On May 25, the General Data Protection Regulation (GDPR) will go into effect, marking the beginning of new regulations for the collection and storage of personal data. While the law itself is primarily regulated within the European Union, its effect will be far-reaching, as any global business that collects data and/or does business with a European subscriber will need to be in GDPR compliance. Failure to do so will result in stiff fines.
I know that I’m not alone in feeling a sense of urgency and, dare I say, a little confusion over what exactly is required for compliance with GDPR—it’s a hot topic in the Women of Email chats on Facebook, and even the recent reports from eMarketer show that the complexity of the law is the primary barrier to GDPR compliance.
As a US-based strategist focused primarily on email marketing, I’ve set out over the past few months to figure out what exactly I should be recommending to my clients to help guide their compliance discussions with their legal and technical teams. Before we dive into my recommendations, let’s back up just a bit and set some definitions. First off, under GDPR, personal data is defined as very nearly any data point, including:
- Data points that can be attributed to an individual, e.g. my address or shirt size
- Sensitive personal data, e.g. my religious beliefs or membership affiliations
- Pseudonymous data, e.g. my IP address
- Anonymous data points that are collected or used by a brand
The two main areas that GDPR focuses on are how data is collected and how data is stored. Individuals have the right to ask organizations what data points they have on record about them and the right to ask that the data be updated, corrected, or deleted. They also have the right to access the data at any time. The burden of proof will fall to businesses—if a company does business with Europeans they must comply, even if they don’t have a physical European location. You can learn more about the intricacies of the new law in this guide, published by the UK’s Information Commissioner’s Office.
The GDPR is complex, and ensuring compliance will require a lot of cross-department collaboration. However, for email marketers, here are a few practical steps I recommend taking now to help get your team ready for the May 25 deadline:
1. Take a close look at all of your acquisition touchpoints.
Any email address collected must be freely given with clear, specific informed consent. Opt-in boxes cannot be pre-checked. The language used to secure an opt-in must clearly state what the subscriber is opting in to. If the opt-in form states that you’ll send occasional emails, but in reality you’ve increased your cadence to nearly daily, you may need to adjust your opt-in language.
Also, be sure that any promises you make around your content fall in line with your current content marketing strategy to ensure that what you say you’ll be emailing customers about is what you’re actually emailing them about.
2. Take a proactive approach to any European subscribers you have on record.
You will have to bring all prior opt-ins into full GDPR compliance before the May 25 deadline.
This is a great opportunity to introduce a journey-mapping exercise to your marketing team if you have not used it in the past. There is a clear conversion and deadline to the process. By taking the time to do a full journey-mapping session, you’ll likely uncover some additional reasons why remaining a subscriber is beneficial for your customers, and you may find new opportunities to enhance your program for all your existing subscribers, regardless of their geographic location.
3. Finally, work with your IT department.
Data storage is a major component of the GDPR, and having a full catalog of all opt-in locations (including screenshots with a date/time stamp) of any forms you have will make your organization’s data storage processes more efficient and thorough. Use this process as an opportunity to bridge the gap between your worlds and set your teams up for greater synchronicity in the future.
We have just under three months until the deadline arrives. There’s a lot of work left to be done, but if you follow these guidelines you should be able to get your organization on the right track toward GDPR compliance. If you have questions or need guidance, DEG’s email relationship strategists can help.