By Bill McCloskey on Wednesday, 18 April 2018
Category: Email Strategy

Mitchell: GDPR: EU’s New Privacy Law – Does It Affect You?

If your business collects personal data from people residing in the European Union, regardless of where in the world your business is based, then it most likely already has an implementation plan in progress to comply with the GDPR (General Data Protection Regulation), which comes into effect on May 25, 2018. If your business collects that data but hasn't started yet, it's as late as someone 50 miles away from their best friend's wedding that starts in 4 minutes.

I’m not a lawyer, nor do I play one on TV, so none of what I write here is legal advice. Businesses should consult with their own legal counsel to learn whether the GDPR applies to them.

The GDPR was approved by the EU Parliament in April 2016 and gave companies 2 years to comply. It replaces and expands upon the Data Protection Directive of 1995 and gives Europeans more control over their data. The fines for non-compliance are steep: the upper tier (Article 83(5)) is up to 4% of the offender's annual global turnover or 20 million euros, whichever is higher, and a lower tier (Article 83(4)) of up to 2% or 10 million euros applies to infringements such as failing to keep processing records or to notify a breach. Where several infringements arise from the same processing operation, the total fine is capped at the amount for the gravest one (Article 83(3)).

“It doesn’t affect me; my company is US based and doesn’t market to European residents.” Where your company is based is not the test. Article 3(2) extends the GDPR to businesses outside the EU that offer goods or services to people in the EU (whether or not payment is required) or monitor their behaviour there. Merely having a website that an EU resident can reach, or accepting an inquiry from one, is not enough on its own (Recital 23), but pricing in euros, shipping to EU addresses, running campaigns in EU languages, or tracking EU visitors with analytics and marketing cookies are the kinds of signals regulators look at. Whether the authorities would pursue a company for 1 inadvertent offense is another matter; Gartner predicted in May of last year that 50% of US businesses that are actually subject to the GDPR will not be compliant by the end of 2018, so a single accidental collection is minuscule compared to the big banks, retailers and social media sites that actively collect and process EU customer or client data for millions of people. But the law is the law, so be educated and prepared.

“I don’t collect personal information from my EU-based customers.” “Personal data” goes further than you may think. Any data that identifies a natural person, directly or when combined with other data, is personal data. Under the definitions in Article 4 of the GDPR, that includes things like a “name, an identification number, location data, an online identifier or ... one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” For an email program that means the email address itself, the IP addresses and device identifiers your tracking pixels and links record, and the open and click history tied to a subscriber. It also applies to ‘pseudonymised’ data: replacing a name or address with a hashed or encrypted token does not take the data out of scope as long as the key or mapping that re-identifies the person still exists somewhere (Article 4(5) and Recital 26). Only data that has been anonymised so that the person can no longer be identified by any means reasonably likely to be used falls outside the GDPR.

“My company only has 50 employees; we can’t possibly be subject to the same rules as large companies.” Article 30(5) exempts companies with fewer than 250 employees from the record-of-processing requirement unless the processing it carries out “is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data ... or personal data relating to criminal convictions and offences.” Note the middle condition: a marketing list that is mailed every week is not occasional processing, so most email programs will not qualify for the exemption. Other than that narrow carve-out, businesses of all sizes are subject to the GDPR.

Your business may not fall under the GDPR’s jurisdiction, but the law tends to get tighter, not looser, over time, and data breaches and abuses of customer data in the US are now almost as frequent as Trump administration replacements, so don’t be surprised if US data privacy rules eventually change in favor of heightened data protection for Americans. Furthermore, your company may reach a point where managing several different sets of rules for customers in different countries is too cumbersome, and find it more efficient to apply the strictest rules to the whole international database. So why not read on to see what the EU has mandated, and how that affects email marketers?

So what does the GDPR say, in a nutshell? I repeat my earlier disclaimer that I’m not a lawyer, that what I’ve written in this post is not legal advice, and that any business should seek advice from its own legal counsel. The basic requirements below are paraphrased from a whitepaper by Osterman Research, titled “A Practical Guide for GDPR Compliance”, published in July 2017; there are many more details associated with each of them than what’s here:

The full GDPR regulation can be found here.


The US is governed by the anti-spam rules set out in CAN-SPAM, Canada by CASL, Australia by the Spam Act 2003 and New Zealand by the Unsolicited Electronic Messages Act 2007. That covers the main English-speaking markets other than the UK. All of these laws are specific to email or other electronic communication, while the GDPR more broadly regulates the processing of personal data. (In the EU, the rules on when you may send marketing email come from the ePrivacy Directive as implemented in each member state, the UK’s PECR for example; those sit alongside the GDPR rather than being replaced by it.) An email address is personal data, so for email marketers every mention of personal data and data subjects in the GDPR applies to your program: how you obtain and record consent, where the list is stored, which processors you share it with, and how you honor a request to be erased.


Helpful Anti-Spam Compliance Guides for the US and Canada:

CAN-SPAM (US): https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business

CASL (Canada): http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00211.html

About: GDPR
Audience: Email Marketers
Publisher: OnlyInfluencers.com
Copyright 2018, Only Influencers, LLC