We collected and answered the most frequently asked questions about the GDPR here.
1. What is the GDPR?
The GDPR is an agreed regulation with the goal of strengthening and standardising the protection rights for the personal data of EU citizens.
2. What are the goals of the GDPR?
- Creating uniform standards in all EU member states
- Giving individual citizens more control over their data
- Standardising data protection legislation within Europe
3. When does the GDPR go into effect?
The GDPR was already agreed on by the EU Parliament on 14 April 2016 and came into force on 25 May 2016. Direct application of the GDPR will become mandatory for all EU member states from 25 May 2018.
4. To whom does the GDPR apply?
The GDPR applies to everyone who processes the personal data of EU citizens.
5. Where does the GDPR apply?
The GDPR applies in all 28 EU member states. It also applies to companies and organisations outside the EU insofar as their data processing affects EU residents.
6. Why does the GDPR exist?
The GDPR supersedes the Data Protection Directive. It closes gaps in the data protection laws of individual EU member states and defines a uniform data protection standard throughout the EU.
7. How will the GDPR change email marketing?
The GDPR calls for the implementation of several new requirements:
Declaration of consent
It will be mandatory to obtain consent for every single use of personal data. This consent must be voluntary, specific, informed and clear.
Application example: John Doe actively, voluntarily and expressly consents to downloading a white paper from Inxmail by providing his email address to Inxmail for this purpose.
Prohibition of coupling
The request for personal data must be made individually for each designated use and may not be automatically coupled with other services.
Application example: John Doe has agreed to the download of a white paper from Inxmail, but Inxmail may not automatically add him to the recipient list for the Inxmail newsletter.
It will be prohibited to draw conclusions about the behaviour of individual newsletter recipients unless they have actively consented to the person-related tracking and processing of their personal data. However, the assignment of an ID (pseudonym) will be permitted. Data that can be directly attributed to a specific person should be saved separately from all other data. The recipient must also always have the option to switch from person-related to anonymised tracking.
Application example: John Doe switches from personalised to anonymised tracking. Now it is no longer possible to draw conclusions about his behaviour during a statistical analysis. Only general statements can be made about usage behaviour, e.g., “80 per cent of the newsletter recipients clicked the link to inxmail.com in the email”.
Personal data of children under 16 years of age cannot be processed unless the parents give their consent.
Application example: During a newsletter subscription process, a section of text appears for age verification purposes: ‘By subscribing, I confirm that I am over 16.’
Duty of disclosure
Recipients will have the right to view the personal data which the service provider has saved about them for each designated use. This data must be available in a structured and standard technical format.
Application example: With Inxmail, John Doe has the option to access his data in a profile with a browser. Here he has the option to revoke his consent to person-related tracking, for example, and can also subscribe to or unsubscribe from one or several Inxmail newsletters.
Right to erasure
In order to facilitate quick responses to requests for erasure, it must be documented which person-related data is processed at the company, where this data comes from and, if applicable, to whom the data was transmitted.
Application example: John Doe requests the erasure of his data at Inxmail. The data is deleted automatically from the databases and a confirmation is sent to John Doe.
8. How can you prepare for the GDPR?
You should review the following items, or have someone review them:
- Documentation of person-related data in your company
- Data compilation process (declaration of consent, age verification, documentation etc.)
- Rights of individuals (revocation of consent, erasure process, duty of disclosure etc.)
9. What changes will go into effect at Inxmail?
We implemented all necessary changes for our email marketing solutions. As such, we established the conditions for you to fulfil your obligations under the terms of the GDPR.
10. What opportunities will be created in email marketing by the GDPR?
Since individuals will have more control over the use of their own data, this will give email marketing the opportunity to collect qualified data. Customers who expressly agree to the use of their data will have a great interest in your products or services. This will provide an ideal starting point to approach customers in a targeted way, create customer experiences and sustainably increase customer loyalty as well as your sales.
11. What are the penalties for a breach?
The penalties for data security breaches will be increased drastically:
In the case of a breach, penalties can reach up to EUR 20 million or, if a company has committed the breach, up to four per cent of its worldwide annual sales, whichever amount is higher.