The GDPR is an EU data protection directive that any business which provides a service inside the EU has to comply with. Given the global and virtual nature of many business transactions in the internet era, it is often difficult to establish where a customer or potential customer resides or to determine where the ‘service’ takes place. It is this that makes the GDPR applicable to South African businesses.
The crux of the matter comes down to consent – do you as a business need to have consent from a person in order to send them email marketing? And if so, have you obtained it in a manner which the GDPR considers satisfactory?
Determining whether or not you require consent is relatively simple. You do not need consent from customers with whom you communicate as part of providing a contracted service, for example by sending statements, invoices, and so on. You do require consent from someone who has signed up to receive marketing communications from you but otherwise has no legal relationship with your business.
The purpose of the GDPR is to force businesses to be transparent and careful while processing personal information when providing services in the EU, regardless of where it is processed or whether the data subject is a citizen. The type of information protected under this legislation is broad: identity, contact, banking, medical, employment, education. The definition of processing is also broad - anything from collecting, storing, using and sharing.
As such, the GDPR requires you to have consent from people in order to send them marketing communications, and it requires you to have a record of their explicit agreement (ie opt-in not opt-out) and to be able to show when and how they gave their consent and what they agreed to receive.
If your business sends email marketing communications that may result in a service being delivered in the EU, then the safest approach is to act as if the GDPR does apply to you and take steps to comply.
You have two options here - get hold of everyone on your marketing databases and get their explicit consent or go through your database and remove everyone for whom you do not have recorded, explicit consent before the 25 May deadline.
If you aim to contact everyone, there are two important things you need to know. Firstly, you need to ask them opt-in, not to opt-out – so communications must explicitly ask if the customer wants to ‘switch on’ not ‘switch off’ marketing communications from you. Secondly, if you have no record of how someone got onto your marketing database, emailing them to get their permission is illegal, even before the GDPR comes into effect. Flybe and Honda, to name two, are being fined for doing such.
You’re probably going to take a hit on your database as the majority of your current base will likely ignore your request and you will have to remove them. On the other hand, this gives you a golden opportunity to start building a legitimate database of people who are genuinely interested in receiving information on your products and services, obtained through a legally compliant process.
Not complying, by the way, could land you with a fine of up to 4% of annual global turnover or €20m (whichever is the larger) for breaching the regulations in the GDPR.
