If your business is based in the European Union (EU), or you process the personal data of individuals in the EU, the General Data Protection Regulation (GDPR) - a new European privacy law - affects you. It takes effect May 25th, 2018.
Here is some information from MailChimp and Squarespace, the companies we use most often for email newsletters and websites. It should help you make an informed decision about what to do. We apologize for the late notice. Personal trials and tribulations got in the way, sorry, but let us know if you need help implementing any of this.
Do you need to comply with the GDPR?
If you are an organization that is established in the EU, or one that is processing the personal data of EU citizens, the GDPR will apply to you. Even if all you are doing is collecting or storing email addresses, if those email addresses belong to EU citizens, the GDPR likely applies to you. Non-compliance can result in financial penalties.
That said, I need to remind you that we are not legal counsel. If you have clients/customers and other people you collect personal data from in the EU, you may want to consult with legal and other professional counsel regarding the full scope of your compliance obligations.
So what does it all mean?
If you send emails to, or collect other personal data from, people in the EU, you will need to implement some changes to how you collect and store their data. One of the fundamental aspects of the GDPR is that organizations that collect personal information from people in Europe must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. For example, the law says that pre-ticked boxes on a newsletter signup form (along with silence and inactivity) do not count as consent, so you’ll need signup forms that make it easy to collect the permission you need.
When relying on consent as your legal basis, the GDPR says the consent you obtain must be freely given, specific, informed, and unambiguous. You also must clearly explain to people how you plan to use their personal data.
Please note: whatever system you use to send emails and collect personal data, just enabling GDPR fields on your signup forms does not make you compliant. It’s only the first step of the process. To collect consent from new and existing EU contacts, you’ll set up your forms and then send a consent campaign. If contacts do not consent to being on your email list, you must remove them.
Your business may not be affected by the GDPR. However, we think it wise to put these protections in place for the future since European law tends to set the trend for international privacy regulation, and increased privacy awareness now may give you a competitive advantage later.
All our best to you and yours,
Want all the technical details? MailChimp has a good guide here.
Planning on doing it yourself? Here is some info on how to do that in MailChimp.
Here is info on keeping your website compliant at Squarespace.