The first half of 2018 is likely to be dominated by the new General Data Protection Regulation (GDPR). The effects on email marketing are not overwhelming, but there is a lot to note in the details. We will do our part in pointing out what to do in the run-up to the go-live date and beyond, but it remains your responsibility to familiarise yourself with its intricacies.
The ICO website is very helpful in covering all the requirements under the new regulations. It uses clear language and is well presented. However, there are one or two things to look out for.
One problem is that definitions have changed in detail. This can lead to difficulties, as it is easy to get confused as to which is which. I would suggest that instead of concentrating on how the wording has changed, it is best to work entirely with the new definitions. Take, for instance, what the GDPR defines as a personal data breach.
For us, with our email marketing lists, the threat of a personal data breach is very real, but the GDPR uses a broad definition. In essence it includes ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’
Whilst hackers in darkened rooms wheedling their way through your defences is what springs to mind whenever a personal data breach is mentioned, you can see that it goes well beyond that. If a data processor, working on your email marketing lists, accidentally deletes them, it is not only a catastrophe for your company, it is also a personal data breach, as there is a loss of availability of personal data.
A breach is not dependent on a deliberate act. Sending personal data to the wrong person would also be a breach whether or not the sender did it deliberately. Access by an unauthorised third party, whether with criminal intent or not, would be included.
The GDPR requires responses from you if, for instance, something happens to your email marketing lists. These vary depending on the nature of the breach. We will cover this in a future article.