NOTE: Goolara complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.
On May 25th, 2018, the General Data Protection Regulation (GDPR) went into effect in Europe. Designed to prevent the kind of abuses of private information that got Facebook into hot water recently, the regulation was wrestled over by the European Parliament and the Council of the European Union for three years before its final approval in April 2016. In spite of this careful scrutiny, the regulations can still seem a bit confusing and even contradictory at times. Fines for flouting the regulations are stiff, and they aren’t restricted to European companies. If your company does any business at all with European subscribers, you’ll need to follow the GDPR guidelines. Here are the main points to keep in mind to stay out of trouble.
You might be liable even if you’re not in Europe
If you strictly do business outside of the EU, you won’t have to worry about the GDPR: It only pertains to citizens of the European Union. If you’re not sure, or you have subscribers in Europe, you’ll want to make sure you follow the regulations, if only to be safe. The penalties for violating the GDPR are steep.
You’ll need to keep track of your subscribes and unsubscribes
This shouldn’t be a problem if you’re using Goolara Symphonie. It already does this automatically.
No pre-checked subscription boxes
If your sign-up page includes a verification check box, that box must default to unchecked. Pre-checked boxes are common in cases where the information is being given to affiliates, but a marketer might also use this data for their own records. If you’re using Symphonie’s built-in subscription forms, the forms already default to unchecked, so you shouldn’t have to worry about it.
Confirm subscriptions (existing and new, if necessary)
If you need to comply with GDPR, you’ll also need to keep proof that your subscribers really did sign up to receive your mailings. The safest way to accomplish this is with a double opt-in (also known as a confirmed opt-in). If you prefer a single opt-in, you may want to send a follow-up mailing to verify the subscription and to establish a “paper trail” (metaphorically speaking).
Get consents for all data
Any time you plan to add data to your subscriber records, you’ll need to make sure that the subscriber has approved the inclusion of that additional data in their record.
Notify subscribers in case of data breach
If you are using Goolara’s hosted service, we ensure that your data will remain safe, but on-premise users need to be advised that they are responsible for the security of their own data (we have no access to that data unless you’ve given us express permission to do so). By GDPR rules, in the case of a data breach, your subscribers must be notified within 72 hours from the time you became aware of it, with details on the nature of the breach, if possible, and how you are resolving the issue.
Everything here is for information purposes only. Companies with a strong European presence will certainly want to seek legal counsel to ensure they stay within the letter of the law. For more on the GDPR and its features, see our GDPR Overview on the Goolara Blog.