Private Thoughts on the New Data Protection Laws!
The rage against GDPR misinformation where email marketing is concerned continues…
Written by the Advisory team at Dmax (Malta) and edited by Ray de Bono
We've all been inundated with GDPR-related emails and information. Speaking of spam, there was a lot of paranoia too, with many organisations sending tonnes of needless emails begging people (often their own clients) to stay on their lists. Much of this was hype: in many cases those emails were unnecessary.
The new EU General Data Protection Regulation (GDPR) has come into force, bringing with it substantial changes to the way organisations look after the data of the individuals whose details they have collected. Gathering the email addresses of potential and existing clients has been the cornerstone of successful marketing for as long as the internet has existed, but as of 25 May 2018 the rules you need to adhere to have changed significantly. To help you understand the implications, the Advisory team at Dmax (Malta) has condensed what you need to know into a few short paragraphs.
What is the GDPR and what does it entail?
The GDPR is an EU regulation that replaces the 1995 EU Data Protection Directive and the national data protection laws based on it, with the objective of strengthening the privacy rights of individuals in the EU and ensuring a level playing field across the Union. The GDPR is built on a number of core principles, including:
- The requirement to be transparent with data subjects on the handling and use of personal data.
- Ensuring that a lawful basis for processing personal data exists.
- Data minimisation: collecting and processing only the personal data that is required for the stated, legitimate purpose.
- Ensuring that data is only stored for as long as it is needed.
- Ensuring that personal data is protected by technical and organisational security measures appropriate to the risk.
In general terms, the way you handle personal data should keep all these principles in mind.
GDPR relates purely to “personal data”, which is defined as any information that relates to an identified or identifiable living individual. With this in mind, even pieces of information which when combined can lead to the identification of a specific individual fall under the definition of personal data.
Under the GDPR an individual should be in control of their personal data. This starts with the right to know which organisations are processing their personal data and the purpose of that processing. The GDPR also embeds a general right for individuals to object to processing, ask for processing to be restricted and an unconditional right to object to direct marketing. These rights lead to obligations on organisations to ensure these rights are respected.
You also need to give consideration as to why you are collecting people’s data as you are required to have a valid, lawful basis in order to process personal data. The GDPR sets out six lawful bases for processing and you would need to decide which is the most appropriate to use dependent on the purpose of the processing and your relationship with the individual. The six bases are as follows:
- The individual has given consent to the processing of his or her personal data for one or more specific purposes (consent must be freely given, specific, informed and unambiguous; see the consent section below).
- Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject's request before entering into a contract.
- Processing is necessary for compliance with a legal obligation to which you, the controller, are subject.
- Processing is necessary in order to protect the vital interests of the data subject.
- Processing is necessary for the performance of a task that is carried out in the public interest or in exercise of the official authority vested in you, the controller.
- Processing is necessary for purposes of legitimate interests pursued by you, the controller, or a third party, except where those interests are overridden by the fundamental rights and freedoms of the data subject.
Where an organisation processes personal data on behalf of another company and on that company's instructions, it is defined as a data processor under the law, while the company that decides why and how the data is processed is the data controller. This means that Dmaxepaper.com, as the email marketing services provider, would be classified as a data processor, and you, its customer, as the controller.
Regarding email marketing, you will need to determine whether consent is required. In the case of marketing your own similar products or services to existing customers, explicit consent is not needed, based on the 'soft opt-in' derogation in Malta's e-privacy rules, provided the address was obtained in the course of a sale and the customer was given a clear, free and simple way to opt out both when the address was collected and in every message sent. For non-customers, seeking consent is a must.
Where the conditions for ‘soft opt in’ referred to above do not apply you would need to ensure you have suitable consent. The GDPR raises the bar in terms of what can be considered adequate consent.
Under GDPR adequate consent has the following features:
• Consent must be active i.e.
- Silence cannot represent consent.
- Pre-ticked boxes or other types of automated opt-ins are not valid consent.
- Consent must be evidenced.
• Consent must be distinguishable, intelligible and clearly presented
- Where consent is requested in a written declaration that also concerns other matters, the consent for, say, marketing purposes should be presented separately from those matters.
- The consent request should be easily understood by the intended audience.
- Therefore legalese should be avoided and special consideration should be given to vulnerable data subjects.
• Consent must be freely given
- The consent should not be conditional on other matters such as provision of service.
- The balance of power between the controller and the subject is relevant to whether consent is freely given. For example, it is problematic to obtain valid consent at the start of an employment contract.
• Consent must be revocable
- Consent may be withdrawn by the data subject at any time.
- It should be as simple for the data subject to withdraw consent as to give it.
- If consent is withdrawn, you cannot silently switch to another lawful basis in order to continue the same processing.
Did you know?
Dmaxepaper.com provides users with tools to collect 'double opt-in' subscriptions when signing up contacts: the address is only added to the list once its owner confirms from the mailbox itself, which weeds out mistyped addresses and stops a third party from signing someone else up.
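To make the mechanics concrete, here is an added example of a double opt-in flow with the two properties the paragraph above relies on: the confirmation link carries a token that cannot be forged or reused after it expires, and the confirmation itself is stored as the evidence of consent that the GDPR asks you to keep. This is illustrative code written for this page, not Dmaxepaper.com's own implementation; the secret, the time-to-live and the in-memory storage are assumptions.

```python
"""Double opt-in: an address joins the list only after the mailbox owner visits a
confirmation link carrying an HMAC-signed, time-limited token, and the
confirmation is recorded as consent evidence (example code, not Dmaxepaper.com's)."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical server-side secret; in a real deployment load it from a secrets store.
SERVER_SECRET = b"example-secret-rotate-me"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed: confirmation links stop working after 48 hours
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def _mac(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_confirmation_token(email: str, form_id: str, secret: bytes = SERVER_SECRET,
                             now: Optional[float] = None) -> str:
    """Bind address, sign-up form and expiry into a URL-safe token; the MAC prevents forgery."""
    now = time.time() if now is None else now
    payload = json.dumps({"email": email.lower(), "form": form_id,
                          "exp": int(now) + TOKEN_TTL_SECONDS},
                         separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _mac(payload, secret)).decode().rstrip("=")


def verify_confirmation_token(token: str, secret: bytes = SERVER_SECRET,
                              now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the MAC is valid and the token has not expired, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(payload, secret)):  # constant-time comparison
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data


@dataclass(frozen=True)
class ConsentRecord:
    """Who consented, when, through which form and to which wording: the evidence you keep."""
    email: str
    form_id: str
    wording: str       # exact consent text displayed on the form
    requested_at: int  # when the address was submitted
    confirmed_at: int  # when the link was visited from the mailbox


class MailingList:
    def __init__(self, secret: bytes = SERVER_SECRET) -> None:
        self._secret = secret
        self._pending: dict = {}     # email -> (form_id, wording, requested_at)
        self._subscribed: dict = {}  # email -> ConsentRecord

    def request_subscription(self, email: str, form_id: str, wording: str,
                             now: Optional[float] = None) -> str:
        """Step 1: remember the request and return the token for the confirmation email."""
        now = int(time.time() if now is None else now)
        email = email.lower()
        self._pending[email] = (form_id, wording, now)
        return issue_confirmation_token(email, form_id, self._secret, now)

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Step 2: only a valid, unexpired token for a pending request adds the address."""
        now = int(time.time() if now is None else now)
        data = verify_confirmation_token(token, self._secret, now)
        if data is None:
            return False
        email = data["email"]
        if email in self._subscribed:
            return True  # confirming twice is harmless
        pending = self._pending.pop(email, None)
        if pending is None or pending[0] != data["form"]:
            return False
        form_id, wording, requested_at = pending
        self._subscribed[email] = ConsentRecord(email, form_id, wording, requested_at, now)
        return True

    def is_subscribed(self, email: str) -> bool:
        return email.lower() in self._subscribed

    def consent_evidence(self, email: str) -> Optional[ConsentRecord]:
        return self._subscribed.get(email.lower())

    def unsubscribe(self, email: str) -> None:
        """Withdrawal is a single step, as easy as giving consent."""
        self._subscribed.pop(email.lower(), None)
        self._pending.pop(email.lower(), None)
```

Until `confirm` succeeds the address exists only in the pending table, so an address entered by someone other than its owner never receives a campaign; a tampered or expired link is rejected before any list lookup; and the `ConsentRecord` created on confirmation is what you would produce if asked to demonstrate that consent was given.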
Who does GDPR apply to?
The GDPR applies to all public and private bodies that process the personal data of individuals in the EU. So whether you are a casual user of email marketing, a professional (say a doctor or lawyer) using dmaxepaper.com to communicate with clients, or a business owner in any sphere, the GDPR touches every aspect of your data, and ignorance of its rules is no defence before the law.
If your organisation is based outside the EU but offers goods or services to, or monitors the behaviour of, individuals in the EU, it will also need to comply with the GDPR.
What happens if I do not comply with GDPR?
Non-compliance with the GDPR may result in hefty sanctions from your national regulator, including significant financial penalties: the regulation provides for fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches. Different penalty tiers apply depending on which part of the rules you have not complied with. In other words, ensuring you are compliant is most definitely in your best interests.
Whilst many organisations are finding the new regulation hard to interpret or tough to implement, if you approach the GDPR through the eyes of your customer you will not only be looking after your clients' privacy, but actually improving the quality of your contact list. By ensuring that only the contacts who REALLY want to be on your list are the ones receiving your emails, you can expect a much higher open rate and an increased response rate, and the goals you hope to achieve with your email marketing campaigns will be reached far more easily.
Wish to learn more?
The GDPR is a highly fact-specific piece of legislation, and whilst every effort has been made to distil its key points into easily digestible information, several aspects of it are not yet well settled and may be open to interpretation or change. The information on this page is intended for informational purposes only and should not be construed as legal advice. If legal advice is required, we suggest you work with a legally qualified professional who can discuss how the GDPR applies specifically to your business and how best to ensure compliance.