@maryhlumilina ・ Feb 13, 2023 ・ 6 min read ・ Originally posted on mailtrap.io
On May 25, 2018, the General Data Protection Regulation (GDPR) took effect in the EU.
Personal data protection is what the GDPR focuses on. Personal data is any information that can explicitly or implicitly identify an individual. This may include:
GDPR lays out rules and principles of personal data protection. It’s aimed at the way companies collect, store, or use the data. There is no direct emphasis on email or email marketing. However, the mailbox of a company contains lots of data that can be deemed personal: names, email addresses, conversations, and much more. Therefore, an email is a valuable asset that must be in compliance with GDPR requirements. This includes email marketing, antispam activities, as well as email encryption and safety.
Short answer: Email consent
Where in the GDPR is this covered: Article 6, 7
According to the EU Data Protection Directive (Directive 95/46/EC), data should not be disclosed without the data subject’s consent. GDPR expanded this statement and set out detailed requirements for collecting and storing users’ consent. The details are laid out in Article 6, but the key points are the following:
Silence, pre-ticked boxes, or inactivity should not constitute consent.
Short answer: Send if you can prove there is email consent
Where in the GDPR is this covered: Article 4, 6, 7, 9, 22
Mailtrap began taking measures to ensure full compliance with GDPR well before it came into effect. Before GDPR, our customer base included over 300K email addresses. These were users who signed up for Mailtrap services and agreed to receive transactional emails such as product updates, changes in billing plans, and other important notices. We did not, however, request explicit consent to send marketing emails to them. So, should we reconfirm, or can we send emails without it?
In the case of Mailtrap, we had consent for sending transactional emails only. So, sending marketing emails without re-engaging our email list would be a violation of the GDPR.
Short answer: To limit the damage from a possible break-in to employee mailboxes
Where in the GDPR is this covered: Article 5, 17
Data erasure is one of the main data protection principles laid out in GDPR. The essence of it is that companies can store the personal data of individuals for no longer than necessary. The storage period should be set according to the reason the data is needed for processing. For example, you’re processing CVs while looking for candidates for a certain position. Once the candidate has been found, you don’t have to get rid of all the processed CVs at once. On the other hand, storing personal data (from CVs) for 5+ years without any update would be hard to justify.
There are exceptions under which companies can keep the data for a longer period. Those include archiving or scientific purposes, legal requirements, and other reasons. In these cases, appropriate data security measures are obligatory.
In terms of GDPR and email, companies have to focus on the amount of data their employees store in their mailboxes. For this purpose, they need to establish an email retention policy that regulates the frequency, volume, and other aspects of email data erasure. The idea is to minimize the adverse consequences of a data breach in the case of a mailbox break-in: data that has already been erased cannot be leaked.
Short answer: No, it did not
Where in the GDPR is this covered: Article 5, 6, 13
Some expected significant changes after May 25, 2018. There were predictions of the demise of spam. GDPR was cast as a hero that would defeat the outlaws spreading malicious emails. But its strict requirements were meant to protect personal data rather than to combat spammers. You can see the outcome for yourself: our spam folders have not emptied. Maybe consent-centered regulation will help over time. Who knows?
Another prediction referred to the sunset of email marketers. Opponents presented GDPR as an anti-email-marketing document. However, it is only meant to improve a customer’s email experience. Yes, GDPR pushes companies to be more attentive to how they work with data. Those who are OK with that survive; others don’t.
Short answer: GDPR non-compliance may be a costly mistake
Where in the GDPR is this covered: Article 82, 83
Let’s say you’ve experienced a data breach because of an employee’s negligence, a mailbox break-in, or anything else. Most often, this happens due to a lack of the security measures and policies that could have prevented the breach. GDPR is not aimed at punishing anyone for poor email safety measures alone. A penalty for GDPR non-compliance is usually the result of many internal problems with security combined with a lack of understanding of GDPR principles.
The GDPR established the following fines for violation of the rules:
At the same time, the threshold of €20 million ($22.3 million) is not a hard ceiling. At the beginning of 2019, the French data privacy body, CNIL, imposed a €50 million ($57 million) penalty on Google. The official reason was “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
Data protection regulators in each EU country are entitled to administer fines themselves. That’s why the UK Information Commissioner’s Office could penalize British Airways for £183 million ($230 million). The reason was the 2018 data breach that compromised 500K consumers.
For more on GDPR-compliant email, read the original article on the Mailtrap Blog.