The GDPR is coming. Do you know where your data is?
While the Cambridge Analytica Facebook news is all over every news channel and sensationalized up and down, the GDPR (General Data Protection Regulation) has gotten relatively little attention in the mainstream.
Which is too bad because…uh, you guys, it’s kind of a big deal.
It’s a big deal for big businesses. It’s a big deal for small businesses.
Businesses worldwide need to make changes to how they collect, store, and monitor data of all types.
So let’s talk about what the GDPR is, what communications pros need to know, and prepare you with a checklist.
What is the GDPR?
The GDPR will go into effect May 25, 2018. The European Parliament and European Council developed it to replace the 1995 Data Protection Directive.
According to the official GDPR website, it was designed to:
Harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
It’s the regulatory muscle to enforce longstanding governmental guidance about how EU member states handle data privacy.
It is an unprecedented level of regulatory oversight and requires companies to ensure an extremely high level of data protection or suffer large financial penalties.
And when we say large financial penalties, we mean LARGE.
GDPR fines are up to €20 million (about $24.5m) or four percent of your global annual turnover.
Who Does the GDPR Affect?
If you offer goods or services to influence or monitor citizens of the EU, you must follow the data privacy regulations of the GDPR.
That means all companies, in all geographies that process or hold personal data of people living in the European Union.
What Do GDPR Protections Include?
The GDPR focuses on giving consumers control of their data.
To be GDPR compliant, an organization must not only protect consumer data but also provide many simple ways for consumers to control, monitor, check, and delete any and all information about them.
There are 99 articles in the GDPR. The ones that most significantly affect businesses and communicators are:
Article 5: Processing and Storing of Data
- Data must be processed and stored lawfully and transparently, and only for the reasons CLEARLY specified and agreed to by the individual.
- Data must be processed securely to prevent unlawful access (i.e., if data is lost or stolen, you will be held liable and fined should it appear proper protections were not in place).
Articles 6-8: Consent
- Very similar to Canada’s Anti-Spam Laws, individuals must give consent. You can’t buy lists or upload contacts. You need clear consent and an opt-in process.
- Only the information needed may be collected: only the data required to accomplish the task the individual initiated and consented to.
- This means we can’t just collect additional information from EU residents (demographic information, survey information, etc.) if it isn’t required for the actual execution of the task (such as signing up for an email list to get blog posts).
Article 15: Right to Access
- EU citizens must be given, upon request, all personal data a company has on them and told how it is being used.
Article 17: Right to Be Forgotten
- Companies must delete all data on citizens upon request.
Articles 33-34: Data Breaches
- Report any data or security breach within 72 hours.
Article 35: Impact Assessments
- Companies must conduct data protection impact assessments to identify risks to EU citizens. Assessments must also describe how the company is addressing those risks.
Articles 37-39: Data Protection Officers
- Any company that processes or stores large amounts of data on EU citizens must hire a data protection officer (DPO).
How Does the GDPR Affect Communicators?
As with other data privacy legislation, email marketing and marketing automation are the areas most affected.
However, you also need to be sensitive to the GDPR when pitching EU reporters or making any sales calls (if you manage a sales team) to prospects who have not provided consent for you to reach out to them.
GDPR Checklist for Media Relations
If you don’t have a previous relationship with a reporter in the EU, and they haven’t emailed you or in some other way contacted you as a source, you cannot email them.
- Do not send an unsolicited email to an EU reporter or editor. If you want to get in touch with them, you need to use contact forms or social media channels where they have given contact consent.
- If they email you first or request information from you directly, this implies consent, and you are free to respond and communicate with them.
- Develop relationships with reporters for the long-term. Now not only is it bad practice and ineffective to “spray and pray” releases to reporters and publications—it’s illegal.
GDPR Checklist for What You Already Should Be Doing
You should already have many of the email marketing regulations in place, but you will have to make a few tweaks and put in extra layers of protection and data access.
- Just as with CAN-SPAM and CASL, you need consent to collect and use personal data.
- You also must keep a record of each subscriber’s personal data, which they can access and change or update.
- You need to be clear on all email communications how and why you obtained the email address, who you are, and why you are emailing them.
- Always provide a double opt-in.
- In your opt-in process, you need to be clear about expectations and what they can expect from providing their email (example: weekly blog posts and the occasional special report).
- You need to provide an opt-out on every communication.
- Don’t buy lists. Don’t use lists from others. While these people have given that organization consent, they have not given it to you.
All of this is what you already should be doing. So no stress here.
GDPR Checklist for What You Might Not Already Be Doing
Some additional GDPR checklist guidelines you might not already be doing include:
- You cannot collect information from anyone under 16 without parental consent. So if this is a general target for you, you will have to change your system for data collection (and probably your overall communications strategy).
- If you don’t target those under the age of 16, you need to add a check-box in your opt-in to indicate that the subscriber is older than that.
- Update your Privacy Policy and Terms of Service to indicate you have a policy that prohibits users younger than 16 years old from registering or using your services/product.
- You cannot require more information than is needed for the consented action of the subscriber. So if you don’t need a phone number or an address, you can’t require one. If you don’t need to know what industry they are in, you can’t ask.
- If you want to collect this information, you’ll need to have a valid reason why (such as an industry-specific email that supplies information specific and helpful to those in that industry) and explain that upon opt-in. Guess what? This will help you send more targeted information anyway, so all the better.
- The right to be erased means that you need to be able to erase ALL existence of the individual should they request.
- Erase the personal data of your users when a service/agreement comes to an end, or they revoke their consent.
- Make sure your sales teams are aware of regulations and cannot “cold email” or call prospects without prior consent. (Or add those prospects to ongoing email lists).
- Evaluate your current email lists. Where did you get them? How did you obtain consent? Do you have a record of that consent? Can all subscribers access and change/delete their data?
- Create a plan for the holes identified from your audit.
Are Your Current Lists Compliant?
To make sure you are fully in compliance, you either need to set up a second opt-in process for anyone who says they are an EU resident and keep them on a segmented list, or update your protocol for everyone.
Data protection isn’t a topic that’s going away soon. It’s always better to over-prepare. So we’d suggest the latter.
If you haven’t followed the regulations in your current opt-in process, you must also go through a re-opt-in with your current list to make sure all current data is up to GDPR standards.
Eugen Opera has a really great and comprehensive GDPR for email marketing guide HERE, which I definitely recommend checking out.
Email Best Practices Equal GDPR Compliance
As communicators, we want to send the most useful, relevant information possible to our email subscribers. We don’t want them to see us as spam, but a trusted source.
If anything, GDPR forces you to stay committed to that goal.
The GDPR regulations will not only protect data privacy but also help you build a more engaged and targeted list.
A list that receives your emails because they want them, not because you bought, tricked, or insta-added them to your database.
“Inspired By” GDPR Checklist
If your ultimate goal is to maintain the integrity of your data and the quality of your list consider adding the following protocols to your email marketing strategy.
I like to call these the “inspired by” GDPR checklist items.
Non-Engagement Auto Unenroll
If you’ve ever signed up for any of the HubSpot email lists, you might have also been kicked off.
HubSpot has a system where, if you don’t engage with their email over a consistent period of time, they unenroll you (and send you a nice note to say “see ya, you can re-enroll here if you want”).
This allows them to:
- Continue to get consent.
- Re-engage you if you are really interested.
- Keep possible “spam” rankings low from people who forgot they subscribed.
Just because someone gave you consent once doesn’t mean they want you to have it forever.
This system helps them keep, and write the most specific content for, the people who really want to be there.
The business with the biggest email list doesn’t succeed.
The business with the most engaged list that converts succeeds.
The size of the list isn’t the goal; the quality is. Put a strategy in place that works to build a quality list, not just a list. GDPR compliance comes along with this.
Specificity in Content and Lists
Just because someone subscribed to your blog doesn’t mean they also gave consent to receive product updates or other emails that aren’t blog posts.
These GDPR checklist items focus on specificity and targeted content.
- Be extremely clear on what they’ll receive.
- Remind them often why they signed up and what they should expect to receive.
- If anything changes, let them know and give them the option to change their preferences.
- Think about including separate opt-ins or checkboxes, so they can choose all the things and areas they want you to communicate with them about.
- The more targeted and specific to their needs, the better. If you don’t segment your lists and continually re-assess interests through lead flow and email click-throughs, you need to examine how you can make that part of your strategy.
GDPR Checklist Resources and Questions
Feel overwhelmed? Got questions?
Me too!
I hyperlinked A LOT of resources throughout this article. I used every single one of them to write this, so use them for more information and detail.
Next week I am going to talk with Tom Fox and Jonathan Armstrong.
They are two of the leading authorities on the GDPR.
They will answer questions and discuss some of the most important aspects of the GDPR for communicators.
You will walk away better able to understand and discuss it with your organizations and clients.
If you have questions you want me to ask Tom and Jonathan, make sure to leave a comment on this post or in our Spin Sucks community by 8 am EST on Tuesday, April 10.
As modern communicators, it’s our responsibility to understand and support our organizations and clients through issues such as GDPR.
Make sure you take advantage of this opportunity to get your GDPR checklist questions answered.