GDPR stands for "The General Data Protection Regulation," which is a digital privacy law in the European Union. But it will impact every online marketer worldwide, including those in the United States.
The GDPR adds increased regulation to the processing of personal data in the EU. Although the law has been around for a while, enforcement will go into effect beginning May 25, 2018 in the EU.
However, this means if any of the email addresses on your current (and future) mailing lists are based in an EU nation, your data processing activities must be compliant, even if your business is located in the United States, or elsewhere.
For some businesses, this is not an issue and they can go on with their email marketing practices as before. However, for vast numbers of businesses and marketers, their lists contain significant numbers of email addresses located in Europe. And, for them, the restraints of the GDPR do apply.
A Brief Overview of the GDPR
The GDPR specifically addresses what it refers to as the "processing of personal data." This is significant as the term "processing" in the context of the regulation means "doing anything with data." To be safe, you should take this as meaning everything you do with all of the data your business collects for individuals.
In terms of email lists, this would include every step from actual collection of an email address and name (plus any other information you acquire) all the way through the point when you might delete that data from your email list.
So, what constitutes "data" for the purposes of the GDPR?
Fortunately, this only applies to personal data, which is anything that is related to someone who can be identified by it. This includes the following:
- Email addresses
- Physical addresses
- IP addresses
Unfortunately, some areas of the GDPR are a bit ambiguous or vague, so it is always better to include anything and everything that is associated with individual email subscribers on your email lists.
It gets a bit more complicated if you have been running surveys, quizzes, online challenges, etc. Also, this can include information gained through tagging or segmenting your CRM database. This is because those activities are considered "monitoring" the activities of people on your lists.
Who the GDPR Applies To
Again, it is always better to be safe than sorry when dealing with the potential downsides of the GDPR law. Essentially, this law applies to any commercial, or free, relationship or transaction where one or more of the individuals or parties are located in the EU.
For example, if you are a business or marketer based in the EU and working online, you must comply with the law for every aspect of your business. And, if you are based outside of the EU, but interact with individuals in the EU, you must also comply with the law.
Where it gets tricky is when your business or marketing efforts do not target any EU countries and your business is strictly a U.S.-based enterprise. The problem is that the nature of the Internet can allow anyone pretty much anywhere to sign up for your lead magnet or newsletter, etc.
If you have 1,000 email addresses in your database and only 10 of those happen to be in the EU, you must comply with the GDPR on every processing action taken with the data for those 10 individuals. This is best done by segmenting those addresses, along with any you cannot confirm the location for, and treating those as "GDPR-compliant" addresses.
Essentially, this means you must either delete those addresses and information from your lists, or go through the proper steps to obtain a secondary consent from those individuals granting you permission to market to them. Having merely exchanged their email address and name for a lead magnet or email newsletter subscription will not suffice as permission or consent.
The Principles of the GDPR
To help ensure the data privacy protection of EU citizens, the GDPR includes governing principles for the collection and use of personal data:
- All data will be processed lawfully, fairly and in a transparent manner
- All data will be collected for specified, explicit and legitimate purposes
- Data will be processed in a manner limited to what is necessary for those purposes
- All data will be accurate, up to date, and corrected as needed
- Data will be maintained so it identifies a person no longer than needed
- All data will be processed in a manner ensuring appropriate security
The scope of compliance is fairly broad. If your business is subject to the GDPR, you must be able to document your corporate compliance efforts and your commitment to data privacy and security. In addition, you must be able to establish that, in the event of a data breach, you are able to notify anyone whose data was affected.
According to an article posted at HR Daily Advisor,
With respect to accountability, the GDPR requires an affected business to implement data protection measures into its corporate policies and procedures as well as infuse its corporate structure with a culture of compliance. In the event of an investigation by an EU supervisory authority, businesses subject to the GDPR will need to show not only that they have comprehensive data privacy policies and procedures in place but also that they follow their policies and procedures in order to maximize their compliance efforts.
What To Do Now
There are a few key things that should occur before May 25, 2018.
For most U.S. businesses, little action really needs to be taken. You do want to go through your email lists and determine if you have any subscribers from the EU, or of unknown location. These will need to be separated and placed in their own list. Many email service providers are already doing this, or have done so.
The next key action you need to take is to re-engage with the subscribers on this special "GDPR" list before May 25. The goal is to reach out and ask them explicitly for their permission to market to them via email. This could involve either having them click a link in your email or sign up through an opt-in page.
For everyone else on your regular email list, you can continue marketing and reaching out to them as you have been.
Finally, anyone on your "GDPR" email list who has not given you the necessary consent by May 24, 2018 should be taken off the list. But keep in mind that even the act of storing or deleting their information is considered "processing," so this task must be completed before May 25, 2018.
Your Inbound Marketing Strategy
Inbound marketing is a great approach for your business. And getting your message out there is, in many ways, easier than ever before.
But achieving your marketing objectives with a content-based marketing strategy takes time. It won't happen with a few emails, blog posts or even some great videos.
People will need to consume your content for a while before they contact you. Quality, relevant content will drive your organic search traffic and boost your SEO results. In fact, without your content compelling them to contact you, your goals may never be met.
The good news is that you don't have to figure it out alone. In fact, one of the best investments you can make with your marketing budget is to partner with a solid firm like BroadVision marketing.