Keep in mind, this material is provided for your general information and is not intended to act as legal advice. To fully understand the impact of the GDPR on your business, please consult with an independent legal or privacy professional.
The European Union’s new privacy law – the General Data Protection Regulation (GDPR) – comes into effect May 25, 2018. It applies to the personal data of individuals in the EU regardless of where the organization collecting or processing that data is located (i.e. if you're sending from the US but have recipients in the EU, that means you). The regulation is part of a broader effort to establish consistent, enforceable requirements across all Member States that protect the right of individuals in the EU to privacy and to the security of their personal data.
To repeat: YES, the GDPR applies to you if you collect, record, organize, store, or perform any operations on data related to those who live in the EU — even if you are sending from somewhere else.
Among its goals, the GDPR seeks to add accountability to the practices of data controllers and processors. What does that mean, exactly?
A controller is the one who “determines the purposes and means of the processing of personal data."
A processor is one who “processes personal data on behalf of the controller."
In our case, you are a controller (and in some situations, so are we), and we are a processor when you send emails via our application. Consent is not the only lawful basis for collecting and processing personal data, but for marketers it is the strongest and most familiar one.
You'll need to adhere to some of the same best practices you're used to, plus a few more. While we recommend you consult with a legal and/or privacy professional to understand the full scope of your obligations under the GDPR, here are some tips that might be helpful for fulfilling your compliance obligations:
1. Update your signup forms.
Our Trust Center provides quite a bit of detail about consent as it’s defined under the GDPR. The regulation's text spells out how consent can (and cannot) be given. Rather than relying on the single word “explicit” that many of us are used to, the GDPR requires consent that is freely given, specific, informed and unambiguous, signalled by a clear affirmative action (a pre-ticked box, silence or inactivity does not count), and it places specific obligations on the data controller, including being able to demonstrate that the data subject consented.
Leading up to the GDPR effective date (May 25, 2018), now is a great time to take another look at the consent you’ve received prior and strategize how you’ll obtain consent in the future under the GDPR’s requirements. This means adding a few new items to your to-do list:
Review consent for existing subscribers (no need to re-obtain consent if it was originally obtained in a manner that is in line with the GDPR);
Review your consent forms (signup forms) to ensure that the way any new information about an individual is collected complies with the GDPR.
2. Update privacy notices.
Make sure you explicitly define all processing activities related to personal data processed by you and any third parties processing on your behalf.
Provide all information regarding processing activities in a concise, transparent, intelligible and easily accessible manner, using clear and plain language (avoid jargon and legalese whenever possible).
Ensure that your online privacy notices are not hidden, lengthy, or difficult to understand.
3. Operationalize ways to respond to your subscribers' requests.
Data subjects (in this case, your subscribers as they relate to your use of our email marketing application) have the right to: transparent information about your processing of their data; access to, rectification (correction), erasure (deletion) and portability of their data; and the right to restrict processing, object to it, or withdraw consent for future processing, including objection to any automated decision making based on their personal data. So, you’ll need to operationalize ways to respond to and quickly address these subscribers’ requests to exercise their rights under the GDPR.
When operationalizing, consider the following:
The process for the subscriber to exercise their rights as a data subject should be clear. Make sure instructions for the process are where they’re expected to be and that the mechanism to make the request is easy to use and does not require special knowledge beyond that needed to verify the request.
Requests for information may not always be legitimate. As the data controller, you’ll want a way to confirm the identity of the requester so that you’re not disseminating personal data to the wrong person. Keep the check proportionate: verifying against information you already hold (for example, a confirmation link sent to the email address on file) is usually enough, and demanding new identity documents just to answer a request creates more personal data for you to protect.
Responses should be timely and accurate.
There may be lawful grounds that prevent you from modifying or deleting, in part or whole, the record. Consider these carefully and fully document your reasoning.
Keep your responses to data subjects clear and unambiguous.
Make sure a subscriber’s data can be provided in a structured, commonly used and machine-readable format (CSV or JSON, for example) in case they want to store that data elsewhere or move it to another provider.
You’ll generally have one month from receipt to fulfill the request. That period may be extended by up to two further months where requests are complex or numerous, but you must tell the subscriber about the extension, and the reasons for it, within the first month.
All steps in the above process should be documented.
4. Begin keeping more comprehensive records.
Keep a record of each of your signup forms, data collection mechanisms, and processing activities. This could mean saving the underlying code, a screenshot, a PDF, and/or a use-case description of any data collection mechanism you’re currently using or use in the future, along with when it was in use; together with the timestamped consent record for each subscriber, this lets you prove what a subscriber saw and agreed to. As an added bonus, you’ll also be able to take a more critical look at your successes and failures in data collection to improve future practices.
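As an added illustration of tips 3 and 4 (this is example code written for this page, not code from Emma's platform or the original post), the following Python sketch wires those steps together in one place: a consent record that stores a hash of the exact form the subscriber saw, an identity check based on a signed token sent to the address on file and echoed back, a response deadline computed by calendar month (one month, or three with the extension), a JSON export for portability, an erasure step that refuses and documents its reasoning when a lawful hold applies, and an audit log of every action. The store, the class and function names, the VERIFY_KEY secret, and the form HTML and subscriber are all hypothetical or constructed sample data.

```python
"""Hypothetical data-subject-request workflow for an email list (example code).

Covers: consent evidence, requester identity check, response deadline,
portable export, erasure with lawful-hold check, and an audit trail.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from datetime import date, datetime, timedelta, timezone

# Hypothetical per-deployment secret used only to sign identity-check tokens.
VERIFY_KEY = secrets.token_bytes(32)


def form_fingerprint(form_html: str) -> str:
    """SHA-256 of the exact signup form shown, stored alongside the saved copy as consent evidence."""
    return hashlib.sha256(form_html.encode("utf-8")).hexdigest()


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month (Jan 31 + 1 -> Feb 28)."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    next_first = date(year + month // 12, month % 12 + 1, 1)
    last_day = (next_first - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def response_deadline(received_iso: str, extended: bool = False) -> str:
    """One month from the receipt date, or three months when the two-month extension applies."""
    received = date.fromisoformat(received_iso)
    return add_months(received, 3 if extended else 1).isoformat()


@dataclass
class Subscriber:
    email: str
    name: str
    consented_at: str          # ISO-8601 timestamp of the consent event
    form_fingerprint: str      # ties this record to the archived copy of the form
    lawful_hold: bool = False  # set when a legal ground prevents erasure


class SubscriberStore:
    """In-memory store plus audit log; a real deployment would persist both durably."""

    def __init__(self) -> None:
        self.records: dict[str, Subscriber] = {}
        self.audit: list[dict] = []

    def _log(self, action: str, email: str, **detail) -> None:
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "action": action, "email": email, **detail})

    def record_consent(self, email: str, name: str, form_html: str, consented_at: str) -> Subscriber:
        sub = Subscriber(email, name, consented_at, form_fingerprint(form_html))
        self.records[email] = sub
        self._log("consent_recorded", email, form=sub.form_fingerprint)
        return sub

    # Identity check: the token is mailed to the address on file and echoed back by the requester.
    # Binding it to the request id stops one token being reused for a different request;
    # a production version would also add an expiry.
    def issue_token(self, email: str, request_id: str) -> str:
        msg = f"{email}|{request_id}".encode("utf-8")
        return hmac.new(VERIFY_KEY, msg, "sha256").hexdigest()

    def verify_token(self, email: str, request_id: str, token: str) -> bool:
        return hmac.compare_digest(self.issue_token(email, request_id), token)

    def export_portable(self, email: str, request_id: str, token: str) -> str | None:
        """Access/portability: machine-readable JSON of everything held on the subscriber."""
        if not self.verify_token(email, request_id, token):
            self._log("export_refused", email, reason="identity not verified")
            return None
        sub = self.records.get(email)
        if sub is None:
            return None
        self._log("export_fulfilled", email, request_id=request_id)
        return json.dumps(asdict(sub), indent=2, sort_keys=True)

    def erase(self, email: str, request_id: str, token: str) -> bool:
        """Erasure: refused and documented when identity fails or a lawful hold applies."""
        if not self.verify_token(email, request_id, token):
            self._log("erasure_refused", email, reason="identity not verified")
            return False
        sub = self.records.get(email)
        if sub is None:
            return False
        if sub.lawful_hold:
            self._log("erasure_refused", email, reason="lawful hold on record")
            return False
        del self.records[email]
        self._log("erasure_fulfilled", email, request_id=request_id)
        return True


if __name__ == "__main__":
    store = SubscriberStore()
    # Constructed sample form and subscriber.
    form = '<form><input type="checkbox" name="consent"> I agree to receive the newsletter</form>'
    store.record_consent("ana@example.com", "Ana", form, "2018-05-25T10:00:00+00:00")
    tok = store.issue_token("ana@example.com", "req-1")
    print(store.export_portable("ana@example.com", "req-1", tok))
    print("deadline:", response_deadline("2018-05-31"))
    print("erased:", store.erase("ana@example.com", "req-1", tok))
```

The audit list is what you would hand to a regulator or an auditor: every refusal carries its reason, every fulfilment carries the request id, and the consent entry carries the hash that matches the archived copy of the form from tip 4.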
Remember: the tips above are not meant to be legal advice and are in no way a comprehensive standard for ensuring your email marketing program is in compliance with the GDPR.
How are we helping at Emma?
At Emma, we are pursuing GDPR compliance by May 25, 2018. This means we’re implementing robust GDPR training for all of our employees, managers, and executives, and building GDPR-compliant features into the platform so that you’re able to comply with your obligations as a controller of your subscribers’ personal data. We’re also reviewing all sub-processors to ensure the security and privacy of data throughout our operations and software.
Privacy by design: We’re building internal privacy-by-design guidelines and training our product and engineering teams on GDPR to make sure that data privacy principles are taken into account during the earliest stages of feature and product development.
Data subject’s rights: When your subscriber reaches out to you to exercise their rights, for example, of erasure or rectification, it’s our responsibility to assist you in complying with that request insofar as it pertains to data processed through our application. We’re updating our platform with features that help you fulfill that subscriber’s request in a timely manner. Stay tuned for more details as these features get released.
Security measures: We are auditing and documenting all of our current security measures and practices, and where security measures can be further strengthened, our team is working quickly to implement updated security measures before May 25, 2018 to ensure appropriate technical and organizational measures are in place for the safeguarding of personal data. We are also re-evaluating all of our sub-processors to ensure they have adequate security measures in place for the onward processing of any personal data processed by them.