General Data Protection Regulation) affects virtually all digital marketing activities, including email marketing. From 25 May 2018 onwards, every contact you send commercial emails to must have been obtained and stored in compliance with this legislation. In this blog we tell you what you, as an email marketer, need to know about the GDPR.
The GDPR entered into force in May 2016, but has only been enforced since 25 May 2018. It replaces the previous data protection legislation and applies to every company that processes the personal data of people in the EU. From 25 May 2018 onwards, companies must be able to demonstrate a lawful basis for processing a data subject’s personal data, for example that they hold the data subject’s consent.
From 25 May 2018 onwards, the consent you rely on must be far more specific whenever your organisation works with personal data, that is, information that can be traced back to an individual person. Consent must be freely given, specific, informed and unambiguous, and you must be able to prove that it was given.
The definition of ‘personal data’ is sharpened with the introduction of the GDPR. Personal data is ‘any information relating to an identified or identifiable natural person’. As soon as it is possible to identify someone, you are dealing with personal data. When processing personal data, a distinction can be made between non-anonymous (directly identifying) personal data, pseudonymous personal data and anonymous data.
Non-anonymous personal data: data relating to an identified or identifiable person. Examples: name, address, city, phone number, email address, IP address, date of birth and location data.
Pseudonymous personal data: data that cannot be traced back to a natural person without additional information, but can still be individualised. Examples: a hashed email address, order number, customer number and username. Encrypting personal data is also a form of pseudonymisation. Note that pseudonymous data is still personal data: whoever holds the additional information (the key, the customer table, or simply a list of candidate email addresses to hash and compare) can re-identify the person, so the GDPR applies to it in full.
Anonymous data: if identification is not possible and cannot be made possible, the data no longer counts as personal data. Anonymous data falls outside the scope of the GDPR.
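Why a hashed email address counts as pseudonymous rather than anonymous is easiest to see in code. The following Python example is added here and is not part of the original post: it hashes addresses from a constructed sample list, then shows that anyone holding a list of candidate addresses can undo a plain SHA-256 pseudonym by hashing and comparing, while a keyed hash (HMAC-SHA256, used here as an assumed alternative comparable to the encryption the text mentions) resists that unless the key is known. Even in the keyed case the data remains personal data for whoever holds the key. The sample addresses and the key are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample data (not from the original post): a small mailing list.
SUBSCRIBERS = ["Alice@Example.com", "bob@example.org", "carol@example.net"]


def normalise(email: str) -> bytes:
    """Canonicalise before hashing so the same mailbox always gives the same pseudonym."""
    return email.strip().lower().encode("utf-8")


def pseudonymise(email: str, key: Optional[bytes] = None) -> str:
    """Turn an address into a pseudonym.

    key=None  -> plain SHA-256, the usual meaning of 'hashed email address'.
                 Deterministic and unkeyed: anyone who knows or can guess an
                 address can recompute the hash.
    key=bytes -> HMAC-SHA256 with a secret key (assumed here as the keyed
                 alternative, comparable to the encryption the text mentions).
                 Without the key a candidate list no longer helps.
    """
    data = normalise(email)
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, candidates: Iterable[str],
               key: Optional[bytes] = None) -> Optional[str]:
    """The 'additional information' that undoes the pseudonym.

    For an unkeyed hash that information is merely a list of candidate
    addresses: hash each one and compare (a dictionary attack). For a keyed
    hash it is the key itself, which is why the data remains personal data
    for whoever holds that key.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate, key), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    secret = b"example-key-kept-out-of-the-marketing-database"  # constructed
    unkeyed = pseudonymise("bob@example.org")
    keyed = pseudonymise("bob@example.org", secret)
    print("unkeyed hash re-identified as:", reidentify(unkeyed, SUBSCRIBERS))
    print("keyed hash without key:", reidentify(keyed, SUBSCRIBERS))
    print("keyed hash with key:", reidentify(keyed, SUBSCRIBERS, secret))
```

The practical consequence for a marketer: a SHA-256 hash of an email address shared with an ad platform or a partner is trivially linked back by anyone who already holds that address, so it must be handled as personal data, with a lawful basis and a retention period, exactly like the plain address.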
The data subject, i.e. the person whose data is processed, is given additional rights under the GDPR. We discuss two of them below.
Data subjects have the right to ask a company to erase their data (the ‘right to be forgotten’). From 25 May 2018 onwards, they can also require the company to pass that erasure request on to every other party the company has shared the data with.
Data subjects also have the right (under certain circumstances) to receive their personal data from a company in a structured, commonly used and machine-readable format, so that they can take it to another provider (the right to data portability).
A double opt-in is not required: the GDPR only regulates data processing, not the email channel as such. Since Dutch legislation was already fairly strict, the GDPR changes little in this respect for companies that already complied with the previous Dutch rules.
This is what the GDPR says about the e-mail opt-in:
If you acquired the email addresses legitimately and documented this properly, there is no reason to panic. If not, there is work to be done. You have two options:
We consider option 1 very drastic, which is why we prefer option 2. Below we explain how to obtain valid opt-ins through a Permission Passing Campaign: you email your database asking whether the recipients still wish to receive your emails. The recipient gives permission by clicking a button in the email. When you record that click in your database (who consented, when, and to what), the opt-in counts as valid and you can demonstrate it later.
Profiling is the automated processing of personal data in order to evaluate and predict a person’s behaviour. Profiling is still allowed, but there are requirements you have to meet to safeguard the rights of the data subject. Firstly, you need explicit consent for profiling: a specific form of consent in which the action is unambiguously aimed at granting permission, such as ticking a dedicated, unticked box. You must also inform the data subject that you are profiling, explain the basic logic behind it, and explain its significance and consequences. Finally, you must tell the data subject that they can respond to the profile you have created and add their own information to it, and you must be able to facilitate that in practice.
A record of processing activities is an overview of all the personal data processing your organisation performs. It covers not only processing for your own organisation, such as employee administration, but also the processing of clients’, prospects’ and contacts’ personal data. That is why creating such a record is relevant for an email marketer. The record documents the purposes for which personal data is processed, the risks that come with the processing, and the security measures taken to protect the personal data.
The answer is: yes! From 25 May 2018 onwards you are required to keep a record of processing activities covering structural processing, such as your database of clients, prospects and contacts. (The exemption for organisations with fewer than 250 employees does not apply to processing that is more than occasional, which an ongoing marketing database is.) Without such a record you are not compliant with the GDPR and risk sanctions, so make sure you create one.
A Data Protection Officer (DPO) is an internal or external compliance officer for privacy legislation within an organisation. Appointing a DPO is mandatory for specific organisations, or when certain types of personal data processing are carried out. Three types of organisations are required to appoint a DPO:
Under the previous Dutch Personal Data Protection Act you had to notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) when processing personal data. Under the GDPR, that notification is replaced by the documentation requirement: as a controller or processor you must document all data processing taking place within your organisation, how you carry it out, and how you safeguard the rights of the data subjects. You must be able to show that you have taken the appropriate technical and organisational measures and that you comply with the regulation.
Under the GDPR, you may process personal data on the basis of a legitimate interest, where the processing is necessary for that interest. This is only allowed if the fundamental rights and freedoms of the data subject do not override your interest, so you must be able to show that your purpose is not outweighed by the interests of the data subject (a balancing test worth documenting in your record of processing activities). The GDPR explicitly states that processing personal data for direct marketing purposes can be a legitimate interest. A web shop, for instance, may have a legitimate interest in using an email address for targeted offers. This is no longer allowed once the data subject objects: the right to object to direct marketing is absolute and must be honoured without further balancing.
If you do not meet the GDPR requirements by 25 May 2018, you risk a fine. A distinction is made between upper-level and lower-level infringements.
For upper-level infringements, fines of up to 20 million euros or 4% of global annual turnover (whichever is higher) can be imposed. Upper-level infringements include:
For lower-level infringements, fines of up to 10 million euros or 2% of global annual turnover (whichever is higher) can be imposed. Lower-level infringements include:
Indeed there is! A few things are listed for you below.
We hope that this blog has answered your most important questions concerning the GDPR. If you have any questions, please contact us.