CASL requires that all commercial email messages sent to or from Canada receive consent from recipients before sending messages. Such consent can be implied. If the sender has a preexisting relationship with the recipient, for instance, the communication is viewed as consensual. Australia’s Anti-Spam Act has similar stipulations and applies to emails to and from that country.

The GDPR has similar restrictions about email messages as well, but the law affects many more people — 750 million versus about 60 million for the combined populations of Canada and Australia. Neither soft opt-in or soft opt-out options are allowed. These restrictions are much more stringent that those set forth by the U.S.’s 2003 CAN-SPAM Act, which does not require that emailers permission before they send their emails.

The vast majority of marketers do not understand the full implications of new European data laws and are ill-equipped to deal with their consequences.

According to a World Federation of Advertisers (WFA) survey of major global brands that spend more than $20bn on marketing annually, 70% of brand owners do not feel marketers in their organisation are fully aware of the extend of the General Data Protection Regulation (GDPR) and just 65% expect to be fully compliant when it comes into force in May 2018.

One in four organisations admitted they are still in the “initial planning stages”, while only 41% have a framework or strategy in place to ensure they comply with the new laws.

There are two categories of sanctions with associated fines associated for non-compliance. Companies may fall into minor or technical and major violations. Each can range from about €12 million to €20 million ($15 to $24 million USD) and above. Should individuals suffer damages from non-compliance, untapped liability may ripple across the value chain, adds Precsenyi.

Data protection has always been important. Now it’s becoming urgent. Here’s a primer on how companies can adapt to the new rules.

Data subject consent is a massive issue ‒ how you obtain consent from a data subject. Under GDPR, a data subject is the actual individual and not an anomaly. Cross-border data transfers is a big one. If you’re moving data around Europe or from Europe back to the US or wherever it may go, that’s something to think about. In terms of how it’s done from an adequacy perspective, under the current environment, the cross-border data transfer mechanism between Europe and the US is governed by a program called the privacy shield, and we are privacy shield-certified as a company. But there will be other entities that come to play to help that along.

Profiling and the right to reject will be a massive issue in terms of how individuals get profiled and how they have the right to object about being profiled; meaning, if I know that you’re wearing a white shirt today, I’m going to profile your shirt preferences, and maybe send you some white pants to go with that. As the individual, the issue is how you can manage that in terms of being able to opt out of that profiling moving forward.

I’m starting to get a lot of email from companies that haven’t asked permission to email me. I suspect that a few of the new sales prospect scraping technologies out there are supplying email addresses to aggressive sales and marketing teams.

What about security? Data loss prevention, security management, etc.
There are two particular items around security. The EU introduces, for the first time, a data breach notification requirement. Some countries had this before, some did not, but it requires companies to notify users within 72 hours of discovery. Any data breach that happens must be reported. Where this becomes controversial is with large organizations such as banks and retailers, who have had contained breaches that they declined to report, now have a legal obligation to tell people. Alongside that, GDPR massively increases fines that can be levied to organizations for failing to comply with GDPR.   

The other security aspect is that GDPR requires that security be included in development by design, from the beginning. What this means is that when you are building new processes or IT systems, you have to be able to demonstrate privacy from the start. You can’t build it on top, you have to build it from the start and this is a major consideration with software system design. In addition, you are responsible for your data supply chain. If you hire a software developer to develop something for you, it is your responsibility to commission this to include privacy by design. If you commission another organization to do something for your network in an outsourcing agreement, you are responsible for them having appropriate security protections. If you are a cloud provider, you have to be able to show that you comply with GDPR or your customers won’t be able to store in your cloud. All three of the big cloud providers have committed to this but some of the smaller cloud providers could be put at a competitive disadvantage if they can’t comply.

"GDPR response, therefore, will need to orchestrate not only technology, but also people and processes.

-Have a plan. When preparing for GDPR, having a robust response plan in place is an important first step. Security teams should also consider mapping out how response will happen if a breach is impacted by GDPR. From there, creating or adapting processes so that the appropriate measures are taken when an incident occurs. Keep the people aligned by outlining key tasks and assigning owners across the company to ensure accountability.
-Practice your plan. Under the GDPR’s short notification period there is no room for error. An important best practice is running a simulation every quarter to test out something that perhaps the company doesn't have regular experience with. For example, analysts can rehearse assessing a risk and running through the steps involved in engaging with a Data Protection Authority and notifying the people whose data has been compromised. This frequent practice can help to identify gaps and areas of improvement."

Planning for GDPR Compliance – Are you ready? The General Data Protection Regulation (GDPR) comes into force on May 25th 2018 and triggers the most signifi. Marketing topic(s):Digital marketing strategy. Advice by Expert commentator.