If you market to residents of and companies within the European Union, you need to start preparing now for the General Data Protection Regulation (GDPR) — slated to go into effect on May 25, 2018.

What is GDPR?

Essentially, it’s a set of consumer protection regulations set forth by the EU that requires marketers to (1) gain explicit opt-in from all customers and prospects before sending them marketing messages (including sending emails and retargeting ads, and collecting analytics data on web usage, etc.); (2) securely manage data of customers and prospects; and (3) provide fail-safe opt-out. Even if a resident of the EU has opted in prior to May 25, 2018, they will need to again verify their opt-in status. The GDPR goes far beyond any of the CAN-SPAM laws currently in place, and it requires a great deal of work to ensure that you are compliant.

Why should you care?

The penalties for non-compliance are steep — up to 4% of your annual revenues.

What should you do next?

Start reviewing your data management practices now, audit the data you have, and check with your vendors to ensure they are compliant (analytics, registration, email providers, housing, etc.).

Educate yourself on everything you need to do to comply internally. We’ve collected a variety of articles about GDPR, but we encourage you to consult your legal counsel. A review of your systems can help ensure you are prepared.

As we move forward on your marketing campaigns for 2018, we will assume that all lists sent to CSG meet GDPR guidelines. We are also taking extra steps to secure your data once it’s received.

If we manage your website, we will work with you to make sure that the terms of service, privacy policy, cookies, etc., are updated per the recommendations of your legal counsel. If you use another vendor, we encourage you reach out to them immediately.

What about legitimate business interest — does that give me some protection?

There is a clause within the GDPR that allows for marketing contact under the premise of “legitimate business interest.” Even so, we strongly recommend working with your legal counsel to get their opinion on your specific marketing efforts to determine if this clause offers any protection.

I don’t market to the EU or have an office there. Should I care?

The short answer is “yes.” The GDPR protects EU residents regardless of where they are in the EU (or not), so it’s not practical to think that you can siphon off your European contacts and be compliant. From what we’ve learned about the GDPR, taking steps now to gain consent and protect your data will go a long way should there be a violation/investigation later.

Clearly, GDPR is a complex issue. We can’t stress enough how important it is for you to consult with your legal counsel and to start working on your individualized plan to be compliant. In the meantime, we will continue to share information with our clients as we learn more.

A Few Notes on Consent
Consent as defined by GDPR: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes.

It is important to note that a pre-checked form does NOT indicate consent. Appropriate forms of consent include “a written statement, including electronic means, or an oral statement.”

For associations, you should consider obtaining consent (or offering withdrawal from consent) from your existing members and contacts. Work with your legal team to better understand how these regulations work retroactively on previously obtained consent.