How EmailOctopus can help you prepare for the upcoming General Data Protection Regulation changes
The GDPR (General Data Protection Regulation) comes into force on 25th May 2018. The GDPR legislation is designed to give EU citizens more control over their data and to unify the regulations across the EU for how that data is processed. The legislation applies to all businesses operating in the EU and to all businesses (irrespective of location) who handle personal data on EU citizens. EmailOctopus will be fully compliant with the regulation by 25th May 2018 and we're here to help you comply too.
We've thoroughly read the EU documentation on the GDPR and have worked closely with our lawyers to grasp the impact on EmailOctopus and our customers. We are now at a stage where we fully understand the regulation, the key concepts and most importantly, what needs to be done to be compliant. We've outlined the steps below which show the changes we are making.
While it's important that EmailOctopus is compliant with the changes, it's equally paramount that you, our customers, are compliant and understand what's involved with the changes. We've outlined a plan of changes to the platform which will make it simpler for you to comply and to remain on the right side of the law.
The GDPR, like any change in law, is a huge document made up of a number of different articles and concepts. Using the experience and knowledge gained by going through the compliance process ourselves, we have outlined the key changes which will most likely affect your business. We're not lawyers, so we'd advise taking legal advice where required. We'd also recommend that you give the legislation a read yourself; the UK ICO website is a great place to start.
It covers all businesses, irrespective of location
This is perhaps the biggest change to data protection regulations, which is why it's here, right at the top. GDPR applies to all companies processing the personal data of individuals (data subjects) living in the European Union, regardless of the company's location. In short, if you run a store based in the USA which has customers based in Germany, then you will need to comply with GDPR. In that case you will also have to appoint a representative in the EU.
Fines
One of the main reasons why companies are taking GDPR so seriously is the huge fines which can be issued if in breach of the regulations. If you are found to have breached the regulation you can be fined up to 4% of annual global turnover or €20 million (whichever is greater). The fines apply to both controllers and processors and will be issued for serious breaches. With the right advice and steps taken, though, you should be okay.
Consent
EmailOctopus only allows you to send emails to users who have opted in, or consented, to receiving communications. This will remain the same, but GDPR will strengthen the conditions for consent. Consent must be freely given; it must be distinguishable from other matters and be provided in an easily accessible form, using clear and plain language. You will need to make it as easy to withdraw consent as it is to give it, so ensure you have unsubscribe links in all emails. In short, this will not mean a significant change for most genuine businesses; but if you're using any kind of confusing double-speak or pre-ticked checkboxes to collect emails for marketing purposes, those methods are no longer okay.
Breach notification
In the event you get hacked or an employee's laptop gets stolen, you will need to notify your customers if the breach is likely to "result in a risk for the rights and freedoms of individuals". This must be done within 72 hours of first having become aware of the breach. No cover-ups allowed, even if you're a large VC-backed taxi firm.
Right to access
Your customers, employees or other data subjects now have the right to request how their personal data is being processed, where it's being processed and for what purpose. Furthermore, you'll need to be able to provide a copy of the personal data, free of charge, in an electronic format.
Right to be forgotten
This entitles the data subject to have the controller of the data erase their personal data. This only needs to be done under certain conditions, which are outlined in Article 17 of the GDPR. As a controller you should not be holding personal data for any longer than necessary - those old lists and campaigns you have in EmailOctopus? If they're not needed anymore, they should be deleted.