GDPR – its impact on email marketing platforms (Part 1)

Europe’s General Data Protection Regulation (GDPR) will take effect in May 2018. This regulation is not to be taken lightly. It will have wide-reaching effects on cloud service providers (CSPs) and providers of software as a service (SaaS).

Here I will focus solely on email marketing platforms, as this is my key area of interest. Since email marketing platforms store and process personal data (i.e. email addresses and names), they will be affected.

The market is saturated with a large number of players, ranging from Nasdaq-listed companies that bolt an email marketing component onto a larger product to dedicated email marketing platforms run by companies of fewer than 100 employees.

Here are some of the new rules that will affect the industry:-

  • A customer’s (“Data Subject”) right to be forgotten
  • A Data Subject’s consent, not just forgiveness – i.e. emails may only be sent on an opt-in basis, rather than merely offering an option to opt out
  • A Data Subject’s right to access and rectification
  • A Data Subject’s right to data portability
  • Pseudonymization / anonymization of stored personal data
  • A legal agreement between the email marketing service subscriber (“Controller”) and the email marketing service provider (“Processor”)

So email marketing platforms (e.g. Constant Contact, Marketo, SendSmith, Mailchimp, etc.) are now effectively defined as the “Processor”, and under the new legislation Processors are required by GDPR to follow a number of strict obligations even if the Processor is not based in Europe. Previously, Controllers (e.g. the client or subscriber) would fob off responsibility to the Processor, who would claim to be outside the EU and therefore not subject to EU legislation, so nobody was culpable. Under the new GDPR rules, certain clauses must be included in the agreement between Controller and Processor before the Controller is deemed compliant, including the following:-

– The subject-matter and duration of each processing activity
– The nature and purpose of each processing activity
– The types of personal data and the categories of Data Subjects
– The obligations and rights of the Controller
– Processing of the personal data only on documented instructions from the Controller (including with regard to transfers of personal data to a third country or an international organisation)
– Ensuring confidentiality
– Taking appropriate measures to ensure security
– Notification of the Controller of any data breach without “undue delay” after becoming “aware” of the breach

(To be continued)…