Whilst all companies deal with the personal details of customers, the EU General Data Protection Regulation (GDPR) is of especial interest to those involved in email marketing. The requirements of the new rules, although unlikely to be law before 2018, are such that planning needs to start soon, and implementation of those plans only a little later.
If you read reports in the USA on the GDPR you will find it mentioned alongside the collapse of Safe Harbour, the implication being that the two are some form of coordinated EU-based attack on USA businesses. Read a number of them and you will see that some believe the EU is out to destroy the American way of life. This is not a healthy situation, with the Privacy Shield proposals also coming under attack.
The provisions of the GDPR place a requirement on EU businesses for robust and secure systems to ensure there is no breach of the regulations. It should be noted that the maximum fine has been increased to four per cent of global turnover. For Google that could mean around £1.75bn. For us it might mean disaster. You certainly don’t want to be in the dock if the EU courts decide an example is needed to deter the others.
The phrase ‘data protection by design’ is used in the GDPR and is a useful guideline for what is required. Many companies will need to rework their processes, products and services from the initial stages so that compliance is the default setting. Those who accept input on their websites via feedback forms, reviews or contact forms will need to take extra care. And who doesn’t use cookies? We will have to ensure that data is not unlawfully shared.
Such changes take time.
Similarly, it is easy to forget that the right to be forgotten requires a robust system to ensure that when a client asks for all their personal information to be deleted, you can do so promptly and effectively. Consider how many databases each subscriber to your email marketing lists will appear in. You will also need solid reasons if you rely on the exemption of legitimate grounds to retain information.
We also hope for a clear definition of what is meant by ‘deleted’. Merely formatting a disc or deleting a folder leaves the information inaccessible in the normal course of events, but the data is still there if simple, albeit unusual, recovery processes are used.
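The two points above, that one subscriber is scattered over several databases and that you need to be able to show the record is actually gone, are easier to see in code. The following is an added example, not code from the original post or from any real product: a small erasure routine over a constructed in-memory SQLite database (Python standard library only). All table names, the retain_for_tax flag, the salt and the sample addresses are hypothetical. It keeps an inventory of every store holding personal data, deletes the subject from each, pseudonymises rather than deletes rows you have legitimate grounds to retain, records the action in an audit log keyed by a salted hash rather than the address itself, and finishes by searching again to verify nothing keyed to the subject remains.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

# Constructed sample schema: one subscriber is spread over three stores, as the
# text warns. Every name here is hypothetical, not taken from any real system.
SCHEMA = """
CREATE TABLE newsletter_subscribers (email TEXT, name TEXT, signup_date TEXT);
CREATE TABLE crm_contacts (email TEXT, phone TEXT, notes TEXT);
CREATE TABLE orders (order_id INTEGER PRIMARY KEY, email TEXT, total REAL, retain_for_tax INTEGER);
CREATE TABLE suppression (email_hash TEXT PRIMARY KEY, added_at TEXT);
CREATE TABLE erasure_log (email_hash TEXT, store TEXT, deleted INTEGER, pseudonymised INTEGER, at TEXT);
"""

SAMPLE_ROWS = [  # constructed data
    ("INSERT INTO newsletter_subscribers VALUES (?, ?, ?)", ("alice@example.com", "Alice", "2015-04-01")),
    ("INSERT INTO newsletter_subscribers VALUES (?, ?, ?)", ("bob@example.com", "Bob", "2016-01-09")),
    ("INSERT INTO crm_contacts VALUES (?, ?, ?)", ("alice@example.com", "+44 7700 900123", "VIP")),
    ("INSERT INTO orders (email, total, retain_for_tax) VALUES (?, ?, ?)", ("alice@example.com", 99.0, 1)),
    ("INSERT INTO orders (email, total, retain_for_tax) VALUES (?, ?, ?)", ("alice@example.com", 12.5, 0)),
]

# Inventory of every store holding personal data. Table and column names come
# only from this fixed allowlist, never from user input, so interpolating them
# into SQL below is safe; the subject's address is always a bound parameter.
# A retain_column marks rows kept on legitimate grounds: they are pseudonymised
# (identifier replaced) instead of deleted.
PERSONAL_DATA_STORES = {
    "newsletter_subscribers": {"id_column": "email", "retain_column": None},
    "crm_contacts": {"id_column": "email", "retain_column": None},
    "orders": {"id_column": "email", "retain_column": "retain_for_tax"},
}

HASH_SALT = "example-salt"  # hypothetical; a real deployment loads this from a secret store


def open_sample_db():
    """Create the in-memory sample database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        conn.execute(sql, params)
    conn.commit()
    return conn


def email_hash(email):
    """Salted hash of the normalised address, so the suppression list and audit
    log can refer to the subject without holding another copy of the email."""
    normalised = email.strip().lower()
    return hashlib.sha256(f"{HASH_SALT}:{normalised}".encode()).hexdigest()


def locate(conn, email):
    """Return {store: row_count} for every store still holding this subject."""
    found = {}
    for store, spec in PERSONAL_DATA_STORES.items():
        n = conn.execute(
            f"SELECT COUNT(*) FROM {store} WHERE {spec['id_column']} = ?", (email,)
        ).fetchone()[0]
        if n:
            found[store] = n
    return found


def erase_subject(conn, email):
    """Honour an erasure request across all stores and verify the result.

    Returns a per-store summary plus a 'verified' flag that is True only when a
    fresh search finds no remaining rows keyed to the subject."""
    email = email.strip().lower()
    h = email_hash(email)
    now = datetime.now(timezone.utc).isoformat()
    summary = {}
    for store, spec in PERSONAL_DATA_STORES.items():
        col, retain = spec["id_column"], spec["retain_column"]
        pseudonymised = 0
        if retain:
            # Legitimate-grounds rows keep their business data but lose the identifier.
            pseudonymised = conn.execute(
                f"UPDATE {store} SET {col} = ? WHERE {col} = ? AND {retain} = 1",
                (f"erased:{h}", email),
            ).rowcount
        deleted = conn.execute(f"DELETE FROM {store} WHERE {col} = ?", (email,)).rowcount
        conn.execute("INSERT INTO erasure_log VALUES (?, ?, ?, ?, ?)",
                     (h, store, deleted, pseudonymised, now))
        summary[store] = {"deleted": deleted, "pseudonymised": pseudonymised}
    # A hashed suppression entry stops the address being re-imported from an old export.
    conn.execute("INSERT OR IGNORE INTO suppression VALUES (?, ?)", (h, now))
    conn.commit()
    summary["verified"] = locate(conn, email) == {}
    return summary


def is_suppressed(conn, email):
    """True if this address was erased earlier and must not be re-added to a list."""
    row = conn.execute("SELECT 1 FROM suppression WHERE email_hash = ?", (email_hash(email),)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_sample_db()
    print("before:", locate(db, "alice@example.com"))
    print("result:", erase_subject(db, "alice@example.com"))
    print("after: ", locate(db, "alice@example.com"))
    print("suppressed:", is_suppressed(db, "Alice@Example.com"))
```

The verification step only shows the record is logically gone from every store in the inventory; it says nothing about remnants on the underlying disc, which is exactly the gap in the meaning of ‘deleted’ raised above. Keeping a hash rather than the address in the suppression list and audit log avoids creating yet another copy of the very data the subject asked you to remove.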
There have been many piecemeal leaks of information whilst the legislation was being worked on, so it comes as a surprise to discover that the majority of businesses are unaware of what will be required of them. This gives a possible edge to those who are proactive. It is essential to assess your systems to understand where they must be modified to comply with the new regulations. Strict control of the information in your email marketing lists and your customer database should start as soon as possible.
Just a few years ago we were told that we should just ‘get over’ our lack of privacy. That now looks way off the mark, at least in the EU.