I am aware that email is considered PII and should be used and stored under strict security guidelines as per GDPR. If we use email in any of our communications, in what cases might it not be considered PII under GDPR?

user211383
  • Storing customers' (and even other employees') email is covered. If you send an email to a customer, that's fine. Just don't give out other people's email addresses, and protect your data. – MikeP Jul 02 '19 at 02:34
  • Although interesting and potentially useful for many, this question is not about security, but more about legal matters. However, I answered it below. – Overmind Jul 02 '19 at 06:35
  • What does this have to do with NIST, a US government institution? – user Jul 02 '19 at 10:53

1 Answer

The issue of e-mails reduces to the following: you need consent and you are not allowed to share it with 3rd parties without proven consent. If you want to share the e-mail or send them unsolicited e-mails, you need the consent and here things can be more complicated than they apparently are.

In detail:

1. Consent requires positive opt-in

That means, no pre-ticked boxes. For consent to be valid under GDPR, a customer must actively confirm their consent, such as ticking an unchecked opt-in box. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.

Recital 32: “Silence, pre-ticked boxes or inactivity should not constitute consent.”

2. Consent requests must be kept separate from other terms and conditions

E-mail consent must be freely given—and that’s only the case if a person truly has a choice of whether or not they’d like to subscribe to marketing messages. If subscribing to a newsletter is required in order to download a white-paper, for example, then that consent is not freely given.

Under GDPR, e-mail consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless e-mail consent is necessary to complete that service.

Article 7(4): “When assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

3. Withdrawal should be possible and easy

Article 7(3): “The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.”

All major e-mail laws in the U.S. and E.U. require brands to give their subscribers the opportunity to opt out from receiving e-mails. Promotional e-mails you send must include an option to un-subscribe. If you are already compliant with current Canadian, American, or European e-mail laws, you may not have to change much when it comes to this requirement for GDPR compliance. Still, better make sure everything is compliant.

List of "do nots":

  • do not charge a fee
  • do not require any other information additional to the e-mail address
  • do not require subscribers to log in or ask them to visit more than one page to submit their request

Additional warning: by not having an easy un-subscribe process, your e-mail domain may be blacklisted for sending spam. Many companies choose to do so to prevent abuse.

4. Keep consents documented as evidence

GDPR not only sets the rules for how to collect consent, but also requires companies to keep a record of these consents.

Article 7(1): “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

In some countries, the burden of proving consent has always been the responsibility of the company that collected the opt-in. For many other marketers, however, this requirement is a new challenge to tackle.

Keeping evidence of consent means that you must be able to provide proof of: who consented, when they did it, what they were told that made them do so, how they did it, and whether they have since withdrawn, or tried to withdraw, consent.

5. Make sure you know when to re-use consent

Recital 171: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”

GDPR applies to all existing EU subscribers on your e-mail list. If your existing subscribers have given you consent in a way that’s already compliant with GDPR—and if you kept record of those consents—there’s no need for you to re-collect consent from those subscribers. If your existing records don’t meet GDPR requirements, however, you have to take action.

So, in conclusion, you should audit your existing e-mail lists and figure out who on your e-mail list already provided GDPR-compliant consent and who needs to do it.

Overmind
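As an added illustration of points 4 and 5 of the answer above (this is not code from the original post or from anyone on this page): a minimal consent ledger that stores the evidence listed (who, when, what they were told, how, and any withdrawal) and audits a mailing list into subscribers who may be e-mailed, those who must re-consent, and those who withdrew. The field names, address values and the "pre-ticked" / "bundled" flags are my own assumptions about how such a record might be modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    email: str                 # who consented
    given_at: datetime         # when they consented
    notice_text: str           # what they were told at the time
    method: str                # how, e.g. "ticked unchecked opt-in box"
    active_opt_in: bool        # positive action, not a pre-ticked box (Recital 32)
    bundled_with_terms: bool   # tied to T&Cs or an unrelated service (Article 7(4))
    withdrawn_at: Optional[datetime] = None  # set on withdrawal (Article 7(3))

def record_consent(records, email, notice, method, active, bundled, when):
    records[email] = ConsentRecord(email, when, notice, method, active, bundled)

def withdraw_consent(records, email, when):
    # Withdrawal is recorded, never deleted: the record itself remains as evidence.
    records[email].withdrawn_at = when

def is_compliant(rec):
    # Valid evidence only for a positive, separately given, documented opt-in.
    return rec.active_opt_in and not rec.bundled_with_terms and bool(rec.notice_text)

def audit(records):
    # Partition the list: who may be e-mailed, who must re-consent, who withdrew.
    result = {"ok": [], "reconsent": [], "withdrawn": []}
    for email, rec in sorted(records.items()):
        if rec.withdrawn_at is not None:
            result["withdrawn"].append(email)
        elif is_compliant(rec):
            result["ok"].append(email)
        else:
            result["reconsent"].append(email)
    return result

def sample_records():
    # Constructed sample list with hypothetical addresses, not real subscriber data.
    records = {}
    for email, notice, method, active, bundled in [
        ("a@example.com", "Monthly newsletter", "ticked unchecked opt-in box", True, False),
        ("b@example.com", "Monthly newsletter", "pre-ticked box left checked", False, False),
        ("c@example.com", "Needed for white-paper download", "bundled with T&Cs", True, True),
        ("d@example.com", "Monthly newsletter", "ticked unchecked opt-in box", True, False),
    ]:
        record_consent(records, email, notice, method, active, bundled,
                       datetime(2018, 5, 25, tzinfo=timezone.utc))
    withdraw_consent(records, "d@example.com", datetime(2019, 7, 2, tzinfo=timezone.utc))
    return records
```

Running `audit(sample_records())` leaves only the actively opted-in, unbundled subscriber in the "ok" list; the pre-ticked and bundled consents fall into "reconsent" and the withdrawn subscriber is kept on file but excluded from mailing.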