We covered the legal meaning of the GDPR’s right to be forgotten in a recent article. It can be summarised as an individual can demand of a company that their personal data be erased. Whilst there are times when this can be refused they are specific and limited. What we need to know is what changes to email marketing systems are necessary.
The reassuring news is that there is nothing revolutionary involved. For many of the requirements it amounts to tweaking current systems to ensure they comply. Even those requiring new processes are not that onerous.
The one essential is compliance. The penalties are likely to be quite high if a company is found in breach of the regulations. £17 million and 4% of global turnover, whichever is the maximum, concentrates the mind.
The first requirement is to familiarise yourself with the requirements of the GDPR. You will find that the correct terminology is right to erasure and this is a more accurate description. Once you understand the legislation, the matter will become clearer.
A company cannot make a charge for access as long as the requests are made at reasonable intervals. It is apparent that you will need systems as automated as possible to allow this. Further, an individual must only be allowed access to their own data. How this is best organised will be dependent to a great extent on the size of your lists and the data involved.
It can be seen that processes to reduce the likelihood of such requests might be a more efficient way of dealing with the requirement. For instance, if you tell a customer or subscriber exactly what you do with their data and how it is processed, the reasons individuals might want access could be minimised. One thing to note is that if, for whatever reason, you want to use the data for other purposes then this would be a breach of trust and possibly of legislation.
Both individuals and regulators will want to know how you use the personal data. This has a certain cost implication on its own, let along the problems that could arise if you cannot be specific. The answer is to have easily verifiable information of how each individual’s data is used.
You will also need to be able to show where, when and under what circumstances you gathered the data, what you stated you would do and what choices were available to the individual. Details of the design of landing pages and sign up forms would be useful. You need to be able to prove what you say you do.
It might seem as if all the work you’ve done to build up the data from your email marketing lists is at risk, and to an extent this is true. There is, commentators suggest, unlikely to be an overwhelming demand for data erasure, but those who do so might come from a specific demographic. You want the data about this section as accurate as possible and one way of ensuring this is to anonymise your data. In that way, the information you have gained will not be at risk.