GDPR compliant email marketing

How EmailOctopus can help you comply with the General Data Protection Regulation

The GDPR (General Data Protection Regulation) came into force on 25th May 2018. The GDPR legislation is designed to give people in the EU more control over their data and to unify the regulations across the EU for how that data is processed. The legislation applies to all businesses operating in the EU and to all businesses (irrespective of location) who handle personal data belonging to those in the EU. EmailOctopus is fully compliant with the regulation. Here are some common questions and answers related to the regulation and data protection.

Where is EmailOctopus based, and where are your data centres?

EmailOctopus is a UK based company. Our application and website is hosted by Amazon Web Services, in the EU region, and all your data is stored here. Our email sending servers for our EmailOctopus product are also based in the EU.

What features do EmailOctopus offer to help me achieve compliance?

While it's important that EmailOctopus is GDPR compliant, it's equally paramount that you, our customers, are compliant and understand what's involved with the changes. Here are a few things we offer within the platform to help you.

  • Double opt-in, making it simpler to record that users have given explicit consent.
  • GDPR friendly forms, where you can add checkboxes to gather the required consent.
  • A comprehensive data processing agreement which can be signed by you, the controller.

How does GDPR affect me?

The GDPR, like any change in law, is a huge document made up of a number of different articles and concepts. Using our experience and knowledge gained by going through the compliance process ourselves we have outlined the key changes which will likely affect your businesses. We're not lawyers, so we'd advise taking legal advice where required. We'd also recommend that you give the legislation a read yourself, the UK ICO website is a great place to start.

It covers all businesses, irrespective of location This is perhaps the biggest change to data protection regulations, which is why it's here, right at the top. GDPR applies to all companies processing the personal data of individuals (data subjects) based in the European Union, regardless of the company's location. In short, if you run an store based in the USA which is targeting customers based in Germany, then you will need to comply with GDPR. In that case you will also have to appoint a representative in the EU.

Fines One of the main reasons why companies are taking GDPR so seriously is the huge fines which can be issued if in breach of the regulations. If you are found to have breached the regulation you can be fined up to 4% of annual global turnover or €20 million (whichever is greater). The fines apply to both controllers and processors and will be issued for serious breaches. With the right advice and steps taken, though, you should be okay.

Consent EmailOctopus only allows you to send emails to users who have opted in, or consented, to receiving communications. This will remain the same, but GDPR will strengthen the conditions for consent. Consent must be freely given, it must be distinguishable from other matters and be provided in an easily accessible form, using clear and plain language. You will need to make it as easy to withdraw consent as it is to give it, so ensure you have unsubscribe links in all emails.​ In short, this will not mean a significant change for most genuine businesses; if you're using any kind of confusing double-speak and pre-ticked checkboxes to collect emails for marketing purposes, they are no longer okay.

Breach notification In the event you get hacked or an employee's laptop gets stolen you will need to notify your customers if the breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. No cover-ups allowed, even if you're a large VC backed taxi firm.

Right to access Your customers, employees or other data subjects have the right to now request how their personal data is being processed, where it's being processed and for what purpose. Furthermore, you'll need to be able to provide a copy of the personal data, free of charge, in an electronic format.

Right to be forgotten This entitles the data subject to have the controller of the data erase their personal data. This only needs to be done under certain conditions, which are outlined in article 17 of the GDPR. As a controller you should not be holding personal data for any longer than necessary - those old lists and campaigns you have in EmailOctopus? If they're not needed anymore, they should be deleted.

Any questions?

Send us a message if you'd like to ask us anything about EmailOctopus and GDPR compliance.

Get in touch