GDPR and Email Marketing
On May 25, 2018, the new General Data Protection Regulation (GDPR) came into effect. When a new regulation comes into force, it is normal for doubts to arise about its implementation and its implications for companies, so we will try to resolve them in this article.
What is the GDPR?
The European Union has updated its data protection regulations. This new rule is called the General Data Protection Regulation (hereinafter, GDPR), and it applies generally to all types of entities, from public authorities to small and medium-sized enterprises, regardless of whether the processing takes place within the EU or outside, as long as it affects European citizens. The main innovations brought by this European regulation are:
- Explicit consent: the implicit consent that was often relied on in data processing is nullified "de facto", and real, express and explicit consent is required. Under the new regulation, the consent request must state the purposes of the processing and who is responsible for it. It must also state whether the personal data being processed will be managed in third countries. It is advisable that this international management is carried out in EU countries.
- Increased controls on suppliers with access to data, especially suppliers outside the EU: these controls must be more exhaustive, and all aspects that affect the security of the information handled must be regulated by contract.
- Privacy by default: any new activity must be designed to protect the privacy of the information handled from the moment of its conception.
- Increased rights over personal data: the right to be forgotten, which enables the deletion of user data; the right to portability, which allows data to be transferred from one provider to another; and the right to object to profiling for marketing purposes using user information.
- Incident notification: incidents that have an impact on the security of information and personal data must be communicated to the supervisory authorities and the affected users within a maximum period of 72 hours.
You can check the percentage of compliance that your company has with respect to the GDPR with our self-assessment tool.
How does it affect email marketing?
The reality is that, although this new regulation increases the protection of subscriber data, it does not prohibit anything that was not prohibited before. The Spanish data protection legislation, made up of the LOPD and the LSSI, was already one of the most restrictive in Europe, so the changes that have occurred do not affect email campaigns.
What tools are available in Acumbamail to comply with the GDPR?
Our forms are prepared to comply with the requirements of explicit consent, with a checkbox that the user must actively tick to accept the privacy policy. You can also link to your company's privacy policy in the form itself.
To add a checkbox to a form, you first have to add it as a field in the list where you have included the form. Within the list, click on the Fields tab and add a checkbox/boolean type field.
Then go back to the list's form and, in step 3 of creating forms, drag the checkbox field into the form template and modify its text with the editor. You can also make it mandatory to subscribe (to do that, double-click, select the pencil icon and check Mandatory to subscribe).
You can add a link to your privacy policy directly in the text editor in this way:
<a href="url"> text </a>
Does Acumbamail share its customers' data with third parties?
Acumbamail does not share its customers' data with third parties in any case. The databases that you upload to Acumbamail will be private and you will be the only one who can use them. No commercial communication will ever be sent to your customers and your database will not be shared with any other company.
Should I ask my subscribers for consent to send them campaigns?
- When the recipients of your campaign are your customers: normally contracts are signed (or accepted) with customers in which it is clearly expressed that the personal data they provide will become part of an electronic file registered with the Data Protection Agency. These customers have given their explicit consent when accepting this contract and, therefore, you can continue sending them emails.
- When the recipients voluntarily subscribed to your mailings: this case is quite clear, since most subscription systems use a method known as double opt-in (basically, an email is sent to verify the address and thus ensure that the person who made the subscription is the owner of the email address). This acceptance through double opt-in is considered explicit consent, so any email address verified through double opt-in is considered valid to continue sending campaigns.
- When a registration is made without email verification but with acceptance of your privacy policy: when someone has accepted your privacy policy, the case is similar to that of an old customer, since there has been an acceptance of the clauses among which is the use of personal data for these purposes.
In these cases, which cover the vast majority of subscribers, it is not necessary to send a consent campaign. Keep in mind that if you send this type of campaign, especially these days, you risk people not giving you their consent simply because of the gigantic volume of emails in circulation, and you will lose a large part of your database and your business, so try to send it only to people who do not fall under these cases.
How can I send a consent campaign?
If, after reading the previous section, you still want to send the consent campaign, at Acumbamail we have prepared a tool that makes it easier. The steps you need to take are as follows:
1. Create a normal or classic campaign, select your list and choose a template from the "basic" category, for example "Basic notification" (remember that you must use the new editor).
2. When editing the template, remember that it should be as simple as possible. It should include a text explaining the reason for the notification, for example, that if they want to continue receiving your campaigns, you need them to give you their consent again in order to comply with the GDPR.
3. Finally, add a button with the text "renew consent", "resubscribe" or whatever you consider appropriate. When editing the link of this button, click on "Special links" and then "Renew GDPR consent".
Once you send your campaign, a field named "GDPR Accepted" will be created automatically in your list, and it will be marked as True for all subscribers who click on the button. For the subscribers who click, another field named "GDPR Date" will also be created in your list, storing the exact date on which they clicked on the consent button. With this you will have the consent given through an affirmative action (pressing the button), and you will have it stored in your Acumbamail list.
Subscribers who press the button will be taken to the "Thank you for subscribing" page, as they are actually resubscribing to your notifications. Remember that you can change this page from the Notifications tab within a specific subscriber list. You can find more information about this in Lists.