General Data Protection Regulation (GDPR): What Senders Need To Know

October 13, 2017
Written by
Jamila Firfire
Opinions expressed by Twilio contributors are their own

General Data Protection Regulation (GDPR): What Senders Need To Know

Note: This is for general informational purposes only and is not intended to constitute legal analysis or legal advice. You should contact a lawyer to find out more about your particular obligations under the GDPR.

Changes to the General Data Protection Regulation (GDPR) were announced in May 2016 and, if you are an email marketer in the UK, this is pertinent to your email program. The new GDPR aims to harmonize the current patchy rules around privacy laws across all EU member states.

Here’s a breakdown of what you need to know.

What is the GDPR privacy law?

The GDPR is a new set of rules around data protection and will apply across the European Union. It aims to bring together the privacy laws across Europe into a simpler and clearer piece of legislation. The legislation has been designed to give individuals better control, access, and security over their personal data.

Quite simply, EU citizens will get more say over what organizations do with their data. The new GDPR becomes effective as of 25 May 2018 across all EU member states. There will be no further transition or “grandfathering” period, so don’t panic, there's still another eight months to ensure you’re well prepared for the changes to come.

Who does GDPR apply to?

GDPR applies to all EU businesses, regardless of size or industry, that handles personal data. It also applies to international organizations not based within the EU if you offer goods or services to, or monitor the behaviour of, EU individuals.

What counts as personal data?

The GDPR definition of personal data is broader and more detailed than it was previously. It includes online identifiers (such as IP addresses and other unique online or device IDs), identification numbers and location data, as well as pseudonymised (e.g. encrypted or hashed) personal data.

What are the key principles of GDPR?

Full details are set out in Article 5, but to summarise:
  • The personal data collected needs to be processed in a fair, legal, and transparent way. In other words, the data shouldn’t be used in a way the person wouldn’t expect.
  • It needs to be specific for its purpose, organizations need to be open about what they need the personal data for, and why.
  • Data should only be held for what’s needed and enough for the purpose–meaning don’t hold data about a person that you don’t need.
  • The data held needs to be kept up to date, accurate, and held for no longer than necessary.
  • People have the right to access their own data, they can request the data relevant to them and ask for it to be rectified, deleted, restricted, or ported to another organization.
  • All personal information needs to be kept safe and secure, and companies undertaking certain types of activities are now also required to appoint a Data Protection Officer.
What does it mean for the UK and Brexit? The UK Government have confirmed that GDPR will still apply to the UK as of 25 May 2018 and the UK’s decision to leave the EU will not affect this commencement. What happens when the UK leaves the EU is still unclear.

Why is all this so important?

Failure to comply could mean a €20 million fine or 4% of your organization's global turnover, whichever is greater.

How GDPR affects email specifically

The GDPR has made the definition of consent stricter. Under GDPR, you will only be allowed to send marketing emails to people who have provided clear, unambiguous consent to receive them (e.g. an opt in tickbox). You'll also have to give them information about why you’re collecting their data and what you will do with it. Implied consent—such as an opt-out option alone or pre-checked boxes—are unlikely to be valid forms of consent under GDPR. GDPR isn’t just about collecting consent but also keeping a record of this consent. GDPR requires companies to maintain a detailed record of the consents obtained and to give EU individuals the right to ask when and how their consent was given, and withdraw it freely at any time. If the person doesn’t want their email address used, they can ask for it be removed from your email lists.

If you don't have a preference centre set up, start thinking about one! It provides prospects and customers a choice of what information and content they want to receive and the ability to unsubscribe to them at any time. Our blog 3 Types Of Email Preference Centers can help you choose which is best suited for your organization.

What does GDPR mean for existing email data?

It might seem like bad news for email, but the new GDPR can actually be a benefit to your organization. GDPR might be stricter than the current rules, but it can mean improved engagement and overall email deliverability.

Remember, buying cold email lists is never a good idea and you certainly can’t ensure they are GDPR compliant. Start growing your own email lists with the help of our handy tips blog.

Take some time to check out our 2017 Email Deliverability Best Practice Guide to get more insight into what email deliverability is and what it could mean to your organization.

Recommended For You

Most Popular

Send With Confidence

Partner with the email service trusted by developers and marketers for time-savings, scalability, and delivery expertise.