GDPR stands for the General Data Protection Regulation. It’s a legal framework that went into effect on May 25, 2018. The aim of it is to protect the privacy of all EU citizens by imposing regulations around personal data. It has forced organizations to be a lot more careful about how they gain consent for storing data and sending marketing campaigns. Note that the law applies to all organizations that interact with EU citizens, therefore it may be relevant to your business even if you are not based in the EU.
This article will give you some suggestions on how you can increase your chances of becoming compliant with the GDPR. Note that the information provided should not be construed as legal advice. We encourage all of our users to seek legal advice on the specific changes they may need to make to become GDPR compliant.
The GDPR requires that organizations obtain consent from EU citizens before they are able to store personal data and send marketing communications.
According to the GDPR, consent must be:
- Freely given. You can’t mislead or force someone into letting you use their information. They must be given a legitimate choice, and you can’t withhold a service or transaction on the basis of consent if that consent is not integral to the service or transaction.
- Specific. Consent to process personal data must include details about the purpose of the processing and the type of processing.
- Informed. The individual must be told how their data is going to be used, the specific purpose their data is being used for, and the type of data processing you are using.
- Unambiguous. It must be obtained through clear language and indicated through affirmative action on the part of the individual.
With the above in mind, you can analyze whether you have already gained consent from your existing users and subscribers. If you have not, you have some work to do…
In order to comply with the GDPR, you will need to delete the data you have on any EU users who have not given consent. This could have a negative financial impact, so to minimize the pain you should have a plan for gaining consent from as many of your existing users as possible.
Kevy users can start by building a segment of any subscribers who have opted in to receiving marketing communications and are located in an EU country. These are subscribers who may need to give their consent, in which case you’ll need to give them a chance to do this.
Any EU citizens who have not previously opted in to marketing communications should be pulled into a separate segment and deleted, unless you have some other lawful basis for continuing to retain their personal data (other lawful bases are rare).
To segment your list to users who are located in an EU country. Add a Default Field rule. Select "Country" and "Is In". Copy and paste the list of below country names and country codes:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Russia, Slovakia, Spain, Sweden, Switzerland, United Kingdom, UK, England, ES, BG, RS, GB, BE, CZ, DK, DE, EE, IE, EL, FR, HR, IT, CY, LV, LT, LU, HU, MT, NL, AT, PL, PT, RO, SI, SK, FI, SE, IS, LI, NO, CH, BA, ME, AL, RS, TR
You can then segment this list by ‘Consent’ to select only the EU users who have opted in to marketing communications. Add a Default Field rule. Select "Consent" and choose a consent value like in the below screenshot:
Once you have this list, you’ll want to give the users several chances to give consent in order to minimize the amount of user data you’ll need to delete. This could mean sending more than one email and including opportunities to give consent within emails that are about other things.
As we aren’t lawyers, we can’t say for sure what language you should use to obtain consent. Whilst you may want to check it over with a lawyer before using it, we do have a GDPR consent template ready for use. Just go to ‘Email Templates’ and you’ll see it:
Of course, you may wish to customize your emails based on your specific situation in order to maximize the conversion rate.
The last step is to delete the data you have on users who do not give their consent. We strongly recommend deleting the data rather than just segmenting it into a separate list. This is because the GDPR prohibits organizations from storing users’ contact details, or any information that might identify them.
Gaining Consent From New Users
We recommend going over the GDPR’s definition of consent (mentioned earlier in this article) and working with a lawyer to ensure that you meet the requirements.