You have probably heard that a new European privacy law, the GDPR, has brought big changes to how organizations process the personal information of EU citizens. We've put together this guide to help walk you through the law, help you understand how it relates to your use of Direct Mail, and help you prepare for any changes you may need to make.
What is the GDPR?
The GDPR, or General Data Protection Regulation, is a European privacy law that governs the collection and use of personal data belonging to citizens of the European Union (EU).
When does the GDPR go into effect?
The GDPR was approved by the European Commission in 2016 and became enforceable on May 25, 2018.
Who does the law apply to?
The law applies not only to organizations that are located in the EU, but also to any organization that processes the personal data of EU citizens, even if that organization is not located in the EU. This means that organizations both in and out of the EU should take the time to understand the law and how it may impact the way they handle personal data. Since the definition of “personal data” includes email addresses, it is a good idea for Direct Mail customers to learn about the law.
What is “personal data”?
The GDPR is intentionally broad in its definition of personal data. It is any information that could be used to identify a natural person. This includes information like names, social security numbers (or other identifying numbers), health data, physical addresses, telephone numbers, financial data, and more. Crucially for Direct Mail customers, it also includes information that you may obtain from your mailing list subscribers, like email addresses, names, IP addresses, and location data.
What does it mean to “process” personal data?
The GDPR defines the processing of personal data as basically any operation that would involve the collection, storage, use, or destruction of personal data. Direct Mail customers that collect and store the names, email addresses, or other personal data of EU citizens on their mailing lists would be considered by the GDPR to be processing personal data.
What is the difference between “controller” and “processor”?
The GDPR draws a distinction between two roles that one may have when accessing personal data: controller and processor.
The controller of personal data is a person, agency, or organization that (1) controls or determines the purposes of processing personal data, (2) determines what personal data is collected, and (3) determines the means of processing that data. As a Direct Mail user, you would be considered to be the controller of the personal data contained in your mailing lists and campaign reports.
A processor of personal data is a person, agency, or organization that processes personal data on behalf of the controller. e3 Software (the makers of Direct Mail) is the processor of the personal data contained in your mailing lists and campaign reports. This means that we process personal data at the direction of our customers, who are the controllers of that personal data. For example, our customers decide what mailing lists to import into Direct Mail, what personal data is collected on email sign-up forms, and which subscribers to send email to.
What does the law require of me?
The GDPR lays out many requirements, but the ones perhaps most relevant to email marketing can be found below. We’ve also included below details on how Direct Mail can help you, as a the controller, meet these requirements.
GDPR requires organizations to have a lawful basis for processing personal data
Under the GDPR, processing personal data is lawful only if at least one of the following is true:
- The subject has given their consent. See below for more information on consent.
- It is necessary for the performance of a contract to which the subject is party, or in order to take steps at the request of the subject prior to entering into a contract.
- It is necessary for compliance with a legal obligation to which the controller is subject
Please see Article 6 of the GDPR for the full list of acceptable legal bases.
GDPR requires organizations to respect the following rights of the individual
Right to be forgotten. An individual has the right to have their personal data erased or deleted without undue delay.
You can use Direct Mail's Personal Data feature to permanently remove any and all personal data relating to a subscriber.
Right to object. An individual has the right to object, at any time, to the processing of their personal data and also has the right to withdraw consent.
You can unsubscribe anyone from your list in Direct Mail at any time. To do so, select the subscriber and choose Addresses > Mark as Unsubscribed from the menu bar at the top of your screen.
Direct Mail also provides a built-in unsubscribe link that you should include in the footer of each email campaign that you send (here’s how). Subscribers who wish to withdraw their consent or remove themselves from your mailing list may do so at any time by clicking the unsubscribe link. Once an individual has unsubscribed, they will appear marked in Direct Mail as “unsubscribed” and will be automatically excluded from future email campaigns (unless they are added back to your list).
Right to restriction. An individual has the right to restrict the controller from processing their personal data.
Direct Mail does not use your subscriber’s personal data for any data science, data mining, machine learning, marketing, research, or other purposes. You remain in full control of the personal data for the individuals on your mailing lists. You should honor requests from your subscribers that pertain to the restriction of their personal data.
Right to rectification. An individual has the right to require the controller to rectify or correct inaccurate personal data concerning him or her.
You can update the personal data for your subscribers in Direct Mail at any time. To do so, double-click on the field of data for the subscriber you wish to edit. Direct Mail also provides a built-in “update email address” link that you should include in the footer of each email campaign that you send (here’s how). Subscribers who wish to correct their email address may do so at any time via that link. Changes are automatically synced to your Direct Mail project.
Right of access. An individual has the right to know what personal data about them is being processed and for what purpose.
As described below, when obtaining consent, you should make it clear to your subscribers what you are planning to use their personal data for (e.g. marketing emails, announcements, etc.). You can use Direct Mail's Personal Data feature to generate a report of all personal data stored in Direct Mail and on our servers.
Right to data portability. An individual has the right to obtain their personal data from the controller in a format such that they could transfer it to a different controller if desired.
GDPR imposes strict consent requirements
As mentioned above, the GDPR requires that you have a legal basis for processing an individual’s personal data. For Direct Mail users, the most common legal basis will be that you have obtained the individual’s consent to use their personal data (i.e. they gave you permission to use their email address to send them email). The GDPR imposes strict new requirements on what counts as legal consent. In order to comply, the individual:
- Must have consented to give you their personal data for a particular purpose. In other words, once you have an individual’s personal data, you can only use it for the purposes that they originally consented to (e.g. joining your mailing list to receive marketing emails).
- Must have explicitly opted-in. Silence, failure to opt-out, or inactivity does not constitute consent. Pre-checked “join my mailing list” checkboxes do not count as consent.
You should ensure that, for each person on your list, you have a record of how and when you obtained their consent to send them email. This is true even for people that joined your list prior to the GDPR taking effect. If the consent that you originally obtained at the time they joined your list meets the requirements of the GDPR, then you do not need to re-request their consent. If you are not sure if the consent you obtained meets the new requirements, then please take a look at this help article, which outlines steps you may wish to take to re-request consent from your subscribers. This should be done prior to the GDPR taking effect on May 25, 2018.
Direct Mail’s built-in, easy-to-use subscribe forms provide a straightforward way for you to obtain lawful consent. Subscribers who join your mailing list via a Direct Mail subscribe form will automatically have their proof-of-consent recorded (including date, time, email address, and IP address). We encourage you to take care when designing your subscribe form that the description shown to the user clearly explains the intended use of the information you are soliciting. By default, all Direct Mail subscribe forms use the confirmed opt-in method (also known as double opt-in).
Is Direct Mail compatible with the GDPR?
Yes. You can lawfully use Direct Mail to process the personal data of EU citizens (e.g. email addresses and other mailing list data). However, as the controller of this data, you should make sure that your use of Direct Mail is in line with GDPR requirements (e.g. you have obtained consent from the people on your list).
Can I use Direct Mail if I am located in the EU?
Yes. You can lawfully use Direct Mail even if you are located in an EU member state.
The GDPR does not require that the personal data of EU citizens (e.g. email addresses and other mailing list data) be stored only in EU member states, nor does it require that processors or controllers of personal data be located only inside a member state. Instead, it sets forth certain legal bases that allow personal data to be lawfully transferred outside of the EU. One such legal basis is that the country where the data is being transferred to maintains adequate privacy protections, as determined by the European Commission. The publishers of Direct Mail, e3 Software, are full participants in the cross-border Privacy Shield framework, which the European Commission recognizes as meeting this legal basis for adequate privacy protections. You can rely on our participation in the Privacy Shield framework as your legal basis for using Direct Mail for the processing of personal data.
How can Direct Mail help me meet the requirements of the GDPR?
Please review the above section "What does the law require of me?". It describes the most important GDPR requirements (as they pertain to Direct Mail users) and include information about how Direct Mail can help your organization comply.
How does e3 Software comply with GDPR?
In the above section "What does the law require of me?", we describe how Direct Mail can help your organization comply with GDPR requirements. In this section, we describe how the makers of Direct Mail, e3 Software, respect the individual rights of you, our customer.
- Right to be forgotten. You may terminate your account with us at any time by contacting our support team. All personal data associated with your account will be deleted.
- Right to rectification. You may update your account at any time via the Direct Mail account control panel. To access the control panel, choose Direct Mail > Direct Mail Account from the menu bar at the top of your screen. You may also contact our support team to rectify any information related to your account.
- Right to data portability. We will provide you with a machine-readable copy of your account data at any time.
- Right to object. You may unsubscribe from any of our newsletters at any time by using the unsubscribe link included in the footer.
In addition, we are active participants in the cross-border Privacy Shield framework, which the European Commission recognizes as providing adequate privacy protections for EU citizens. You can rely on our participation in the Privacy Shield framework as your legal basis for using Direct Mail for the processing of personal data.
What if I have additional questions?
Please feel free to contact our support team at any time with questions you may have. You may also wish to take a look at the following resources:
- General Data Protection Regulation in a easily browsable, searchable format
- Information Commissioner's Office Guide to the GDPR
- GDPR on Wikipedia
- Our Data Processing Addendum