The General Data Protection Regulation (GDPR)

What it is, what we are doing, and what you can do.

The GDPR will become enforceable on May 25, 2018, and will set a high bar for global privacy rights and compliance. We are actively preparing our business and compliance processes for the GDPR to take effect, and this guide is intended to help our customers do the same.

Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.

What is the GDPR?

By now, you have likely heard of the GDPR: the General Data Protection Regulation, a European privacy law approved by the European Commission in 2016. The GDPR will replace a prior European Union privacy directive known as Directive 95/46/EC (the “Directive”), which has been the basis of European data protection law since 1995.

A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. It will have a significant impact on businesses around the world.

When does it come into effect?

The GDPR was adopted in April 2016, but will officially be enforceable beginning on May 25, 2018. There will not be a “grace period,” so it is important that organizations impacted by the GDPR get ready for it now.

Who does it affect?

The scope of the GDPR is very broad. The GDPR will affect (1) all organizations established in the EU, and (2) all organizations involved in processing personal data of EU citizens. The latter is the GDPR’s introduction of the principle of “extraterritoriality”; meaning, the GDPR will apply to any organization processing personal data of EU citizens—regardless of where it is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors.

There are a few definitions that will aid the understanding of the GDPR’s broad scope.

What is considered “personal data”? Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data will now include not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. This means that, for MailChimp users, at least a majority of the information that you collect about your subscribers and contacts will be considered personal data under the GDPR. It’s also important to note that even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any particular individual.

Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your MailChimp account.

What does it mean to “process” data? Per the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing EU personal data within the meaning prescribed by the GDPR. This means, for example, that if any of your MailChimp lists contains the email address, name, or other personal data of any EU citizen, then you are processing EU personal data under the GDPR.

Keep in mind that even if you do not believe your business will be affected by the GDPR, the GDPR and its underlying principles may still be important to you. European law tends to set the trend for international privacy regulation, and increased privacy awareness now may give you a competitive advantage later.

How is the GDPR different from the Directive? How are obligations changing?

While the GDPR preserves many principles established by the Directive, it introduces several important and ambitious changes. Here are a few that we believe are particularly relevant to MailChimp and our customers:

1. Expansion of scope: As mentioned above, the GDPR applies to all organizations established in the EU or processing data of EU citizens, thus introducing the concept of extraterritoriality, and broadening the scope of EU data protection law well beyond the borders of just the EU.

2. Expansion of definitions of personal and sensitive data, as described above.
3. Expansion of individual rights: EU citizens will have several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the

right of access, and the right of portability. You must ensure that you can accommodate these rights if you are processing the personal data of EU citizens.

• Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.

• Right to object: An individual may prohibit certain data uses.

• Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.

• Right of access: Individuals have the right to know what data about them is being processed and how.

• Right of portability: Individuals may request that personal data held by one organization be transported to another.

4. Stricter consent requirements: Consent is one of the fundamental aspects of the GDPR,

and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. You will need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis, such as those found in number 5 below. The surest route to compliance is to obtain explicit consent. Keep in mind that:

• Consent must be specific to distinct purposes.
• Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use and management of their personal data.
• Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. 5. Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:

• Contact details for the data controller, which we will explain in more detail below.
• Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
• Retention period: This should be as short as possible (“storage limitation”).
• Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements above), or the processing is in the organization’s "legitimate interest.”

There are many other principles and requirements introduced by the GDPR, so it is important to review the GDPR in its entirety to ensure that you have a full understanding of its requirements and how they may apply to you.

Does the GDPR say anything about cross-border data transfers?

Yes, the GDPR contains provisions that address the transfer of personal data from EU member states to third-party countries, such as the United States. The GDPR’s provisions regarding cross-border data transfers, however, do not radically differ from the provisions in place under the Directive. The GDPR, like the Directive, does not contain any specific requirement that the personal data of EU citizens be stored only in EU member states. Rather, the GDPR requires that certain conditions be met before personal data is transferred outside the EU, identifying a number of different legal grounds that organizations can rely on to perform cross-border data transfers.

One legal ground for transferring personal data set out in the GDPR is an “adequacy decision.” An adequacy decision is a decision by the European Commission that an adequate level of protection exists for the personal data in the country, territory, or organization where it is being transferred. The Privacy Shield framework constitutes one such example of an adequacy decision. MailChimp participates in and has certified its compliance to the Privacy Shield framework, and we are committed to treating all personal data received from EU member countries in accordance with the Privacy Shield framework’s applicable principles.

What does this mean for you? Generally speaking, it means we expect that MailChimp’s EU customers will be able to continue to rely on MailChimp’s Privacy Shield certification in order to transfer their lawfully obtained personal data to MailChimp under the GDPR.

Do you need to comply with the GDPR?

You should consult with legal and other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however, if you are an organization that is organized in the EU or one that is processing the personal data of EU citizens, the GDPR will apply to you. Even if all that you are doing is collecting or storing email addresses, if those email addresses belong to EU citizens, the GDPR likely applies to you.

What happens if you do not comply?

Non-compliance with the GDPR can result in enormous financial penalties. Sanctions for non-compliance can be as high as 20 Million Euros or 4% of global annual turnover, whichever is higher.

Source: Mailchimp - Our official Email Campaign manager.