The General Data Protection Regulation, or GDPR, is the European regulation that came into force on 24 May 2016 with penalties being applied from 25 May 2018. The law’s primary goals are to harmonise data processing policies across Europe, protect the data of European citizens, and redefine the data processing rules in companies.
While 60% of marketers are now on course for GDPR readiness, the rest are either behind in their preparations, or don’t possess a solid plan, which is highly worrying. It appears that a lot of organisations are resting on their laurels, with research suggesting that as Brexit looms, marketers no longer need to do anything. This is a dangerous approach.
This regulation will be enforced long before Brexit becomes a reality, with the Great Repeal Bill ensuring GDPR will be signed into British law regardless. In fact, the British government is moving forward with its own Data Protection Bill, which will extend GDPR even further by forcing social media companies to remove a user’s posts if they’re under 18, when requested.
With such laws coming into place in the near future, it’s more vital than ever for marketers to understand the implications of the regulation and, in particular, the stamp it will leave on email marketing. Marketers need to understand the impact GDPR will have on their email campaigns and which practices should be adopted to avoid penalties.
What’s new?
GDPR sets a high standard for consent, which will have a huge impact on the marketing industry. Consent means customers will need to be given genuine choice and control over how their data is handled. Transparency, in general, is long-recommended as best practice, but under GDPR this will be enforced.
Who’s affected?
The truth is, the impact of GDPR is far-reaching. It affects every company located in Europe or present in the European market that collects, processes and stores personal data from EU residents. That means whether you’re a European-based company, or a US firm with offices and customers in Europe, you’ll need to adopt new practices to ensure full compliance with this regulation – or face the regulators’ wrath.
According to the DMA, 64% of marketers feel their organisation will be ‘very’ or ‘extremely’ affected by GDPR, and they’re not wrong. Marketing teams will be the first to feel the force of these new changes, as they’re one of the main players when it comes to data processing in companies. Data collection and processing strategies will have to be unambiguous and communicated to all users and subscribers. In other words, it will be prohibited to collect and use the email address of a third party without his or her clear consent.
Many companies will also have to appoint a data protection officer (DPO), who’ll be responsible for informing and advising the person in charge of data processing, as well as monitoring the company’s compliance with the new regulation. Public sector enterprises will be especially affected by this measure.
What information is considered as personal data?
Article 4.1 of the regulation defines personal data as “any information relating to an identified or identifiable individual”. So, any information capable of identifying a person, whether directly or once cross-linked with other data, will be considered as constituting personal data. This has already posed important questions around whether practices such as retargeting, behavioural tracking, abandonment emails, and the storing of IP address information will continue to be lawful.
What are the repercussions of non-compliance?
To put it bluntly, the penalties could be devastating. Not only will poor data handling reflect badly on the company and its reputation, leading to a lack of customer trust, but regulators will have the capability to award eye-watering fines of up to 4% of a company’s annual turnover or €20m, whichever is higher. The ICO is taking a tougher stance on data protection non-compliance, and will be looking for brands to make an example of. For any company, this could be hugely damaging.
In the instance of GDPR, knowledge certainly is power for email marketers, and it’s key they learn as much as they can about the regulation before its rollout in 2018. This can enable them to navigate the requirements of the regulation to avoid penalisation and even reap the benefits of it. With 39% of marketers believing that GDPR will improve their customer offering, it’s no surprise brands are already learning how to harness email consent so that it’s engaging, while respecting consumer privacy. Ultimately, it is possible for marketers to make the most of GDPR, while also abiding by it.