GDPR applies to any organization worldwide that collects or manages the personally identifiable information (PII) of EU and UK citizens, so virtually every digital organization in the world needs to comply.
The European Union’s General Data Protection Regulation (GDPR) goes into effect in May 2018, which means that any organization doing business in or with the EU has six months from this writing to comply with the strict new privacy law.
Penalties for noncompliance can be stiff: up to €20 million (about $24 million) or 4 percent of annual global turnover, whichever is greater.
What is Opt-In?
When a company uses an opt-in consent strategy, the consumer must affirmatively give the company permission to send information about new products or sales, or to share the consumer’s information with other companies that have a business relationship with the company holding the opt-in agreement.
What is Opt-Out?
In simple terms, you need to get explicit permission from the contacts in your EU email database before emailing them after the 25th of May 2018, once GDPR takes effect. The process of going through a list or email database to establish opt-ins is called ‘permission passing’.
The present understanding is that an existing email exchange with a prospect or customer will be considered consent.
Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
Keep records to demonstrate what the individual has consented to, including what you told them, and when and how they consented.
Make it easy to withdraw consent
Consent requests need to make it as easy (or easier) for individuals to withdraw their consent as it is for them to give it. This means individuals need to be told straight away that they can withdraw their consent at any time, and you must explain how to do it.
Use a double opt-in mechanism
A double opt-in mechanism guarantees that individuals don’t give their consent by accident. The first step involves a regular consent form. Once the individual has completed it, they’ll receive an email with an attached link that they need to click on to verify their consent.
You need to make sure that every name in your CRM database and every email in your automation system has given you permission to market to them. And, if someone opts out of an automated email sequence, that the two systems are updated to ensure that no further emails are sent. And no, having the next email already scheduled is not a valid excuse.
The solution is a single platform that holds the consent record of every user. One system of record, such as a CRM, lets you keep track of all your permissions data and show that you are GDPR compliant.
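The pieces described above (a consent record that stores what the person was told and when, a double opt-in link that has to be followed before any marketing goes out, a withdrawal path that is as easy as giving consent, and a single place the sending system asks before each email) fit together in a small ledger. The following is an added example written for this page, not code from any CRM or marketing product; the class and method names, the 48-hour link lifetime and the sample addresses are all the author's own choices.

```python
# Added example: a consent ledger with double opt-in, withdrawal and an audit
# trail. Not from any real product; names and the 48 h token lifetime are
# illustrative assumptions.
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


def _digest(token: str) -> str:
    # Store only a hash of the confirmation token, so a leaked copy of the
    # pending table cannot be turned into working confirmation links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ConsentRecord:
    """One consent decision in the form you must be able to show later:
    what was told, when and how it was requested, confirmed and withdrawn."""
    email: str
    purpose: str            # consent is per purpose, e.g. "newsletter"
    notice_text: str        # exact wording shown at the time of the request
    channel: str            # how the request was made, e.g. "web-form"
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None
    events: List[Tuple[datetime, str]] = field(default_factory=list)

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentLedger:
    """Single place that answers 'may I email this person for this purpose?'"""

    def __init__(self, token_ttl: timedelta = timedelta(hours=48)):
        # (email, purpose) -> history of records, newest last
        self._records: Dict[Tuple[str, str], List[ConsentRecord]] = {}
        # sha256(token) -> (email, purpose, expiry) for unconfirmed requests
        self._pending: Dict[str, Tuple[str, str, datetime]] = {}
        self._ttl = token_ttl

    def request(self, email: str, purpose: str, notice_text: str,
                channel: str, now: Optional[datetime] = None) -> str:
        """Step 1 of double opt-in: the form was submitted. Nothing is active
        yet; returns the single-use token to embed in the confirmation link."""
        now = now or datetime.now(timezone.utc)
        key = (email.strip().lower(), purpose)
        rec = ConsentRecord(key[0], purpose, notice_text, channel, now)
        rec.events.append((now, f"consent requested via {channel}"))
        self._records.setdefault(key, []).append(rec)
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (key[0], purpose, now + self._ttl)
        return token

    def confirm(self, token: str, now: Optional[datetime] = None) -> bool:
        """Step 2: the emailed link was followed. Unknown, reused or expired
        tokens are rejected, so consent cannot be 'given' by accident."""
        now = now or datetime.now(timezone.utc)
        entry = self._pending.pop(_digest(token), None)  # pop: single use
        if entry is None:
            return False
        email, purpose, expires = entry
        if now > expires:
            return False
        rec = self._records[(email, purpose)][-1]
        rec.confirmed_at = now
        rec.events.append((now, "confirmed via emailed link"))
        return True

    def withdraw(self, email: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """One call, no token, no second step: withdrawing must be at least
        as easy as consenting."""
        now = now or datetime.now(timezone.utc)
        history = self._records.get((email.strip().lower(), purpose))
        if not history or history[-1].withdrawn_at is not None:
            return False
        history[-1].withdrawn_at = now
        history[-1].events.append((now, "consent withdrawn"))
        return True

    def may_contact(self, email: str, purpose: str) -> bool:
        """Ask at send time, not at scheduling time: a withdrawal after the
        campaign was queued must still stop the email."""
        history = self._records.get((email.strip().lower(), purpose))
        return bool(history) and history[-1].active

    def audit(self, email: str, purpose: str) -> List[str]:
        """Human-readable trail across all records for this person/purpose."""
        lines = []
        for rec in self._records.get((email.strip().lower(), purpose), []):
            lines.append(f"notice shown: {rec.notice_text!r}")
            lines.extend(f"{ts.isoformat()} {what}" for ts, what in rec.events)
        return lines


if __name__ == "__main__":
    ledger = ConsentLedger()
    tok = ledger.request("ana@example.org", "newsletter",
                         "We will email product news; unsubscribe any time.",
                         "web-form")
    print("form only:", ledger.may_contact("ana@example.org", "newsletter"))
    ledger.confirm(tok)
    print("link clicked:", ledger.may_contact("ana@example.org", "newsletter"))
    ledger.withdraw("ana@example.org", "newsletter")
    print("withdrawn:", ledger.may_contact("ana@example.org", "newsletter"))
    print("\n".join(ledger.audit("ana@example.org", "newsletter")))
```

Two design points carry the compliance weight. Consent is keyed by (person, purpose), so a newsletter opt-in never silently covers partner offers, and the sending code calls `may_contact` for every message rather than trusting a list that was correct when the sequence was scheduled. The ledger keeps the notice text verbatim with each request, which is the record you would produce if asked what the person actually agreed to.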
Other than that, the requirements for explicit consent are the same as the GDPR’s definition of consent, which is:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
GDPR applies to the 28-nation European Union’s 510+ million citizens, as well as any business doing business with them, regardless of where it is based.
Steve Eckersley, ICO Head of Enforcement, said in the case of Honda and Flybe:
“Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law … Businesses must understand they can’t break one law to get ready for another.”
In practice, this means that leads, customers, partners, etc. need to physically confirm that they want to be contacted. You need to make sure you’ve actively sought (and not assumed) permission from your prospects and customers, confirming they want to be contacted. Therefore, a pre-ticked box that automatically opts them in won’t cut it anymore – opt-ins need to be a deliberate choice.
DO seek consent wherever possible — it’s better to be safe than sorry, and asking for direct, affirmative permission to contact someone via email is the most secure process under GDPR and E-Privacy legislation.
The introduction of the GDPR offers individuals a method to gain more control over how their data is collected and used – including the ability to access or remove it – in line with their right to be forgotten. As a marketer, it will be your responsibility to make sure that your users can easily access their data and remove consent for its use.
In (very) short, GDPR states that if a website collects, stores or uses any data related to an EU citizen, you must comply with the following:
– Tell the user: who you are, why you collect the data, for how long and who receives it.
– Get clear consent before collecting any data
– Let users access their data, and take it with them
– Let users delete their data
– Let users know if data breaches occur