The EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018. It defines how companies and organisations may collect, use and protect the personal data of individuals in the EU (not only EU citizens: anyone located in the EU whose data you hold).
At The Refinery, we’ve taken steps to ensure our own compliance, and we’ve taken proactive steps for many of our clients as well.
GDPR is a new law which replaces the 1995 EU Data Protection Directive. It was created to strengthen the protection of personal data and the rights of individuals. Once in effect, GDPR will be the single set of rules governing the handling of personal data across the EU.
Almost certainly, GDPR applies to you. Even if you aren’t based in the EU, if you hold or process any personal data about an individual in the EU (a customer on your mailing list is enough), this law applies to you. Even if you don’t think it affects you, we recommend that you meet its requirements anyway.
Your situation is unique, and you need to evaluate your own needs. To begin, I suggest working through the 12-step preparation guide published by the UK Information Commissioner’s Office (ICO).
If you would like help or advice, please contact us for a free discussion about how GDPR affects you.
When it comes to marketing, there are three general areas of concern: data permission, data access and data focus.
Data permission is about how you control opt-in to your promotional lists. A person must take an affirmative action to agree to be contacted by you for promotional reasons. This can be as simple as a checkbox on a sign-up form that clearly states they are agreeing to receive offers. That checkbox must be unchecked by default, so the user has to tick it themselves; under GDPR a pre-ticked box, silence or inactivity does not count as consent. Keep a record of when each person consented, where the consent came from and the wording they agreed to, because you may be asked to demonstrate it.
One place to be extra careful is referral programmes, such as a “refer a friend” scheme where someone on your list types a friend’s email address into a box and opts them in on their behalf. In this scenario you may send the friend one email asking them to opt in, but you cannot simply add them to the list and start sending without their own consent.
The Court of Justice of the European Union established the “right to be forgotten” in its 2014 Google Spain ruling, and GDPR writes it into law as the right to erasure. In plain terms, an individual has the right to contact you and ask for their personal data to be deleted, and for marketing data held on the basis of their consent you will normally have to comply.
For promotional emails, withdrawing consent is largely handled by an unsubscribe link or a preference centre where users manage their email settings. Be aware that unsubscribing only stops the mailings; it does not delete the person’s data. An erasure request needs a separate process that actually removes their records from your systems, including anywhere the address was copied (such as a pending referral invite).
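The opt-in, referral and erasure rules above, worked through in code. This is an added example for this post, not code from The Refinery or any mailing-list product; the in-memory data model, the form field name `marketing_opt_in`, the function names and the sample addresses are all assumptions for illustration.

```python
"""Marketing-list consent handling: explicit opt-in, referral invites, erasure.

Added example, not The Refinery's code. Data model, field names and
function names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import secrets


@dataclass
class ConsentRecord:
    email: str
    source: str           # where consent came from, e.g. "signup-form"
    consent_text: str     # the exact wording the person agreed to
    granted_at: datetime  # when they agreed (UTC)
    active: bool = True   # False once the person unsubscribes


# Wording shown beside the (unticked) checkbox; stored with each consent record.
OPT_IN_TEXT = "Yes, send me offers and news by email."


def explicit_opt_in(form: dict) -> bool:
    """True only if the checkbox was actively ticked.

    An unchecked HTML checkbox is simply absent from the submitted form, so a
    missing or falsy field means "no consent"; there is no default of "yes".
    """
    return form.get("marketing_opt_in") in ("on", "true", True)


class MarketingList:
    def __init__(self) -> None:
        self.subscribers: dict[str, ConsentRecord] = {}
        # invite token -> (friend address, referrer address); both are personal data
        self.pending_invites: dict[str, tuple[str, str]] = {}

    def signup(self, form: dict) -> bool:
        """Process a sign-up form. Returns True only if the address joined the list.

        The customer account can still be created when this returns False;
        only the promotional mailing is gated on consent.
        """
        email = form["email"].strip().lower()
        if not explicit_opt_in(form):
            return False
        self.subscribers[email] = ConsentRecord(
            email=email, source="signup-form", consent_text=OPT_IN_TEXT,
            granted_at=datetime.now(timezone.utc))
        return True

    def refer_friend(self, referrer: str, friend: str) -> str:
        """Refer-a-friend: issue a single-use invite token instead of adding the friend.

        The friend is NOT put on the list. The token goes into one email that
        asks them to opt in themselves; nothing else is sent until they do.
        """
        token = secrets.token_urlsafe(16)
        self.pending_invites[token] = (friend.strip().lower(), referrer.strip().lower())
        return token

    def accept_invite(self, token: str) -> bool:
        """Called when the friend clicks the opt-in link. Returns True on success."""
        entry = self.pending_invites.pop(token, None)  # single use: gone after one click
        if entry is None:
            return False
        friend, referrer = entry
        self.subscribers[friend] = ConsentRecord(
            email=friend, source=f"referral-confirmed:{referrer}",
            consent_text=OPT_IN_TEXT, granted_at=datetime.now(timezone.utc))
        return True

    def unsubscribe(self, email: str) -> bool:
        """Withdraw marketing consent: stop mailing, keep the record as proof."""
        rec = self.subscribers.get(email.strip().lower())
        if rec is None:
            return False
        rec.active = False
        return True

    def erase(self, email: str) -> bool:
        """Right-to-erasure request: delete the person's data everywhere it was
        copied, including pending invites that name them as friend or referrer.
        Returns True if anything was removed."""
        email = email.strip().lower()
        removed = self.subscribers.pop(email, None) is not None
        for token, (friend, referrer) in list(self.pending_invites.items()):
            if email in (friend, referrer):
                del self.pending_invites[token]
                removed = True
        return removed

    def mailable(self) -> list[str]:
        """Addresses that may currently receive promotional email."""
        return sorted(e for e, r in self.subscribers.items() if r.active)
```

The distinction between `unsubscribe` and `erase` is the point: an unsubscribe keeps a record (which is how you prove the person is no longer being mailed), while an erasure request must actually remove the data, including copies such as the referrer's address sitting in an unsent invite.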
We like to collect data about our customers in order to understand them better and target our messaging. But we need to be much more careful about this going forward.
GDPR requires a lawful basis for every piece of personal data you process, and it requires data minimisation: collect only what you actually need for a stated purpose. In practice, this means you need to stop asking for data you don’t use. For example, if you are an online shoe retailer, asking for and saving a customer’s shoe size is perfectly okay. Asking for their favourite movie probably is not.
Our recommendation is to avoid collecting “nice to have” data and stick to what is directly relevant to the business.