
On The Hill: Radar Hill Blog

GDPR – Canada and Email Marketing

The GDPR is the new regulation coming into force on 25 May 2018 across the European Union. The details of what it is and how to be compliant are discussed here, and why it is a good thing is explained here. In this article, its effect on Canada and on email marketing will be explored. As before, this is not meant to be legal advice; if you are concerned about being compliant, seek professional counsel! This is an introduction, as many people in Canada have not heard of the GDPR before.

Effect on Canada

“What? A strict law Europe now has to comply with, I’m so glad I don’t!” I hear you say after reading the previous articles. If you’re reading this on Radar Hill’s blog, it is highly likely you’re in Canada. Well, I’ve got news for you – the GDPR protects EU citizens, which means that even if you are a business in Canada with EU clients, you still need to comply. Every company in the world that handles data from an EU citizen needs to comply with the GDPR.

The GDPR affects EU citizens – NOT the country where a business is based.

Admittedly, enforcement by the EU Privacy Commission against Canadian companies will be limited, if it happens at all. Especially for small and medium businesses, it is highly unlikely the EU would opt to prosecute, unless there was particularly grievous and malicious handling of personal data. Nevertheless, intentionally being non-compliant or recklessly using data will not be looked upon favourably.

It is good to note that the European Commission has recognised Canada, amongst a few others, as providing adequate data protection. This means that the EU has deemed it suitable for personal data to flow from the EU to the “safe” country without any further safeguards being necessary. In other words, transfers to Canada will be treated as intra-EU transmissions of data. Otherwise, all data transfers outside of the EU must be specifically recorded as part of being compliant.

Effect on Email Marketing

Most people have not heard of the GDPR, or if they have, they think it will only affect email marketing. Because consent is such an integral part of the Regulation, it is easier to talk about it only in terms of email marketing. However, this is not the case, as the previous articles show. The GDPR has to do with providing people with transparency and control over all of their data, no matter what it is used for. Of course, email marketing is involved, but it is by no means the only aspect.

Even without this new GDPR, it is good practice to have consent before adding someone to your mailing list. In Canada, anti-spam laws were put in place a couple of years ago, and as time goes on only more regulations will be established.

For now, the GDPR affects EU citizens, and it is highly likely that there is at least one European on your mailing list. Therefore, being compliant is necessary.

Many Europeans, and even Canadians, have been receiving numerous emails a day from their various subscriptions in anticipation of the 25 May deadline. These emails detail how the sender has updated their privacy policy, and that in order to keep receiving emails from them, another opt-in is required. This has been irritating, and isn’t absolutely necessary. If you can prove that the people on your mailing list signed up initially in a GDPR-compliant way, then no further action is necessary, at least in that respect.

Because of the Storage Limitation clause, it would be prudent to remove those subscribers that have been on your list for a long time but no longer interact with you. If you use a mail service like MailChimp, contact them to make sure that they are compliant. Some companies have been better than others at becoming GDPR compliant by the deadline; while there is a lot that small businesses have to do in order to be compliant, no business operates in isolation, so data will have to be shared with others. Just ensure that they are GDPR compliant, and keep a record of all data processed. Technically, it is your responsibility to ensure that any software or program that you share data with is compliant.

Consent Is Key

As seen in the introductory article, consent is vital. Consent for email requires a positive opt-in, which means you cannot use pre-ticked boxes or any other method of default consent. Be specific and ‘granular’ so that you get separate consent for separate things. Yes, this means having an option for marketing, an option for general information emails, etc. People have to consciously opt in to the different kinds of email you send out. There is no more implied consent.

You need to be transparent about data collection. Be clear about how it is being used, and explicitly define all the processing that is going to happen to it, including third-party processing. This needs to be in clear language that is easily understood, not hidden in a bunch of technical jargon.

Right of Withdrawal

Just as people must explicitly and positively consent, they also have the right to withdraw that consent at any point. Therefore, as Canadian law already requires anyway, there needs to be a clear “unsubscribe” link in every mass email sent out.

One way to prove current consent is with screenshots of your sign-up process. As long as, to the best of your knowledge, all current subscribers clearly consented, and you have a clear unsubscribe link, your email marketing list will be OK – just don’t go selling it to any sketchy third party who will just scam them. Your list is yours alone.
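As an added example (not code from the Radar Hill post, nor from any mailing platform it mentions), the following Python consent ledger shows one way to keep the evidence the Storage Limitation, Consent Is Key and Right of Withdrawal sections call for: a separate, positive opt-in per purpose that rejects pre-ticked defaults, an appended withdrawal event when someone uses the unsubscribe link, a pointer to the proof of consent (for instance a sign-up screenshot), and pruning of long-inactive subscribers. The purposes, email addresses, dates and screenshot paths are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Granular consent categories: one per kind of email, never a single catch-all box (constructed).
PURPOSES = ("marketing", "general_info")

# Date used by the demo for the storage-limitation sweep (constructed: the GDPR start date).
AS_OF = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool        # True = positive opt-in, False = withdrawal
    at: datetime
    source: str          # where it happened, e.g. a sign-up form name or the unsubscribe link
    evidence: str        # pointer to proof, e.g. a screenshot of the sign-up form


@dataclass
class Subscriber:
    email: str
    events: List[ConsentEvent] = field(default_factory=list)
    last_interaction: Optional[datetime] = None


class ConsentLedger:
    """Append-only record of consent per subscriber and per purpose (hypothetical helper)."""

    def __init__(self) -> None:
        self.subscribers: Dict[str, Subscriber] = {}

    def record_opt_in(self, email: str, purposes: List[str], at: datetime,
                      source: str, evidence: str, ticked_by_user: bool) -> None:
        # Positive opt-in only: a pre-ticked box or implied consent is refused outright.
        if not ticked_by_user:
            raise ValueError("consent must be an explicit action by the subscriber")
        unknown = [p for p in purposes if p not in PURPOSES]
        if unknown:
            raise ValueError(f"unknown purpose(s): {unknown}")
        sub = self.subscribers.setdefault(email, Subscriber(email))
        for purpose in purposes:  # one consent event per purpose, never a bundle
            sub.events.append(ConsentEvent(purpose, True, at, source, evidence))
        sub.last_interaction = at

    def withdraw(self, email: str, purpose: str, at: datetime,
                 source: str = "unsubscribe-link") -> None:
        # Right of withdrawal: the withdrawal is appended; earlier history is never rewritten.
        sub = self.subscribers[email]
        sub.events.append(ConsentEvent(purpose, False, at, source, evidence="withdrawal"))
        sub.last_interaction = at

    def latest(self, email: str, purpose: str) -> Optional[ConsentEvent]:
        sub = self.subscribers.get(email)
        if sub is None:
            return None
        matching = [e for e in sub.events if e.purpose == purpose]
        return max(matching, key=lambda e: e.at) if matching else None

    def has_consent(self, email: str, purpose: str) -> bool:
        event = self.latest(email, purpose)
        return event is not None and event.granted

    def proof_of_consent(self, email: str, purpose: str) -> Optional[str]:
        # Returns the evidence pointer only while consent for that purpose is still current.
        event = self.latest(email, purpose)
        return event.evidence if event is not None and event.granted else None

    def recipients(self, purpose: str) -> List[str]:
        return sorted(e for e in self.subscribers if self.has_consent(e, purpose))

    def prune_inactive(self, now: datetime, max_idle_days: int) -> List[str]:
        # Storage limitation: drop subscribers who have not interacted for a long time.
        cutoff = now - timedelta(days=max_idle_days)
        stale = sorted(e for e, s in self.subscribers.items()
                       if s.last_interaction is None or s.last_interaction < cutoff)
        for email in stale:
            del self.subscribers[email]
        return stale


def demo() -> ConsentLedger:
    """Constructed scenario: two valid sign-ups, one rejected pre-ticked sign-up, one withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 1, tzinfo=timezone.utc)
    ledger.record_opt_in("alice@example.com", ["marketing", "general_info"], t0,
                         source="signup-form-v2", evidence="screenshots/signup-v2.png",
                         ticked_by_user=True)
    ledger.record_opt_in("bob@example.com", ["general_info"], t0 - timedelta(days=400),
                         source="signup-form-v1", evidence="screenshots/signup-v1.png",
                         ticked_by_user=True)
    try:
        ledger.record_opt_in("carol@example.com", ["marketing"], t0, "checkout-page",
                             "n/a", ticked_by_user=False)   # pre-ticked box: rejected
    except ValueError:
        pass
    ledger.withdraw("alice@example.com", "marketing", t0 + timedelta(days=10))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print("marketing recipients:", ledger.recipients("marketing"))
    print("pruned:", ledger.prune_inactive(AS_OF, 365))
```

The ledger never overwrites a consent event; `has_consent` simply looks at the most recent event for that purpose, so the full history stays available as the record of processing the post says to keep. Carol never enters the list at all because her box was pre-ticked, and Bob is swept out of the list by the storage-limitation pass because his only interaction is over a year old.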

When Will It End

It is not just European companies that need to comply; it is any organisation that deals with EU citizens. The GDPR is also just best practice, as it is meant to ensure the safety of personal data. In Canada we should at least be aware of it, and be prepared to comply. Have a process in place should someone exercise their right of rectification, right of access, etc.

The GDPR is a process, part of consistently reviewing how personal data is processed. Almost anything can be a personal data point, and it doesn’t matter how it is stored; merely having the data means you have to ensure it is processed in a secure and lawful way. Explicit consent is vital for compliance, as is documenting all processing activities.

These three posts are not meant to be legal advice; if you are wondering what to do now, contact a professional GDPR expert. This has been an introduction to the General Data Protection Regulation, and you should now have a better grasp of what it means for you, whether you are an EU citizen or a business. Radar Hill cannot help you become GDPR compliant, but we can offer email marketing services on a platform that is GDPR compliant. Get in touch to find out more.