It’s May, the month of new beginnings. The flowers are blooming, the weather is finally nice and GDPR compliance starts on the 25th. The GDPR (General Data Protection Regulation) is the new set of guidelines that you must adhere to if you handle personal data of European Union users.
Not familiar with GDPR? Learn how it affects email marketing here: GDPR and How Compliance Can Improve Your Email Marketing
As you know, we’ve been working hard to develop new features for MailerLite that will help make GDPR compliance easier for you and your subscribers. Over the next 3 weeks, we will share all of our important GDPR updates and include easy-to-follow instructions.
In this post, we will cover some new features that will help you comply with the following GDPR requirements:
The right to be forgotten is a GDPR mandate that allows subscribers to ask you to delete all of the data associated with them.
If someone makes a request to be forgotten, you can’t simply unsubscribe them or delete them from your list. Even when you remove a subscriber from your list, the system keeps a history of the user. You must delete all their data permanently.
This means that you need an easy way to delete EVERYTHING about the subscriber.
When you use the Delete function in the subscriber section of MailerLite, the information is not entirely removed. The reason for this is simple. If that person later resubscribes, his or her history is still there so you don’t have to rebuild their profile.
MailerLite created a new feature called Forget that completely wipes a person’s data from our system. This function was built specifically to help you comply with the GDPR right to be forgotten. Here’s how it works:
On your subscriber page, there is a new button called Actions.
When you choose the Forget option, the subscriber’s data will be completely removed. Everything will be permanently deleted, including reports, clicks, profile data, etc.
This will allow you to comply with GDPR. That said, it is a major step to completely remove a subscriber, which is why we implemented an additional confirmation.
Everyone makes mistakes. The last thing you want to do is delete a happy subscriber’s information by accident. As a safety measure, you will need to type in the word “FORGET” to confirm the deletion.
When you click the Forget button after typing in “FORGET”, the user’s data is completely wiped from the system within 30 days.
Most email service providers make permanently deleting users a manual process. But who has time to fill out forms every time a subscriber makes a request?
We decided to build an automated Forget feature to make it easy for you to comply with this GDPR rule. The feature is now live. But our hope is that you will never have to use it!
Obtaining active and explicit consent from subscribers is a huge deal for the GDPR. If you start sending emails to people who don’t want them, they can cause you a lot of problems within the GDPR framework when they complain.
While you might have heard that you need to revalidate all of your subscribers to comply with GDPR, that might not be the case.
If you’ve been growing your subscribers using opt-in forms that clearly explained how you would use their information, you most likely do not need to reconfirm their consent.
But you will need to have a record of their consent. The burden of proof is on you to provide the documentation proving that a subscriber agreed to share their data.
Here is a checklist of the proof points that you should have:
If you are not sure that you have this information, MailerLite might be able to help you find it.
When you use MailerLite signup forms to acquire subscribers, we capture IP address, location, date, time, and the source of the consent form. This information will solidify your documentation of where, when and at what time your subscribers consented.
MailerLite now displays this information in your subscriber profiles. It is important to note that you can only get this valuable proof from users who subscribe through MailerLite forms.
The good news is that this data is available for both your new and old subscribers.
Moving forward, we will capture the date of the double opt-in (when subscribers confirm their subscription) for another proof point. But this function only works for new subscribers.
The final proof point is a copy of the opt-in form used to get consent. We recommend taking screenshots of your forms. This way you will have a separate record saved in your files if you ever need it.
If you don’t have the necessary information to prove consent, we created a GDPR revalidation template that will help you renew consent.
While most of you have subscribers all over the world, the GDPR only applies to citizens of the European Union. How can you segment EU citizens so you don’t have to worry about GDPR compliance for your entire list?
If subscribers sign up with a MailerLite form, our location tracking capabilities can determine if the person is signing up from an EU country. We can then segment them into a special GDPR group.
It’s important to note that there is a chance an EU citizen is living abroad in a non-EU country. In these cases, it is impossible to identify them as EU citizens. But GDPR states that you only need to make a reasonable effort to determine a person’s status.
Starting May 14, we will launch a new rule in the subscriber filter called Location where you can sort your subscribers by location.
We will also include a special list of all 28 EU countries to help you easily sort GDPR subscribers. By using this filter, you will know how many subscribers you have in the EU.
Again, this feature only works with subscribers that come through a MailerLite form. The location-based ID will not work for subscribers imported from a file or other sources.
Once you identify EU users, you can target them with GDPR-specific emails and requests.
These new features are just a few of the GDPR improvements that we have planned for this month.
Next week we will share additional functionality around web forms that will make your life a little bit easier during this confusing time of GDPR compliance.
And the week after that, we will present the Data Processing Agreement that users will be able to sign and download.
GDPR is coming May 25th, and we want you to have all the tools necessary to make it an easy transition.