In the spring of 2018, the General Data Protection Regulation (GDPR) came into force in Europe. It is a European Union regulation that governs the collection, processing and storage of personal data. An important feature of the GDPR is its extraterritorial scope: it also applies to US and Russian companies that serve consumers in the EU.
- What is personal data according to GDPR?
This is any information relating to an individual by which that person can be directly or indirectly identified: a name, location data, an online identifier, and other factors such as IP addresses that help to identify a person. There are also special categories of sensitive personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic and biometric information, information about health, sex life, consumer preferences.
- Who must comply with the GDPR?
All companies that use an individual's personal data are subject to the regulation. These can be Internet companies, gaming companies, payment systems and online services (online stores, social networks, etc.). More precisely: the GDPR must be complied with by everyone who has a website with registration or a mobile app that supports at least one language of an EU member state or allows payments in EU member states' currencies.
For a violation, fines can reach €20 million or 4% of the company's worldwide annual revenue.
Outwardly, little will change for ordinary users: as a rule, you will have to accept various agreements on the processing of your personal data once again. At the same time, experts say that the law is stunningly complex and hard to understand for companies trying to comply with it. That is why many advertisers have given up email campaigns as a source of traffic. After all, the first question they faced was: how to send email campaigns in a way that is completely legal and safe?
Two important documents should be publicly posted on the website from which you plan to request user data:
- data usage rules.
These documents should describe in detail what data you collect and for what purposes, and how you will process, store, protect, modify and delete it.
It is important to state the purpose of the data collection. For example: "subscribe to our newsletter to stay aware of world financial news and investment opportunities". This way the user is notified of the need to provide personal data and can give informed consent.
Rule number 1: the user must receive information about the processing of their personal data in a clear and accessible form.
Whether a future recipient is only subscribing to your newsletter or you are requesting new data, consent to the processing of personal information should not be an instant procedure of clicking an "Agree" button. If you already have an existing subscriber database, you need to send a mailing asking subscribers to reconfirm their consent to data processing.
According to GDPR, the confirmation must be “a clear affirmative act in writing or verbally”. How to put this into practice?
- Use double opt-in, a subscription method in which the user confirms consent twice.
- If you use a checkbox (this is allowed), then under the new rules it must be unchecked ("no") by default.
- In addition, in the "I agree to the processing of my personal data" checkbox, you can specify exactly which personal data the user consents to have processed. Split consent into separate forms for different data: consent to process email and phone numbers can stay in the registration form, while consent to process location can be a separate pop-up message.
Rule number 2: ask only the most necessary.
Remember that data must not only be properly processed, but also safely stored. Evaluate exactly what information is needed for the service, sale or advertising campaign. If you do not need to know the user's gender and age, home address, dog's name or favourite dish, simply do not ask for it.
For example, if your goal is to share all your company's discounts and promotions, you only need to request an email address; if you want (and are able) to make more differentiated mailings (collections for women and men), then ask for gender as well.
Rule number 3: you cannot use stolen or purchased databases, or databases from dubious sources.
The widespread use of such shady databases is the reason email traffic sources fell into doubt and disrepute among advertisers. Each recipient of your newsletter must understand how and from where the sender obtained their email address and any other personal data (for example, name, age, preferences). If they realise that they never gave this company any information about themselves and did not agree to receive email, the advertiser may have problems.
If you want to send mailings safely (and make money on them) in accordance with the GDPR, you need to build your subscriber base yourself.
Rule number 4: use personal data only for the purpose for which it was requested.
If a user subscribes to thematic news on the site, you should not send them your company's promotional materials and services. If a user subscribed to a financial site, they should not then receive cooking recipes, sale invitations, or any "additional" information about ongoing promotions and partners' news.
For example, if a user left his data on the site with the purpose of “notifying me of the appearance of this product”, and the site owner starts to send information about discounts or the appearance of similar goods – this would be a violation.
Rule number 5: the user must be able to unsubscribe from the newsletter and withdraw consent to the use of their personal data.
Therefore, each letter must include an "unsubscribe" option (a checkbox or a separate button), and it must be explicit and visible.
Rule number 6 (optional).
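The double opt-in, per-purpose consent and unsubscribe mechanics described under rules 1, 4 and 5 can be implemented as a small consent ledger. The code below is an added example, not from the original article; the purpose names, the token lifetime and the `ConsentLedger` class are assumptions chosen for illustration.

```python
"""Hypothetical double opt-in consent ledger (added example, not from the article)."""
import secrets
import time

# Constructed set of processing purposes; each needs its own confirmed consent.
PURPOSES = {"newsletter", "promotions", "location"}


class ConsentLedger:
    def __init__(self, token_ttl=24 * 3600):
        self.token_ttl = token_ttl
        self.consents = {}  # (email, purpose) -> timestamp of confirmed consent
        self.pending = {}   # confirmation token -> (email, purpose, expiry)

    def request_consent(self, email, ticked_purposes, now=None):
        """Step 1 of double opt-in: the form was submitted.
        Only purposes the user actively ticked are recorded (the checkbox
        defaults to 'no'), and even those stay unconfirmed until step 2."""
        now = time.time() if now is None else now
        tokens = {}
        for purpose in ticked_purposes:
            if purpose not in PURPOSES:
                raise ValueError(f"unknown purpose {purpose!r}")
            token = secrets.token_urlsafe(32)  # unguessable, single-use
            self.pending[token] = (email, purpose, now + self.token_ttl)
            tokens[purpose] = token
        return tokens  # each token would be sent in a confirmation link

    def confirm(self, token, now=None):
        """Step 2: the user clicked the confirmation link.
        The token is consumed whether or not it is still valid."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        email, purpose, expiry = entry
        if now > expiry:
            return False
        self.consents[(email, purpose)] = now
        return True

    def may_send(self, email, purpose):
        """Rule 4: send only for a purpose the user confirmed."""
        return (email, purpose) in self.consents

    def unsubscribe(self, email, purpose=None):
        """Rule 5: withdraw one purpose, or all purposes when none is given."""
        keys = [k for k in self.consents
                if k[0] == email and (purpose is None or k[1] == purpose)]
        for k in keys:
            del self.consents[k]
        return len(keys)
```

Keeping the confirmation timestamp per purpose gives you the record of consent the regulation expects you to be able to show.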
Any subscriber base should work in the interests of the advertiser (the owner of the site / application), that is, to bring money. If subscribers are immediately ready to receive advertising products, services, company promotions, then the goal will be achieved. But it happens that it is necessary to interest the user in other ways.
For example, a user has subscribed to a newsletter about investing, and you want to advertise forex trading to them. There is no need to stuff the letter with a banner, logo and call to action, nor to insert a story about that company's advantages into the text. Work with content! Prepare a "Top 10 best investment tools" article that, among other things, gives the user the information they need.
Be careful! GDPR applies to anyone who collects and uses personal data in any way! Do it right.