The opinions stated in this document are not legal advice and should not be construed or relied upon as such. As with the interpretation of any legislation, readers should consult a qualified legal representative.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is a new European Union (“EU”) regulation that will come into full effect on May 25, 2018. It will replace the existing EU Data Protection Directive and provides greater protection for individuals by imposing stricter requirements for personal data collection and processing, consent, and access to information.
Does the GDPR apply to all businesses, including those outside of the EU?
The GDPR applies not only to organizations located within the EU but also to organizations located outside the EU that offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of citizens of the European Union, regardless of the company’s location. Despite the pending “Brexit” initiative, the GDPR will also apply to UK-based companies.
What are the penalties for non-compliance?
Organizations can be fined up to €20 million or up to 4% of their annual global turnover (whichever is greater) for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the “Privacy by Design” concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ will not be exempt from GDPR enforcement.
What constitutes personal data?
Personal data is any information related to a natural person or “Data Subject” that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
What is the difference between a data “controller” and a data “processor”?
A “controller” is the person or entity that determines the purposes and means for the collection and processing of personal data. A “processor” is the person or entity that processes (e.g. digitizes, stores or catalogs) personal data on behalf of the “controller”. In this context, Campaigner’s customers are “controllers” and Campaigner is the “processor” of personal data for the purposes of the “controller’s” email marketing efforts.
What are the “controller’s” responsibilities?
According to Article 5 of the GDPR, the “controller” shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data. These are: lawfulness, fairness and transparency; data minimization; accuracy; storage limitation; and integrity and confidentiality of personal data.
According to Article 24 of the GDPR, “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the ‘controller’ shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
What are the “processor’s” responsibilities?
According to Article 28 of the GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Is there a requirement to store and/or process personal data within the EU?
No. The GDPR does not specifically state that EU citizens’ personal data must be stored and/or processed within member states. However, certain minimum requirements must be met before personal data can be transferred outside the EU. One such requirement is that the recipient or transiting country must satisfy an “adequacy decision” for maintaining data privacy and security. A data controller or processor that is “Privacy Shield” certified will meet this requirement. In addition, certain countries that already meet or exceed the EU’s data privacy and security requirements through enacted legislation will automatically be considered to have “adequacy status”. Canada is one such country and since Campaigner is located in Canada and all Campaigner data is stored and processed in Canada, Campaigner customers who transfer legally-obtained personal data to Campaigner for processing will be deemed to meet this requirement.
What is Campaigner doing to be ready for the GDPR?
Campaigner, as part of the j2 Global group, is taking all necessary steps to comply with the GDPR, including engaging key stakeholders across our company to assess the impact of the GDPR on our customers and actively evaluating our internal controls and procedures to identify any changes that need to be implemented in order to comply with the GDPR by the May 25, 2018 deadline.
Campaigner will also be incorporating language into existing and new contracts and updating our privacy policies to provide additional assurance that we have appropriate legal mechanisms and safeguards in place to securely process and transfer personal data in relation to the services we provide.
Campaigner may require you to sign or otherwise agree to updated contractual terms before the May 25, 2018 deadline in order to continue providing services to you after the GDPR comes into effect.
What does this all mean for email marketers?
Email marketers may need to re-examine their current opt-in process. After May 25, 2018, subscribers must be informed of, and agree to, how their information will be used and what content they will be receiving — including newsletters, promotions or information about upcoming events.
Email marketers may also have subscribers indicate whether they are an EU citizen, to further track compliance.
Email marketers may need to fine-tune messages to not only grab the attention of potential subscribers, but also meet regulations by more clearly defining how their information will be used.
Data security is another mandate email marketers should take note of. In the event of a security breach, it must be reported to the data protection officer or supervising authority within 72 hours of discovery, with some exceptions.
Email marketers may want to use a system that allows them to quickly and easily find, edit and remove email contacts. This saves time and allows EU citizens the “right to be forgotten” and to be completely removed from all databases. Additionally, email marketers may want to review their security protocols and make sure they have a proper security breach plan in place.
While these new regulations don’t apply to non-EU consumers, it is important for businesses located outside of the EU to understand and migrate toward these standards. This helps establish respect and build stronger relationships with customers who are truly interested in receiving information about products or services from companies and/or information about those companies.
4. Responses to GDPR Requests
Under GDPR, EU citizens can ask you to reveal, correct, or erase their personal data. They can also ask you to stop processing their data in specific ways (e.g. no personalized advertisements) and may even ask for a portable, machine-readable copy of their data (refer to GDPR Chapter 3 for details). Email marketers may be able to mitigate the impact on their IT and support staff by automating responses to these requests where practical.
5. Privacy Officer
Whether or not a particular email marketer is strictly required under the GDPR to appoint a formal Data Protection Officer (DPO), they may find it beneficial to appoint a local and/or global data protection officer, privacy counsel or global privacy chief regardless.
6. Data Privacy Notices
Email marketers may want to update and publish their data privacy notices to include GDPR requirements.
Where can I get more information regarding GDPR?