What's the General Data Protection Regulation (GDPR)? Should I dread it?

No dreading required! The General Data Protection Regulation (GDPR) is simply about giving back some extra security and privacy control to UE citizens.

 

Do I need to comply with GDPR?

If you use E-goi and abide by our anti-spam policy and marketing best practices, you've been complying since, well, forever! Check out this handy infographic:

Should I dread RGPD?


GDPR basically requires that:
  • You must have gotten prior explicit permission from anyone residing in the EU or European Economic Area to receive your messages (E-goi already requires you to do this).
     
  • Your lead acquisition pipeline (sign-up forms, account registration pages, hardcopy forms, etc.) must clearly tell people how their data will be used and what type of content you'll be sending them (E-goi also requires you to do this).
     
  • Any of your contacts is able to:
    • view and edit their subscriber information;
    • contact you using a physical address in order to retrieve, modify, delete or request the transfer of your data;
    • easily unsubscribe so as not to be sent any of your messages anymore.

      For all the above, E-goi helps keeping you on the safe side. We embed your postal address in the footer of all your emails while also adding one-click "Edit subscription" and "Remove" links (allowing people to opt out from either your list only or from any other business using E-goi).
       
  • Your contacts' personal data must be stored somewhere safe, secure and protected from unauthorised access. We already do this for any contacts you import into E-goi or subscribing via an E-goi form. If you've been deploying data security best practices, you should also be in the clear for any contacts you store outside E-goi.


 

Is there anything GDPR requires which E-goi can't help with?

Three things only, super-specific:
 
  • If someone steals or compromises your subscriber data, you've got 3 days to notify your country's data protection ruling body. In the UK, the ICO is your go-to bookmark. In the USA, that should be the FTC. For sensitive stolen data (such as usernames, medical records or financial info), you should also let your own contacts know about the breach and how you're handling it.
     
  • If you are a public body or a business processing large amounts of personal data (eg. banks, insurance companies, major retailers, etc.), you should appoint someone (either from your company or an external consultant) to protect your databases. This person should liaise with data protection specialists and cyber-security services in order to always be sure that your entire data handling meets GDPR. Your marketing manager or IT manager is usually able to play this role.
     
  • If one of your contacts asks you to have their data permanently removed (ie, their GDPR-given "right to be erased"), just follow this quick how-to.


 

OK, be honest. Should I really, really need to worry about GDPR?

Not if you use E-goi! We already comply with GDPR plus a number of other international data protection laws. GDPR is just a way to enforce this across the board. But if you were already doing things by the book - by following best practices and managing all your contacts using E-goi -, you've got nothing to worry about. And no need to re-confirm your contacts again either!


 

I'd still like to take a look at the full legalese lowdown. Where can I do it?

Have a gander at this primer by ICO.