If you pay attention to the web and security measures, then no doubt you have heard about the EU’s General Data Protection Regulation (GDPR). The GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Many American businesses are wondering how it will affect them.
What every company that does business in the US needs to know about GDPR
While this law only actually applies to members of the European Union, it is still going to affect those that do business on this side of the pond thanks to our global economy. For example, if you have anyone on your email marketing list that is in the EU, then it is important to be aware of the regulations.
Overview of the GDPR
GDPR regulates how organizations gather, store, examine and use personal data. The official website explains that it “was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
Beginning on May 25th, all companies in the EU need to provide a high level of data security or they could be fined up to $25 million. While this law only covers EU citizens, any company that stores EU citizens’ data can be fined.
How the GDPR Affects Marketing
1. Processing and Storing Data
You need to store data in a way that is transparent, meaning the collection and its purpose must be clearly specified to, and agreed to by, the EU citizen. If the data is lost or stolen and it is found that it was not properly protected, you are at fault.
Individuals need to give their consent to be on your email marketing list. This means there needs to be a clearly defined sign-up.
3. Right to Access
If an EU citizen requests it, you are required to provide them with all of the personal data that you have stored on them. You are also required to explain how it is being used.
4. Right to be Forgotten
If an EU citizen does not want you to store any data on them, you are required to delete all data you have on them immediately.
5. Data Breaches
You are required to announce and report any data or security breaches within 72 hours.
6. Data Protection Officers
If you store a lot of data on EU citizens, you are required to hire a data protection officer.
GDPR Checklist for Email Marketing
- Make sure you have consent to collect and use individuals’ personal data
- Keep a record of individuals’ personal data, which they can change or update
- In every email you send, make it clear how and why you got their address, who you are, and why you’re contacting them
- Provide a double opt-in
- During the opt-in process, set expectations so they know how often they’ll be hearing from you (e.g. weekly or monthly)
- Include an opt-out option in each and every email communication
- Don’t buy lists or use lists from others
- If you’re targeting anyone under 16, create a system for collecting parental consent
- Add a check-box in your opt-in form for individuals to indicate they’re older than 16
- Only require the information you need (e.g. email address)
- Be able to erase all data about an individual should they request it
- Erase users’ personal information when the service or agreement ends, or if they revoke their consent
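The checklist above describes a process, not code, so here is an added example (written for this page, not taken from the article or any vendor) of what the consent side of an email list looks like when implemented: a double opt-in with a signed confirmation token, a consent record that captures where the address came from and what cadence the subscriber was promised, an opt-out that withdraws consent, a right-to-access report, and erasure on request. The class and method names, the in-memory store and the signing key are all assumptions for illustration; a real system would persist the records, load the key from a secret store and expire unused tokens.

```python
"""Added example: a minimal consent ledger for an email marketing list.
Everything here (ConsentLedger, ConsentRecord, SIGNING_KEY) is constructed
for illustration and is not from the original article."""
import hashlib
import hmac
import secrets
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed demo key; a real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-demo-signing-key"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    """Everything held about one subscriber, so it can be shown on request."""
    email: str
    source: str                           # where the address came from (form URL, event)
    frequency: str                        # cadence the subscriber was told to expect
    requested_at: str
    confirmed_at: Optional[str] = None    # set only after the double opt-in link is used
    withdrawn_at: Optional[str] = None    # set when the subscriber opts out
    history: List[str] = field(default_factory=list)  # audit trail of consent events


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def _token(self, email: str, nonce: str) -> str:
        # Stateless confirmation token: random nonce plus an HMAC binding it to the address.
        mac = hmac.new(SIGNING_KEY, f"{email}|{nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{nonce}.{mac}"

    def request_opt_in(self, email: str, source: str, frequency: str,
                       over_16: bool, parental_consent: bool = False) -> str:
        """Step 1 of double opt-in: record the request and return the token to send
        in the confirmation email. The address is NOT mailable until confirm() succeeds."""
        if not over_16 and not parental_consent:
            raise ValueError("under-16 sign-up requires recorded parental consent")
        rec = ConsentRecord(email=email, source=source, frequency=frequency, requested_at=_now())
        rec.history.append(f"{rec.requested_at} opt-in requested via {source}")
        self._records[email] = rec
        return self._token(email, secrets.token_urlsafe(16))

    def confirm(self, email: str, token: str) -> bool:
        """Step 2 of double opt-in: verify the token from the confirmation link."""
        rec = self._records.get(email)
        if rec is None or "." not in token:
            return False
        nonce, _ = token.rsplit(".", 1)
        expected = self._token(email, nonce)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        rec.confirmed_at = _now()
        rec.history.append(f"{rec.confirmed_at} opt-in confirmed")
        return True

    def can_email(self, email: str) -> bool:
        """Only confirmed, non-withdrawn addresses may receive marketing email."""
        rec = self._records.get(email)
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def access_report(self, email: str) -> Optional[dict]:
        """Right to access: return every field held, or None if nothing is held."""
        rec = self._records.get(email)
        return asdict(rec) if rec else None

    def withdraw(self, email: str) -> None:
        """Opt-out link handler: consent is withdrawn; the record stays as proof until erased."""
        rec = self._records.get(email)
        if rec and rec.withdrawn_at is None:
            rec.withdrawn_at = _now()
            rec.history.append(f"{rec.withdrawn_at} consent withdrawn")

    def erase(self, email: str) -> bool:
        """Right to be forgotten: drop everything held; True if a record existed."""
        return self._records.pop(email, None) is not None
```

The token is verified with `hmac.compare_digest` rather than `==`, and the record keeps a dated history so you can show when consent was asked for, given and withdrawn. Because the token is stateless, it stays valid until confirmed; a production version would add an expiry to the signed payload.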
How the GDPR Affects Media Relations
If you have already built a relationship with a reporter or media contact in the EU, or they initiate the conversation, then you can correspond by email. But if you do not already have that contact, you cannot initiate the conversation through email. Sending unsolicited emails is restricted – even to reporters.