The GDPR became applicable on 25 May 2018, changing some important aspects of how companies process personal data. Here you can find out how these changes affect email marketing and how to comply with the new regulation.
The European Union (EU) has replaced its previous data protection directive with a regulation. This new law is known as the General Data Protection Regulation (henceforth, GDPR) and applies to all types of entities, from public authorities to SMEs, regardless of whether the processing takes place inside or outside the EU, as long as it concerns people who are in the EU.
As this is a far-reaching subject, we've written a whole post to clarify all your doubts about email marketing and the GDPR. The post has lots of useful information and even the video summary of our webinar on the GDPR. Acumbamail has been complying with the GDPR since before it became mandatory.
Take our test to check that you meet all the requirements of the new data protection regulation.
The GDPR puts an end to the 'de facto' implicit consent that was commonplace in a lot of data processing: consent now has to be given by a clear affirmative action, so pre-ticked boxes, silence or inactivity no longer count. When consent is requested, the data subject has to be told who the data controller is and what the data will be used for, and whether the personal data will be transferred to third countries outside the EU. Such transfers are only allowed with an adequate safeguard in place, so keeping the data in EU countries is the simplest option.
With the new regulation, controls on suppliers that have access to personal data (processors) are tightened, especially for suppliers from outside the EU. These controls have to be more thorough and a written contract must govern every aspect that affects the security of the information handled. How the supplier reports security incidents back to you is one example of something the contract has to regulate when a service is provided by a third party.
Existing procedures and records will need to be updated to adapt them to the new regulation. Any new information or personal data processing operation must follow the principle of "data protection by design and by default": in other words, any new activity has to protect the privacy of the information handled from the moment it is conceived, not as an afterthought.
The procedures implemented must reflect what the company actually does and must be auditable at any time. The new regulation introduces procedures and controls on the retention of information, the management of backups (deleted data should not quietly reappear from a restore) and other practical aspects of the operation of any entity.
When processing is likely to pose a high risk to the rights and freedoms of individuals, a risk analysis on the protection of personal data must be carried out before the processing begins. This analysis is known as a Data Protection Impact Assessment (DPIA). DPIAs will become commonplace and are a very useful tool for companies to address confidentiality risks.
The GDPR reinforces the rights people already had over their personal data and creates new ones. In particular: the right to erasure (the "right to be forgotten"), which lets users have their data deleted; the right to data portability, which lets them take their data from one provider to another in a commonly used format; and the right to object to profiling for direct marketing purposes, which must be honoured as soon as it is exercised.
Incidents that affect the security of personal data will have to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of them. When the breach is likely to result in a high risk to the people concerned, they must also be informed.
The new regulation creates the figure of the Data Protection Officer (DPO), mandatory for public authorities and for companies whose core business involves large-scale or systematic processing of personal data. When data is collected, data subjects must be informed of the identity and contact details of the controller (or its representative) and, where one exists, of the DPO.
Entities that process personal data must carry out periodic audits to review the status of the procedures for managing that data.
The success and reputation of a company depend to a large extent on how it handles privacy.
Training staff in the implemented procedures is the way to build this culture of privacy.
It's about creating a culture of security and privacy that reaches every part of the company.
Failure to comply with these legal obligations entails significant penalties, of up to 20 million euros or 4% of worldwide annual turnover, which can seriously affect any company. Are you going to risk it?