
Marketing Dos and Don’ts: General Data Protection Regulation 2018

Written by: Trixie Sanchez
February 23, 2018 • 7-minute read

To embrace the latest in technology, more and more businesses are incorporating digital campaigns into their marketing strategies, keeping their customers updated through different social media platforms and email marketing.

However, these past few years, data breaches have become more frequent for businesses and customers alike.

Unauthorized parties find ways to access sensitive and confidential data without the system owner’s knowledge, causing even the most loyal customers to have trust issues.

Ponemon Institute conducted a study on the 2017 global cost of a data breach, covering 11 countries (U.S., U.K., Germany, Australia, France, Brazil, Japan, Italy, India, Canada, and South Africa) and two regional samples (the Middle East, ASEAN region).

Over two years, the average size of data breaches continued to increase, from 23,078 in 2015 to 23,834 in 2016 and 24,089 in 2017, despite the noticeable decline in the average cost of a data breach and the average cost of each lost or stolen record containing sensitive and confidential information.

Countries worldwide are creating and quickly implementing data protection laws to protect customers from data breaches.

Some examples are the:

  • General Data Protection Regulation (GDPR) for the UK, which will take effect in May 2018
  • CAN-SPAM Act of 2003 for the US, PIPEDA (2000) and CASL (2017) for Canada
  • Personal Data Protection Act 2012 (PDPA) for Singapore
  • Privacy Act 1988 and Australian Privacy Principles 2014 (APPs) for Australia.

Though these laws have different names, they serve the same purpose – to protect customers’ privacy by requiring business owners to ask permission before including them in their email marketing campaigns. Violating these laws means heavy penalties.  

Dos and don’ts for your business

Stay on the safe side and comply with these laws by remembering some simple dos and don’ts:

Dos

Identify the message as an advertisement.

You must disclose that your message is an advertisement.

Tell recipients where you’re located.

You must include a valid postal address in your email campaigns.

Use the double opt-in method.

To ensure email validity, include a double opt-in process – a confirmation step where the person registering receives an email to confirm their sign-up.

Allow recipients to unsubscribe.

Let recipients unsubscribe if they want to do so.

Ensure you have permission to email people on your list.

Ask permission from customers before sending them any emails.

Monitor what others are doing on your behalf.

If you hire a third party to handle email marketing, ensure that you and your third-party contractor comply with the law.

Either both of you will be held legally responsible for compliance, or the responsibility for compliance will rest solely on you.

Don’ts

Use false or misleading header information.

You must be accurate in identifying who sent the message.

Use deceptive subject lines.

You must not make false claims to deceive people into reading your email.

Collect unnecessary information.

You must limit your data collection to only the information relevant to your campaign or business.

Laws Applied to Different Countries

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC as the primary law regulating how companies protect EU citizens' personal data.

Companies that are already in compliance with the directive must ensure that they’re compliant with the new requirements of the GDPR before the May 25, 2018 effective date.

These requirements include:

  • Requiring the consent of subjects for data processing
  • Anonymizing collected data to protect privacy
  • Providing data breach notifications
  • Safely handling the transfer of data across borders
  • Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

All organizations, including small to medium-sized companies and large enterprises, must be aware of all GDPR requirements and be prepared to comply.

Note that even with Brexit, the UK is still implementing the GDPR.

CAN-SPAM Act

The CAN-SPAM Act or Controlling the Assault of Non-Solicited Pornography And Marketing Act of the US covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites.

It gives email recipients the right to ask businesses to stop emailing them and outlines harsh penalties for marketers who don’t comply. It also forbids marketers from misleading or deceiving the people on their email lists. The law makes no exceptions for business-to-business emails.

PIPEDA and CASL

The Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada lays out the ground rules for how businesses must handle personal information during commercial activity.

CASL is a new anti-spam law that applies to all electronic messages organizations send in connection with a “commercial activity.” Its key feature requires Canadian and global organizations that send commercial electronic messages (CEMs) within, from, or to Canada to receive consent from recipients before sending messages.

Personal Data Protection Act (PDPA)

The PDPA aims to regulate the collection, use, and disclosure of personal data between organizations in Singapore. Every individual in Singapore must ensure that his or her data is only collected, used, and/or disclosed with his/her permission.

Privacy Act and Australian Privacy Principles

The Privacy Act and APPs govern how business entities and federal government agencies in Australia must handle personal information.

A successful digital marketing campaign creates the right content for the right audience and delivers it at the right time. Data privacy and safeguarding your customers’ information add new layers to the digital marketing success criteria. Trust is the foundation of customer loyalty. Protecting your customers’ information is a necessary step to building that trust. Without relevant laws, failing to do so may have serious negative repercussions on your operations and business.

WRITTEN BY:
Trixie Sanchez
Trixie Sanchez is an Inbound Marketing Specialist at StraightArrow Corporation. She is currently taking up Master in Business Administration in San Beda College. She always scrolls her social media’s newsfeed to keep her updated with the current events and latest trends. When she’s not online, she’s probably watching Korean dramas, cooking food and eating.
