In May last year, the European Union enacted a piece of legislation called the European Union Data Protection Regulation that governs the privacy and the data of EU citizens
Not based in the EU? You might be under the impression it does not apply to you, but you would be wrong. The EU GDPR applies to any business or individual anywhere in the world that collects, processes, or stores the data of EU citizens. For example, if you are in America and you have some French clients, even if they also live in America, you are bound to abide by the EU rules or risk a huge fine. If you are in Albania and have some people on your mailing list that are citizens of Italy, then again, you are bound by the rules of GDPR.
So what exactly does the regulation entail? And how can you protect yourself?
Most businesses use mailing lists to keep their clients up to date with information, offers, and services, but with GDPR you need to be very careful about who you contact and why. You need to do a full audit of your mailing list and be able to prove that you have two examples of consent for each individual on it- the consent should specify that they knew they were being added to a marketing list. You also need to have information including that individuals full name and location.
Going forward, for consent to be validated under GDPR the individual must actively opt into to mailing list inclusion. You cannot use pre-checked boxes or automatic consent. In addition to this, such consent requests must be separate from any other Ts&Cs and you cannot restrict services provided based on refusal to accept. You also need to make it very easy for people to withdraw consent, with no penalty and you need to provide clear instructions on every communication, of how they can do it.
Remember, unless you have a paper trail of evidence proving that the individual specifically opted into being included on your mailing list, you need to remove them immediately and cease all unsolicited communications.
There are several things to take into account when ensuring that your website is GDPR compliant. First of all you need to update your contact form to advise your visitors why you want their information and what you will do with it. You also need to add one tick box for users to confirm that they accept the terms and conditions of your website and agree to be contacted, and another to confirm that they agree to be sent marketing materials.
Your customers also have the right to be forgotten and should they request, you are obliged to delete all of their information, personal data, and any other data pertaining to them. You need to respond to such requests in a timely manner and provide evidence of their removal. They can also ask for corrections or amendments to any data you hold, and you are obliged to comply.
Failure to comply with GDPR is not an option and there are tough penalties applicable to any business that is found to not be complying. Fines include 4% of annual global revenue or EUR 20 million, whichever is greater. More and more citizens are becoming GDPR savvy and the EU has noted a big increase in the number of reports being made to them over the last six months.
GDPR might sound scary and complicated but the reality is that it is designed to help improve privacy and the personal information of EU citizens. It’s introduction has driven forward a number of changes in policies across the world, resulting in improved best practices when it comes to clients and managing their data. Whilst you might not like to delete half of your mailing list, remember that by ensuring people opt in, you are creating quality contacts and not being relegated to the Spam folder.
To find out more about GDPR and how to protect yourself whilst being compliant in 2019, you can read more here.