This May, new Data Protection laws will be coming into place, specifically, the Data Protection Act will be replaced by the General Data Protection Regulation.
What’s the difference? The GDPR will have new rules around the storage and handling of personal information and there will be stricter punishments in place for those who fail to comply.
Why the new law? The short answer is because hackers are more easily able to access data from small to medium businesses than they are to hack huge, well-protected corporate networks.
Changes in Consent
At the moment it’s sufficient to ask someone to tick or even to untick a box in order to consent to the storage of their data.
Under the new laws, consent means active agreement. This means you cannot pre-tick a ‘subscribe me’ button.
Not only this, but companies need to be able to show a clear audit trail of consent, including screen grabs or saved consent forms.
Individuals also have the right to withdraw consent at any time, and it has to be effective and efficient. When someone withdraws consent all of their personal data must be immediately and permanently erased. It is not enough to remove them from the mailing list.
If you are subject to a data breach, you also have to inform the relevant authorities immediately and you must notify all individuals affected within 72 hours of the initial breach.
What does this mean for people that use e-mail marketing (and am I one of those people?)
If you have a newsletter that people subscribe to, or if you send e-mails to a database of people on whatever basis, this concerns you.
And it doesn’t just concern all the new data you might collect. It concerns all the data you currently have.
Any kind of personal data you keep has to follow these rules and you and you alone are responsible for being able to prove that someone has consented to have their data kept on file by you.
This means you can no longer capture e-mails through a competition and then add them into your mailing list, or you cannot auto-subscribe (for example) people that have bought a ticket to your show to your newsletter.
Does the GDPR apply to my personal blog?
The GDPR applies to all enterprises. So if you run a business from home, or if your blog/website is engaged in “economic activity” i.e. you use it to make money – this applies to you.
It does not apply to people processing personal data in the course of a purely personal or household activity. I.e. if you have your plumber’s email address on file, that’s fine. If you’re sending your plumber an email telling him that you have a new kind of product available for sale, that’s not fine.
So what do I do now?
For every e-mail address in your system, you need to go back and seek explicit permission from the person to continue to send them whatever communication you are sending them.
If you cannot provide evidence of consent, you cannot send them emails and you must delete their data permanently.
This means you will need to launch a re-permission campaign and bring your entire database up to GDPR standards.
What are the consequences of non-compliance?
Fines. These are tiered based on the level of non-compliance and the severity of the violation, and they are capped at 4% of an annual turnover of €20million.
Check out our next post on how to run a GDPR compliant re-consent campaign.
Disclaimer: None of the above constitutes legal advice. If you are in doubt, we recommend you seek professional legal guidance.
Penguin in the Room @prartsmarketing is a group of creatives with an arts marketing dream: penguin stepping our way into the arts industry and helping other creatives flourish! Specialising in online marketing, social media, branding, copy writing, media coaching and web design for actors, artists, casting directors, agents, production companies, theatre companies and creative individuals.