General Data Protection Regulation (GDPR) is a somewhat time-consuming regulation that we all should be complying with by now. In short, it’s a European Union (EU) law on data protection and privacy for all citizens of the EU and the European Economic Area. By this time, you should have taken steps to ensure that your marketing is not going to EU individuals without the proper permission. After all, the law did go into effect in May 2018. With the constraints this can place on everyday marketing, do you understand why it’s important to follow these regulations?
The regulation is based on privacy. Quite simply, you need to make sure those you contact are interested in hearing from you – if not, you will not receive permission. And you cannot use any personal information about a source without their permission. By following the rules, you are not only complying with the regulation, you are preserving your reputation and your brand.
Compliance can be confusing. I sat in on a webinar from The Trust Bridge, an organization that offers expertise on data privacy, where they explained the intricacies of the regulation. The simplest factor – the email address – is unreliable, they explained, because an email address doesn’t always identify the country it’s affiliated with. Some companies have large offices or subsidiaries in many countries, and all may use the same type of email address. So, don’t rely on the email address to determine which country you are contacting.
Here are a few facts to remember:
- If you are absolutely sure your data is only going to American members, then you don’t need the checks in place. But truthfully, that is unlikely. If you are gathering email addresses from those who go to your website or read your blogs, then it is doubtful that you know their citizenship.
- Because data doesn’t recognize borders, it’s your job to find out whether email addresses are from the United States or other countries.
- Today’s consent is an active checkmark. Consent must be a “yes, I want to hear from you,” and cannot be implied from a blank box. If you are hosting a conference or an event, you must ask for permission for everything – to share personal information with sponsors and to use photos. Even speakers for an event must give permission for filming or for their likeness to be used. Nothing can be implied anymore.
How do you get consent? You may email a source twice for permission. Remember they MUST check off a box saying they are interested in future correspondence from you. If they do not respond, they then must be removed from any mailing lists. Keep your wording in the requests clear and in plain English. As you add new contacts to your mailing list, the process must continue. This is not a one-and-done event.
Responsibility and accountability for this process must reside with management, preferably a privacy officer.
Not to scare you, but it is getting easier to bring a class action suit, and there are increasingly more whistleblowers. Heavy fines for non-compliance are up to four percent of global revenue. A demonstration of accountability is now required. Don’t forget that directors and officers often neglect the liabilities that can occur. It’s up to you to ensure that procedures are being followed.
Simple steps to take now:
- Periodically review all your organization’s documentation and policies.
- Provide awareness training for all staff.
- Review your consent approach.
- Be prepared and know how to manage a breach.
- Remember this is a continuous process. It is now part of our culture.
While GDPR may seem like an issue that won’t touch you, don’t be lured into non-compliance. This is an ongoing regulation and it’s up to you to keep your marketing up-to-date. In the end, GDPR is a good step toward preserving an individual’s and/or organization’s privacy, bringing privacy into the 21st century and accountability and transparency into our inbox.
If you need help ensuring that your organization is complying with GDPR regulations, contact us today!