One of the main goals of the GDPR is to extend the rights of European residents with regard to the handling of their personal data. This can be summarized as follows:
- More access and control over the storage and processing of personal data for consumers
- A tighter definition of consent and personal data
- More transparency into the use of their personal data once it has been collected
New rights for users
The GDPR has created new rights of access and data protection for “data subjects”:
- Right to rectification: The data subject may request that their personal data be updated or corrected.
- Right to be forgotten (right to erasure): The data subject may request that their personal data be permanently deleted.
- Right to portability: The data subject may request a copy of their personal data in a structured, commonly used, machine-readable format, and may ask that it be transmitted to another organization, including a competitor.
- Right to object: The data subject may object to specific types of processing or uses of their personal data.
- Right of access: The data subject has the right to be informed of any and all of their personal data that has been collected, as well as its intended use.
A new definition for consent
One of the big changes in the GDPR is the new definition of consent, which must now be “freely given” and expressed through a clear, affirmative action for each planned use of the subject’s personal data.
Opt-out practices (whereby subjects are automatically subscribed to a list, leaving it up to them to unsubscribe) and passive opt-in practices (pre-checked boxes in subscription forms) no longer count as valid consent under the new regulation.
Opt-in is now the only way to obtain valid consent. Wherever you rely on consent as your legal basis, as most email marketing and marketing automation does, it is therefore the only lawful means of obtaining and using customer contact information.
This means that from now on you must:
- Provide a separate opt-in for each of the different ways you plan to use your customers’ personal data (e.g. newsletter, automated emails, profiling, etc.), rather than one bundled consent.
- Ask your users for permission each time you want to use their personal data in a new way.
It is important to note that this new definition of consent also applies to the personal data of European residents collected before the GDPR took effect on May 25th, 2018.
If the consent you already hold meets this standard, you do not need to ask for it again. However, if your current lists do not comply with the GDPR, you must ask your contacts for explicit permission through an opt-in form before continuing to use their data.
More transparency, new requirements for risk control…
This page is mostly concerned with summarizing the implications of the GDPR for your email marketing and marketing automation practices, but the regulation also includes numerous other requirements: record keeping, nominating a Data Protection Officer, implementing a risk management process, etc.
Depending on your business and the nature of the personal data you process, the implications of the GDPR can be extremely far-reaching.
To better understand the requirements and legal ramifications for your organization, we recommend you consult a legal advisor specializing in personal data regulations.