What is GDPR? Everything You Need to Know

The General Data Protection Regulation (GDPR) is a new data protection law in the EU that will go into effect on May 25, 2018.

It was created to protect EU citizens from the privacy and data breaches that have become all too common in an increasingly data-driven world.

This law, replacing the Data Protection Directive 95/46/EC from 1995, aims to improve upon the previous policies and create a safer place for consumers and their data.

For brands, and more specifically marketers, GDPR will not only change the way you communicate with your clients, but also how you handle their data. Continue reading to learn more about GDPR and how it will impact your job.

What Is GDPR and Why Was It Created?

Many brands may feel a sense of fear when thinking about and planning for GDPR. But the reality is there is nothing to fear about these new regulations, as GDPR is nothing more than a way to help consumers reclaim their data.

And when you think about it, doesn’t it just make sense? As marketers, we don’t own customer data – we borrow it. They lend it to us with the trust and expectation that we will use it to provide them with a personalized and relevant experience that delights them to the point of purchase.

The problem is that too many brands are exploiting this data and creating bad experiences for customers. Companies selling email lists or opting customers in for dozens of email communications after filling out one form are creating an unpleasant, and spam-ridden, environment.

As marketers, can we start here with a foundational agreement that we shouldn’t be marketing to customers who haven’t given us their outright consent? After all, it’s really not the size of your email list that matters, but the engagement of each contact within it.

At one point, mass one-size-fits-all incentives served a purpose – and honestly, there was really no alternative to a “spray-and-pray” approach to special offers. But the time has come to mature beyond the age of mass promotions. When a customer provides you with their personal data, they expect you to use their data to create a more personal experience for them in return.

What’s more, the mass amount of data that brands collect from consumers across dozens of channels elevates the risk of that information falling into the wrong hands. GDPR is meant to protect consumers and allow them to have a say in how their data is used.

Frequently Asked Questions about GDPR

Whether you’re just getting exposed to GDPR or feel well-versed on the topic, you likely still have a few unanswered questions about the new regulations. Here are a few of the big questions many marketers are asking about GDPR.

What is GDPR?

GDPR is the new EU framework for data protection laws, replacing the Data Protection Directive which has been in place for over 20 years. It is primarily designed to give greater protection and rights to individuals while also reducing the risk of their personal information being exploited or misused by limiting the amount of data that may be collected by companies, the way it can be used, and the amount of time that it can be stored.

How is this different from the existing law?

Because each country applies the previous directive in their own way, laws currently vary across the EU. However, in general, GDPR levels the playing field and changes how personal data is used. Because GDPR is a regulation, it is a legal requirement and will apply as a law in all EU countries on May 25, 2018.

I’m not in the EU. Do I need to worry about GDPR?

Yes. Any company handling the personal data of EU citizens must be compliant with the new regulations or face penalties. Even companies not located in the EU who export and handle the personal data of EU citizens will need to comply.

What constitutes personal data?

Personal data refers to any information that can directly or indirectly identify an individual. This can range from a name, email, photo, bank details, credit card information, social media posts, medical information, a computer IP address, and more.

What are the consequences of not being GDPR-compliant?

Fines will be applied to organizations failing to comply with the new regulations. These will be accrued based on a tier level, with the harshest penalty being €20 Million or 4% of the non-compliant company’s annual global revenue.

What are the requirements to be GDPR-compliant?

Several changes are being implemented as part of the new regulations including:

Strengthened consent conditions: Companies must be transparent and clear in their language about what consumers are consenting to. Retracting consent must also be as easy as giving it.
Breach notification: All organizations will be required to notify their contacts within 72 hours of a data breach.
Right to access: Consumers will now have the power to ask how, where, and for what purpose their personal data is being used. Organizations must provide a copy of their personal data in an electronic format for free.
Right to be forgotten: Consumers also can ask that their data be erased and no longer be used by organizations.
Data portability: Consumers must be able to receive the personal data they requested and then transfer it to another controller for processing.
Privacy by design: GDPR strengthens the requirement of building data into systems, rather than as add-ons or afterthoughts.
Data Protection Officers: In some cases, companies will be required to appoint a Data Protection Officer (DPO).

Will I need to appoint a Data Protection Officer?

The new regulations require companies to appoint a DPO if they are a public authority, an organization known for regularly monitoring individuals on a large scale, or if the organization conducts the processing of special categories of data, like health records or information about criminal charges, on large scales.

How GDPR Will Impact Marketers

With added regulations coming into play, you can expect a lot to change in the way you’re acquiring, handling, and using EU data. Here’s what you should be aware of and how you can prepare for the upcoming changes.

Collecting data

For starters, the way you’re collecting data will shift. Currently, you can rely on a pre-checked box to collect consent for marketing communication. But under the GDPR, that will no longer be an acceptable way to collect data.

Because the GDPR requires that consent is “freely given, specific, informed, and unambiguous,” you must now be more deliberate in the way they are opting consumers in. While pre-checked boxes no longer suffice, requiring consumers to check a box, fill out a form, or update their preferences when visiting a website are all clear and acceptable ways to collect data and consent from consumers.

Consent Requirements

Clear consent is a more stringent requirement under the new GDPR. You will not be able to hide consent for data processing with generic statements like “we may process your personal data to improve our services.” For consent to be considered valid under the new regulations, you’ll need to clearly indicate the following:

What personal data will be processed (are you collecting names, browsing behavior, addresses)?
How you will process this data?
Who will process this data (include yourself, any data processors, and third-party partners)?
Why you are processing this data (sending emails, tracking website activity, showing Facebook ads)?
When the data will be processed (include when the data expires)?

Breaking Down Valid Consent

GDPR applies to all new and existing data. If requested, users will be required to prove that they have consent to use personal data. The following contacts will need to be proved accordingly:

Current customers: Consent exists under an “existing customer relationship.” Be mindful of how long the relationship could be considered valid and whether the communication content may be restricted to existing relationships (e.g., under the German UWG Sec 7(3)).
Lapsed customers: You should not store any customer’s data without explicit consent, an “existing customer relationship” (see above), or ongoing email activity., i.e. engagement by the recipient – not just emails sent to the individual.
Active email subscribers without provable consent: You must be able to prove that your email program provides a valuable service to use “existing customer relationship” as the basis for ongoing email activity.
Inactive email subscribers: You should not store a individual’s data without recent consent, an “existing customer relationship”, or ongoing email activity.
New and re-engaging customers/email subscribers: You should store the wording and act of consent (i.e., this individual checked this box at this date/time from IP address X and they consented to data processing in Y statement).

Proving Consent

Under GDPR, you must prove consent before sending any communications to contacts. Remember that consent applies to all data collection practices including offline methods such as mail and telephone.

When collecting data and consent, ensure that you store:

Date and time of consent
Method of consent
A referential copy of the sign-up form, including its wording

Privacy Policy

As previously mentioned, GDPR will require greater transparency from marketers around consent. You will have to ensure that the individual is giving you “informed consent” and that they understand who they are giving consent to and why their data is being processed.

You should keep records of the privacy policies, consent information, and processing activity to prove that you are complying with the permission granted by the individual.

The example above is a compliant privacy notice from the UK Information Commissioner’s Office (ICO). It is concise, transparent, and easily accessible.

Using Double Opt-Ins

Because you need to collect proof that you have permission to use an individual’s data, you’ll likely need to rethink the way you are asking for consent. Double opt-ins are great for this because the process validates consent by confirming an email address and asking the individual to take another action to provide consent.

Double opt-ins are not a GDPR requirement. As long as you provide clear and transparent language around what you will be doing with personal information, an individual can provide consent by clicking a box that says “Yes, I agree,” or “I consent.” Double opt-in is simply an added safeguard to help you confirm consent.

Marketing to Your Existing Database

Before sending any marketing communication to your existing database, make sure that all your data is compliant with GDPR. You’ll need to check that you have existing consent records that prove you have permission to send communication to each individual contact. It’s also important to remember that you need explicit permission to send to each channel, not just email.

You don’t have long to get permission from unengaged subscribers, so consider running re-permissioning campaigns to grab their attention (maybe consider using lead magnets, like incentives, offers, upgrades, etc. ). If these subscribers feel that there’s value in the communication, they’ll give you their consent.

Consequences of Non-Compliance

After May 25, what happens to organizations that are not compliant with GDPR? According to the regulations, organizations will face fines for non-compliance, with the steepest fines at €20 Million or 4% of their annual global revenue. Different violations will accrue different fines based on the severity of the violation.

How Emarsys Is Preparing Marketers For These Changes

For years now, many brands working and sending communications in the EU have been preparing for more stringent guidelines. And at Emarsys, we’re no different. We’ve been practicing within the most stringent guidelines, and recommending our clients do the same, since 2009.

A lot of the communication around preparing for GDPR is fear-inducing, but as stated above, we believe these new regulations will push marketing to be better. The GDPR is an evolution in data protection and is meant to put consumers back in control of their data. Remember, if you are already obeying existing data protection laws, you’re already on your way to compliance.

For our clients, many strive to stay ahead of the curve, and compliance with GDPR is another opportunity for optimization. In countries with strict data protection laws, we often see better results from our clients’ marketing efforts. Why is that? It’s because marketers are using good quality data where the individuals have been well informed about the use of their data.

As an organization, we’re all in on making true one-to-one personalization at scale possible for our customers. Helping our clients collect, store, and process clean data is just another step in delivering on that promise.

GDPR compliance is possible and nothing to fear with the right partner.