In times of Big Data, Omnichannel Marketing and the Internet of Things, the upcoming EU General Data Protection Regulation seems overdue: the same data protection standards apply to all EU countries, starting in May 2018.
But what exactly does that mean for companies and their email marketing? We interviewed our manager and legal security expert Konrad Frerichs.
PUSH: Konrad, what stays the same and what’s new about the EU General Data Protection Regulation (GDPR) that will be applicable in May 2018?
Konrad Frerichs: The new EU General Data Protection Regulation protects personal data of natural persons. That’s the same as the "old" and currently still applicable Federal Data Protection Act.
The GDPR makes data protection even more transparent by making it necessary to document relevant data protection processes much more intensively than before.
Who does this apply to?
Anyone – whether people, companies or authorities – processing or commissioning personal data. Heating engineers managing their customer life; debt collection agencies wanting to collect receivables; the Chamber of Commerce and Industry managing their members, and so on …
What are the challenges that the data protection management of companies are facing now?
Step one: Companies must identify where and how they process personal data. Nowadays, data processing is natural in so many areas that you sometimes don’t recognize it as such. Many people probably think of their customer management when it comes to data protection, and they are right. But how about your staff, for example? Data is processed here as well.
Step two: Once the individual processes have been identified, it has to be clarified whether the data processing is legal and clean. The processing of personal data is only permitted if there is a justification (e.g. the consent of the person concerned, because it is necessary for the fulfilment of a contract, legal obligations and the like). If this is not the case, these “gaps” must be closed in accordance with the law.
Step three: Companies have to observe and implement the new documentation, transparency and information requirements of the GDPR.
What should newsletter managers keep in mind from May on regarding new customers and existing address lists?
The GDPR regulates several reasons for allowing the processing of personal data, including the email addresses used. In the context of newsletters, the recipient’s consent usually allows the processing to take place. The GDPR tightens the requirements for effective consent.
For this reason:
First: The responsible person must prove that recipients have given their consent for processing their data and receiving a newsletter. It’s not necessary to have a printed form; the logging of electronic consents makes sense.
Second: The recipient must know the extent of the data, the purpose their data are processed for, as well as the consequences of refusing to grant consent. For this purpose, it is necessary that the request for consent is written in an easily accessible and understandable form and in clear and simple language. When asking for a recipient’s consent, you have to point out that they can withdraw their consent at any time. It’s not allowed to demand something in return for this withdrawal.
Third: In the case of consents which have already been validly given in the past, it is not necessary to ask for them again. These consents still have to fulfill all aspects required by the GDPR. However, if a previously given consent violates the requirement of voluntary action, it won’t continue to apply and must be obtained again. This should be done as soon as possible before the upcoming changes of the GDPR.
What consequences do companies have to expect if they violate the law?
It can be assumed that the fines will increase compared to the fines in the past. You can also expect an increasing use of fines because of increasing formal requirements for documentation, and the fulfilment of formalities is relatively easy to handle. But as for so many points of the new law, we will have to wait and see.
However, I can only give all companies the tip that, in view of the new requirements and impending fines, they should not fall into a state of shock paralysis but should tackle the challenges with courage and thus avoid negative consequences.
And who should you turn to if you are not sure whether you have already implemented all the necessary measures?
The first contact person is always – if available – your own or another data protection officer. They have the necessary expertise.
It’s not the task of the data protection officer to ensure compliance with data protection regulations themselves. That’s the task of the person responsible for data processing or the processor of the order. However, it is not only the data protection officer’s task to monitor compliance with the data protection regulations, but also to inform and advise the person responsible for data processing or the processor on their duties.
In addition, there are certainly a number of other consultants who can be interviewed. A large number of lawyers have specialized in questions of data protection law.
Everyone may decide for themselves whether to make use of the advice provided by the competent data protection supervisory authorities. But be careful: a request to the authorities can also cause them to act beyond the question asked.
Last but not least: What security features does CleverReach® offer its customers in this respect?
CleverReach® relies on a combination of flexibility and security: The extent to which personal data should be collected, e.g. opens or clicks, is the responsibility of the respective sender. At the same time, the customer’s consent to the collection of their data is fully recorded in our software by using Double Opt-In.