
The EU General Data Protection Regulation (GDPR) and Email Marketing

The EU General Data Protection Regulation (GDPR) applies from 25 May 2018, and
that day is fast approaching:

“1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official
Journal of the European Union. 2. It shall apply from 25 May 2018.” (Article 99, p.88 of the Regulation)

This regulation matters not only to marketers, but to everyone in the European
Union (EU). It replaces the Data Protection Directive (95/46/EC) that currently sets
out the rules on personal privacy. It was proposed by the European Commission and
adopted by the European Parliament and the Council to protect the privacy of
individuals.

What’s new: the rules cover an individual’s personal data whether it is collected in a
private, public or professional context, and what used to be treated as recommended
guidelines is now a mandatory practice, backed by enforcement and fines.

Copyright © 2017 CODEMEFY www.codemefy.com Page 1


Why is this happening?

Data security and privacy have become a significant public issue. Increasingly more
attention is paid to how personal data is stored, who can access it, and how consent
is given and withdrawn.
“(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The
scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and
public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons
increasingly make personal information available publicly and globally. Technology has transformed both the economy and
social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and
international organisations, while ensuring a high level of the protection of personal data.

(7) Those developments require a strong and more coherent data protection framework in the Union, backed by strong
enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal
market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons,
economic operators and public authorities should be enhanced. (p.2)”

Who will this affect?

If your database holds contacts who are in the EU, you have to comply. It does not
matter whether your organisation is located in the EU or not: the regulation follows the
individual, not the company. And the fines are big: up to 4% of annual global turnover
or €20 million, whichever is greater.

Have you thought about how you are obtaining email addresses?

It is not only big companies that collect personal data. Bloggers, smaller websites and
eCommerce shops all capture such information, so make sure you are not breaking the
rules.

“ (32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous
indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written
statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet
website, choosing technical settings for information society services or another statement or conduct which clearly indicates in
this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or
inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same
purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's
consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily
disruptive to the use of the service for which it is provided.” (p.6)



Note that your sign-up form must use clear, plain language and must state every
purpose the data will be used for, including any further data collection you plan to
carry out later. Consent must be an active choice: no more pre-ticked boxes.

Anything else?

“The right to be forgotten”: your contacts can ask you to erase the personal data you
hold about them, and you need to comply.

Organisations whose core activities involve large-scale, regular and systematic
monitoring of individuals, or large-scale processing of special categories of data, must
appoint a data protection officer. Separately, every controller must notify the
supervisory authority of a personal data breach within 72 hours of becoming aware of
it, unless the breach is unlikely to put individuals at risk.

Proof of consent: it must be documented and stored, so keep a record of what each
recipient agreed to, when, and how. Email recipients must be able to withdraw consent,
and it must be clear how to unsubscribe: withdrawing consent must be as easy as
giving it. You are obliged to respond to requests without undue delay, and at the
latest within one month.
“(59) Modalities should be provided for facilitating the exercise of the
data subject's rights under this Regulation, including mechanisms to
request and, if applicable, obtain, free of charge, in particular, access to
and rectification or erasure of personal data and the exercise of the right
to object. The controller should also provide means for requests to be
made electronically, especially where personal data are processed by
electronic means. The controller should be obliged to respond to
requests from the data subject without undue delay and at the latest
within one month and to give reasons where the controller does not
intend to comply with any such requests.” (p.11)

Make sure you have a copy of the regulation document; the official GDPR PDF is
linked under Sources below.

Sources:

GDPR document:
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
