See the opportunity in the GDPR
I hope you had a peaceful and relaxing Easter. For us, it was a welcome time to catch up on some important things at our own pace. Looking forward, we now have eight weeks to finish preparing for significant data protection changes that affect us and all our clients. 25 May 2018 will see the coming into force of the GDPR (General Data Protection Regulation):
“Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”, made by the European Parliament and Council (Journal L119, 4/5/2016, p. 1–88).
Believe it or not, we’re excited about this. Why? Because, in this case, compliance is not just a chore; it’s an opportunity. For what? For positive client contact and improving our relationship with our clients and our website visitors.
Protecting the individual’s data better is a good thing (we’re all individuals, after all); it’s good for business too.
By respecting your clients’ and readers’ data, you give them another reason to trust you. You also clean and strengthen your contact lists, and avoid data protection issues. Who doesn’t want a productive mailing list filled with up-to-date data about people who want to be on it?
To act on this opportunity, you may need answers to a few questions… but first, please note that this blog post is not legal advice. Also, see our Disclaimer regarding data processing below.
Who, me? Why me?
Do you collect, hold and use the contact data of EU individuals for the purposes of describing, selling, or delivering to them your products and services? If so, you are a “Controller” of the data of individuals (“data subjects”) in the European Union (EU).
The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.
For more detail, see The European Commission’s answer to What is a data controller or a data processor?
This applies no matter how or when you acquired the data, and even if you hold only names and email addresses. And yes, it applies even if you operate from outside the EU, provided any part of your target market includes EU individuals. You must now check and document your legal reasons for storing the data of all your EU “data subjects”.
Even if you’re not a business owner, do you process the data of EU individuals by automated or non-automated means? Clue: yes, you probably do. The European Commission definition of data processing is extremely comprehensive: What constitutes data processing?
Are any EU data subjects excluded?
According to the European Commission online legal resource:
(The GDPR) doesn’t apply to the processing of personal data of deceased persons or of legal entities. … (Nor does it apply to) …data processed by an individual for purely personal reasons or for activities carried out in one’s home, provided there is no connection to a professional or commercial activity. When an individual uses personal data outside the personal sphere, for socio-cultural or financial activities, for example, then the data protection law has to be respected.
If you do use such data “outside the personal sphere”, then the law applies even if you hold only a company name (legal entity) but with an associated email address of an identifiable person.
Do my data sources matter?
You may have websites where people can contact you via contact forms or blog comments. This data is collected in databases associated with your websites. Or a Newsletter signup form enables people to add their data to an email marketing list, e.g. on MailChimp.
You may have mailing lists in Excel or Access, built up painstakingly over the years, or which you bought or otherwise acquired. Perhaps you store your newsletter and marketing contacts in a Contacts application, alongside your personal contacts.
Most people who market anything online have a mix of all these. No matter the data source, this law applies to you if the data subjects are EU individuals.
Establish the legal bases of your lists
The good news is… it’s quite possible that you DO actually have at least one lawful reason to approach at least some of your contacts, even if they have not yet bought from you.
There are two main legal bases for marketing to your contacts:
- You have their explicit consent to your holding their data and using it for specific purposes made clear to them at the time of consent. (Advantages: unequivocal; usually provable; marketing recipients already favourably disposed towards you.)
- OR: It is appropriate for you to hold and use their data due to your “legitimate interests” in doing so. Your legitimate interests include your need to offer to your market your products or services. (Advantage: Allows you more flexibility as to who is on your list; Disadvantage: Requires you to assess and balance each data subject’s interest in privacy against your legitimate interests, for every action you take with their data.)
In the case of legitimate interests, as I understand it, as long as the marketing is unlikely to surprise or unusually inconvenience the recipients, and does not unduly threaten their legitimate interests in preserving the security and privacy of their own data, you can use existing or obtain (limited) new personal data in order to do so.
However, if you previously asked those same people to consent to receive marketing from you, and they did not reply in the affirmative, you implied that the basis you relied on was “consent”, and you didn’t get it. You cannot then rely on the “legitimate interests” basis.
The e-Privacy Directive
This is particularly so for email and SMS marketing, where another EU directive comes into play as well, as explained by Phil Lee on the Field Fisher law blog:
Marketing regulation under the e-Privacy Directive
Marketing regulation under the GDPR is only half the story, however. Europe also has a separate law — the Privacy and Electronic Communications Directive (or e-Privacy Directive) that contains supplemental rules governing consent requirements for e-marketing, i.e. marketing sent over electronic communication channels (such as phone, fax, e-mail and SMS, for example). When sending e-marketing, these supplemental consent rules apply in addition to the need for businesses to identify lawful processing grounds under the GDPR.
Put as simply as possible, these rules require opt-in consent for e-mail and SMS marketing, unless an individual’s contact details were collected in the context of a sale and the individual was given the ability to opt-out at that time.
BEWARE! You CANNOT send an unsolicited email, even to an existing contact, for the purpose of asking them to consent to receive marketing emails! In March 2017, the Information Commissioner’s Office (UK) sent a Monetary Penalty Notice to Flybe for just such a breach. The key paragraph is this:
Flybe were informed that it was the Commissioner’s view that organisations cannot e-mail an individual to consent to future marketing messages. That e-mail would be in itself sent for the purposes of direct marketing, and so is subject to the same rules as other marketing e-mails.
I strongly urge you to read blogger Ben Rapp’s succinct review of this “Kafkaesque” situation in his post Kafka strikes again: GDPR requires consent, but you can’t ask for it.
He gives the examples of Flybe and Honda, with links to the documentation containing the reasons they were fined.
If you have another, legitimate, reason to contact an existing client by email, you might include an option to update details and preferences. This is pretty much the standard now anyway, and they should always have had the option to unsubscribe. However, getting consent to market to them in future cannot be the purpose of the email. Failing this, you might resort to meetings and phone calls, but you must still get their consent in provable form… i.e. in writing!
Must I do anything before 25 May?
How much you must do depends on whether your original data acquisition processes and the ways you currently store and use it comply with the GDPR.
This differs for each Controller, and for differently sourced data held by the same Controller.
The minimum you need to do is:
- Read up on the new law to understand your responsibilities (see resources below).
- Check your data and its acquisition, storage and usage processes.
- Decide whether you need to do any of the following:
  - Modify your Contact Form and Newsletter Signup processes to ask contacts explicitly to consent to your using their data for specific purposes.
  - Ask existing Contacts for their consent regarding the use of their data. But BEWARE! See the Warning above.
  - Locate, and be able to produce easily, proof that all your contacts have given consent where necessary.
  - Delete any contacts for whom you cannot prove this consent and where your other legal basis (e.g. “legitimate interest”) is absent or uncertain.
  - Ensure that new online and offline contacts are added to your list/s only via informed opt-in processes (failure to object or opt out is not implied consent).
Where can I find more GDPR info?
The source of it all
The original European Commission document is, of course, well-meaning and worthy, if just a tad long: GDPR Full Text
WIRED offers a more digestible summary of some key points, including fines, the difference between “personal data” and “sensitive personal data”, whether Brexit matters (not much) and links to relevant documents: What is GDPR? The need-to-know guide
ICO guidance on steps to take
The UK Information Commissioner’s Office provides a useful 12-step guide and a checklist: Guide to the General Data Protection Regulation.
The steps are likely to be similar no matter in which country you are based. Obviously, you should check your own country’s online resources to make sure you don’t miss any nuances.
Iubenda provides website privacy policies for over 30,000 customers in 100+ countries. Read their summary here: GDPR: The new EU privacy law in short… and in-depth
The GDPR applies to individual bloggers as much as to companies, although some requirements differ. Blogger Nyomi has done some in-depth research and shared the steps that she is taking in her article GDPR for bloggers – does it apply to you and how to comply
MailChimp offers a good summary of how the GDPR affects email marketing: The General Data Protection Regulation (GDPR) Marketing: What it is, what we are doing, and what you can do
If I must take action, who can help me?
- Get IT Write International cannot give you legal advice (see Disclaimer). However, when you know what you want to do, you can ask us to help you:
  - Update related website and email policies, messages and processes on your website.
  - Modify your MailChimp newsletter templates. Again, BEWARE! See above.
  - Install or update Iubenda applications.
  - Install or update other Cookie Law applications.
  - Delete data that do not comply with the law.
- We recommend engaging a lawyer who specialises in EU data protection law to review your website, mailing lists, any other data collecting software, and related processes.
Eight weeks can go by more quickly than you think. But even if you haven’t started yet, you’ll get there if you act now. We will be completing many of these things ourselves over the next few weeks. You are welcome to use our GDPR-related messages in emails or on our website for inspiration. However, please treat these as starting points only — they will not suit you perfectly. Also, see our Disclaimer below.
Feel free to share thoughts or questions on the GDPR in Comments below. If you need us to research or implement something for you, please Contact us.
Disclaimer
In particular, we do not control your contact sources and how you choose to use, store and protect contact data. We may implement and maintain data-processing tools for you, but you are responsible for the way you use them. This is especially so if you have admin or editing access to your sites, plugins and mailing lists. We will not implement any tools which would require non-compliance with the GDPR or the e-Privacy Directive.