Your GDPR + Email Marketing Playbook: How to Prepare for the EU Data Law
Update 5/16/18: We now have Data Processing and Security Terms.
A new law called the General Data Protection Regulation (GDPR) went into effect on May 25, 2018 — and it impacted email marketers around the world.
The good news? If you’re using AWeber, you’re probably already doing many of the things required.
Keep reading for a walkthrough of the GDPR, what AWeber is doing to prepare, what it means for your email marketing business, and how you can prepare for the changes.
Update 4/28/18: Want to learn about the most common myths surrounding the GDPR and email marketing? We wrote about it here!
Disclaimer: This blog post is for informational purposes only, and you should not consider it legal advice. We recommend that you seek legal and other professional counsel to determine exactly how the GDPR might apply to you.
What is the GDPR?
The GDPR is a European privacy law approved by the European Commission in 2016. Its purpose is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.”
This is fantastic news for EU citizens. The GDPR will hold businesses and entrepreneurs more accountable for data breaches, require them to not only keep records of a person’s consent to disclose personal information, but also clearly state what the data will be used for up front.
(Is your small business or nonprofit making an impact beyond the inbox? Want to make an even bigger impact? You can win $20,000 from AWeber. Click here to learn more!)
Why the GDPR is a good thing for email marketers
The goal of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.
While it requires a bit more effort on your part, it can also lead to some pretty important benefits to your email marketing.
By taking greater measures to protect and use subscriber data correctly, you’re more likely to send more relevant, targeted, permission-based emails to your subscribers. And that can translate into more trust with your subscribers, fewer spam complaints and unsubscribes, and better email deliverability.
Win. Win. Win!
Who does the GDPR affect?
The GDPR applies to any data controller or processor who collects, records, organizes, stores or performs any operations on personal data of those who live in the EU — even if you don’t reside in a European country.
Personal data is any data that can be used to identify a person, including email addresses.
Data Controller? Processor? What are those?
Here’s a quick definition of each:
Data Controller: Any individual or business who determines how an individual’s personal data is processed.
Data Processor: Any individual or business who processes personal data on behalf of the controller.
As an AWeber customer who collects EU resident data, you would more than likely be considered a Data Controller. AWeber would be considered a Data Processor.
How does the GDPR affect me?
To understand how the GDPR will affect you, it’s first important to understand the key rights the new law protects and how these rights apply to you:
- Right to be informed: Your EU subscribers can ask about personal data, how it is used, and why it is being used at any time.
- Right of access: Your EU subscribers can request a copy of personal information at any time.
- Right of rectification: Your EU subscribers can update (or request updates to) personal information at any time.
- Right of erasure: Your EU subscribers may request that you or AWeber erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Right to object: Your EU subscribers may unsubscribe from any of your emails at any time.
Knowing these rights allows you to better understand your responsibility in protecting these rights.
How to prepare your business for the GDPR
There’s a lot to think about with the GDPR, and we understand that it can feel a bit overwhelming. So we’ve outlined five steps you can take to help prepare for the GDPR.
- Customer Terms of Service
- Data Processing and Security
- Affiliate Terms of Service
- Developers Terms of Service
2. Get explicit, opt-in consent from subscribers
The GDPR describes consent as “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Translation: You must explain how you will use a person’s data before he or she gives it to you. If you plan to use a person’s data for multiple reasons, you must disclose all those purposes from the get-go.
For example, imagine you have a weekly blog newsletter. Once a person subscribes, they’ll receive a weekly newsletter from you, as well as an occasional email promoting your product. To be compliant with the GDPR, you must explain on your signup form that subscribers will receive both educational newsletter emails and promotional emails.
There’s been a lot of talk about the need to have checkboxes in your signup form to be compliant with the GDPR. However, checkboxes are not necessary to comply with the GDPR, but are simply one of many ways to prove consent.
Another way to prove consent is by adding simple language to your signup form that clearly explains how you will use a subscriber’s personal data, what kind of content you will be sending them, and how often you will be sending it.
If you do, however, decide to use an optional checkbox on your signup form, make sure your checkbox is not pre-checked. To get affirmative consent, subscribers need to check the box themselves.
Here’s an example from outdoor enthusiast Paul Kirtley that demonstrates how to clearly explain how a subscriber’s personal data will be used:
As you’re reviewing your signup forms, here are a few questions to ask yourself:
- Have I made it clear to the subscriber what information I am collecting?
- Have I made it clear to the subscriber why I am collecting their information?
- Have I made it clear what information I will be sending them?
- Have I made it clear how often I will be sending them information?
Another common question people have is this: Do I need to have double opt-in (aka confirmed opt-in) now with the GDPR?
You don’t need to have double opt-in to be compliant with the GDPR. You can still use single opt-in and be compliant if you can prove informed consent in another manner. However, there are benefits to using double opt-in, including a more engaged list of subscribers and better deliverability.
For the subscribers who are already on your list, you can send a re-engagement email prior to the GDPR taking effect to confirm continued consent to receive your emails.
You can use AWeber’s new click automations for broadcasts to tag subscribers who click the confirmation link in the email.
3. Create or update your public-facing privacy policies
Along the same lines as gaining explicit consent, it’s a good practice to create, review, and update your public-facing policies around data collection and usage.
As mentioned above, your subscribers have a right to know how their personal data is being used, so make that clear and easy to understand in your policy.
Also, make sure your policies are easy to find. You can do this by adding a link to your policies within the footer of your signup form, emails, and website.
4. Document and communicate a process for data requests from subscribers.
The GDPR requires that you document and communicate a process for subscribers to opt out, make changes to their personal data, request copies of their personal data, or request that their data be deleted entirely from your records.
You may need to document a process for subscribers to make such requests.
Here are the types of requests to document and communicate, and how to fulfill them:
Unsubscribing from your list
Under the GDPR, subscribers have the right to object or opt out of your communication at any time.
Your subscribers already have the ability to unsubscribe on their own using the “Unsubscribe” link in the footer of your emails.
However, you can also unsubscribe them manually if they request it, either on a list-by-list basis or by bulk unsubscribing someone.
You can also make this option more obvious by adding it within your email messages. Here’s an example from Ann Handley with her bi-weekly Total ANNARCHY newsletter. You’ll notice she added an unsubscribe link following her signature, with some playful language.
Updating personal data
Subscribers also have the right to rectify or update their personal data at any time.
Similar to the unsubscribe link in your emails, subscribers already have the ability to update their personal data on their own using the “Change subscriber options” link in the footer of your emails. However, you can update their information manually upon request.
Requesting a copy of personal data you maintain
With the GDPR, your subscribers have the right to access their personal data you maintain.
Unlike opting out or update personal data, your subscribers won’t be able to access this information on their own. Instead, they will need to request it from you.
AWeber makes this easy for you to find this information within subscriber management. Using the filters, you can search for the subscriber’s email address. Then using the “Export CSV” option, you can export your subscriber information in a format you can deliver to them.
Deleting subscriber data entirely from your records
Under the GDPR, your subscribers also have the right of erasure. In other words, the right to be forgotten. That means you must delete their personal data upon request.
Deleting subscribers is easily done within your AWeber account using the “Search All Lists” feature. Simply use the “email” filter to search for the subscriber’s email address. Then check the box(es) next to their name and click “Delete.”
When you delete a subscriber from your list, that subscriber’s personal information will be deleted entirely from your reports and your list. However, deleting a subscriber will not affect your reporting data; you’ll still be able to view anonymous, aggregate reporting data in your account, but the deleted subscriber’s name and email address will be removed.
5. Begin keeping comprehensive records of how you collect personal data.
The GDPR also requires that you can prove the nature of consent between you and your subscribers. This has two parts: showing the signup source in the subscriber data, as well as a copy of the signup form or data collection mechanism from which they provided that consent.
You can accomplish this by either saving the underlying code, a screenshot or PDF you used to collect their information.
Remember: these tips are not intended to be legal advice and in no way represent a comprehensive standard for ensuring the GDPR compliance.
Download our GDPR checklist
Whew! That was a lot of information. Fortunately, we’ve boiled it down to a one-sheet checklist for a quick reference as you prepare for the GDPR.
What is AWeber doing to prepare for the GDPR?
AWeber is already self-certified with both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, and we comply with lawful transfers of EU/EEA personal data to the U.S. in accordance with our Privacy Shield Certification.
Additionally, we are actively preparing to be fully compliant with the GDPR by May 25, 2018.
To help us do so, we formed a dedicated, cross-functional team to organize, lead and carry out the work that needed to be done to bring AWeber into compliance with the GDPR.
Here’s what this team has been working on:
- Developing a comprehensive strategy to comply with the GDPR
- Conducting a detailed audit of our personal data and processing practices
- Review our services to ensure we protect the rights of EU citizens mentioned above
- Developing Data Processing and Security Terms for our customers
Moving forward, we will hold regular training sessions to ensure our team members are always up-to-date on our processes and best practices for helping our customers.
Update 4/28/18: Still confused about the GDPR? Not to worry. We set the record straight about six common myths surrounding the GDPR and email marketing.
Update 5/16/18: We now have Data Processing and Security Terms.
To learn more about the GDPR, visit www.eugdpr.org.
Have questions? Comment below and we’ll do our best to answer them.
Not an AWeber customer? Get the peace of mind of working with a trusted provider. Try AWeber free for 30 days.