What is GDPR?
The General Data Protection Regulation (GDPR) is a new digital privacy regulation that will take effect on May 25, 2018. It standardizes a wide range of different privacy regulations across the EU that protect EU consumers’ privacy and gives them greater control over how their data is collected and used.
How Does This Policy Affect You?
The new regulations are mainly targeted at businesses that collect consumer information from people living in the EU. However, if your organization or company markets to and/or collects information from anyone in the EU, you are required to follow the GDPR regulations. The fines associated with being non-compliant with GDPR are aimed at larger businesses with over 250 employees. However, any business or organization that “processes” personal data is responsible for being GDPR compliant. Given that your organization may have some EU nationals on its email list, may acquire a subscriber in the future, or may have an EU national visit your site, it is important to make sure your digital presence is compliant with the new regulations. Additionally, the United States may enact similar laws in the future, so now is a good time to be proactive about this measure.
What Data Does the GDPR Protect?
The GDPR protects uniquely identifying information such as:
- Email addresses
- IP addresses
- Physical device information such as a computer’s MAC address
- Individuals’ home addresses
- Dates of birth
- Online financial information
- Online transaction histories
- Medical records
- User-generated data such as social media posts (including individual tweets and Facebook updates)
What Steps Should You Take?
The GDPR states that organizations and companies must provide EU nationals with clear, easy-to-understand opt-in processes that clearly state how users’ data will be stored, analyzed and used. To be compliant, we suggest the following steps:
If you would prefer that we not collect information that may be used to help determine which advertisements to serve you, you can opt out or change your behavioral advertising cookie preferences by visiting the opt-out page for the Digital Advertising Alliance (U.S. residents and those not in the EU or Canada), the European Interactive Digital Advertising Alliance (EU residents), or the Digital Advertising Alliance of Canada (Canadian residents).
After your policy is updated, we suggest sending an email to your entire email list to notify them of the changes. We recommend this be its own email message, rather than a part of an upcoming newsletter.
Sample Email Message:
3.) Update your website’s opt-in forms if needed
Under the new regulations, users must actively accept all forms of data collection. For instance, if a user is completing a donation form or signing a petition, they cannot be signed up for your newsletter by default. The form or petition in question must have a checkbox that users can actively click (the box cannot be pre-checked), signaling that they have agreed to be added to your email list.
If your website and forms do not already comply with the above requirements, then you must update your website.
In addition, if you have acquired email addresses in a way that was not GDPR-friendly (for example, a purchased email list), you’ll need to collect consent from those contacts. To do so, send an email to every contact on your list whose consent was not obtained in a GDPR-compliant way, with a link to update their settings.
If you’d like to learn more about GDPR and see examples of how other companies are incorporating these changes, we suggest reviewing these resources:
- Mailchimp: About the General Data Protection Regulation
- Saper Law: GDPR Summary