What is GDPR?
GDPR is legislation that will affect email marketers. Businesses failing to comply may face huge fines.
Learn here how to choose an email verification service to avoid being fined!
GDPR (General Data Protection Regulation) is legislation approved by the European Parliament in 2016 that clearly defines how European personal data must be handled. The European Parliament gave businesses worldwide 2 years to comply with the regulation. The GDPR becomes enforceable in May 2018.
It affects all businesses worldwide, not only European ones!
GDPR comes with extended jurisdiction: it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
The 28 EU countries are: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
Why should you care?
Well, first of all, it is there to protect personal data, which is in everyone's interest. But to make sure the regulation is followed to the letter, companies not complying with it may face a significant fine. Whether you are running a European business or you handle (control or process) European personal data, you must comply with the regulation to avoid being put out of business.
Under GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million (approximately 24.5 million USD), whichever is greater.
Who Needs To Comply With GDPR?
For the first time, the European Commission is exporting European data protection principles to the rest of the world.
- European Businesses controlling or processing personal data.
- A business anywhere in the world that controls or processes personal data of European citizens, regardless of where they live.
So if you are a company based in the US and all your customers live in the US, you still have to comply with GDPR if any of your customers is a European citizen.
If you collect personal data, such as names, addresses, phone numbers, email addresses or pictures of customers or subscribers, and any of them happen to be European, you must comply with GDPR.
If you use email marketing or direct mail, or have a call centre reaching out to your EU customers, you must comply with GDPR.
Approximately 95% of our customers must comply with GDPR, whether they are running a business in the EU, US or anywhere in the world.
Privacy Shield Framework Provides NO Guarantee
Privacy Shield provides a self-certification method for US companies to offer services even when dealing with European data.
However, at the time of writing this article (February 2018), a Privacy Shield certification does not automatically guarantee that a US company complies with GDPR. And there are no signs that Privacy Shield will ever guarantee that a certain US business can be trusted in terms of GDPR.
In October 2017 the European Commission conducted a review of Privacy Shield and found major gaps that require immediate action, e.g.:
- Preventing false self-certification
- Raising public awareness of how to exercise rights
- Closer cooperation between privacy enforcers
- Appointing a Privacy Shield Ombudsperson
Most of these concerns are still waiting to be addressed.
Until false self-certification is prevented in the US, a Privacy Shield logo does not prove that the company complies with European standards of data protection.
GDPR & Email Verification Services
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
An email address is personal data.
You must have a valid lawful basis in order to process personal data, such as a solid opt-in process, and you must keep the data secure.
In terms of an email verification service, the user / customer who verifies email addresses is the data controller.
If you are a controller, you are not relieved of your obligations where an email verifier service is involved – the GDPR places further obligations on you to ensure your contracts with the email verifier comply with the GDPR.
A processor is responsible for processing personal data on behalf of a controller. In our case the email verification company is the data processor.
Email verification services are required to maintain records of personal data and processing activities. They have legal liability if responsible for a breach.
Sharing Personal Data With An Email Verifier
It is not enough that your business complies with GDPR; the email verification service you use must comply with GDPR too.
Watch who you share your data with: it can get you into bigger trouble than not having proof of opt-in.
Before sharing personal data with an email verifier you must make sure:
- You are dealing with a legitimate business;
Having a shiny website doesn't mean there is a legitimate company behind it. Do your research: what is the company name, and where is it registered? Check whether the company actually exists.
- There is a written contract in place;
This ensures that both parties understand their responsibilities and liabilities. You are liable for the email verifier's compliance with the GDPR and must only appoint an email verification service that can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.
- The email verifier has sufficient privacy and data protection policies in place;
Many email verifier "companies" run without any public policies or responsible persons. If it is not clear who you are dealing with, don't deal with them. If a company doesn't have a policy in place, it definitely will not follow one, and you will be held responsible for having handed European personal data to them.
- The email verification service has appointed a data protection officer;
Businesses that carry out large-scale processing of special categories of data must appoint a Data Protection Officer (DPO). All email verifiers process personal data at large scale! If they have not appointed a DPO, they are not allowed to process EU data. And once again, you will be held responsible if you hand personal data to them.
- Use an email verifier in a trusted country, OR make sure YOURSELF that the email verification service fully complies with GDPR;
It is your responsibility to choose the right email verifier. If an email verification service is based in the EU, has policies published and a DPO, you should be on the safe side.
Using a non-EU-based business for email verification is also possible, as long as that third country follows EU data protection standards (e.g. the USA does not) or the email verification company is fully compliant with GDPR. It is your responsibility to make sure the company you choose is compliant.
Don't Become A GDPR Headline!
Your business may face a fine of up to €20 million (24.5 million USD) if you fail to comply with GDPR, even if you are a non-EU business.
Whether you are based in the US, India, Brazil, or anywhere else in the world, you must make sure you follow GDPR.
Let's say you don't have proof of opt-in and there are hundreds of complaints against you. You are likely to get a fine. Probably a small one.
But if you upload tens of thousands of EU personal data records to a shady website and they sell those details, you will get the big fine. The €20 million ticket will be given to those who committed or cooperated in a data breach.
Don't risk your entire business by using shiny but shady email verifiers.
Avoid Illegal Email Verifiers
There are hundreds of email verification services online. Some are better than others, but most of them are illegal! Be careful who you choose.
Remember, it is your responsibility as a data controller to use data processors (e.g. email verifiers) that comply with GDPR.
How to identify illegal email verification websites?
Before choosing an email verifier you must ask the following questions to avoid being scammed:
- Do they have a published company name? Address? Responsible person for data protection?
Many email verification "services" are run without a company or responsible person. Before you sign up, make sure they have published their company details on their website. Check whether the company name belongs to a real company. Find out whether they have named a person responsible for data protection on the website. If any of these details are missing or misleading, do not use their services.
- Do they have a Data Protection Officer (DPO)?
Email verifiers deal with personal data at large scale; they are required by law to appoint a DPO.
- Do they offer illegal services, such as data append?
Personal data append is a serious data protection breach. Do not sign up for any websites offering such a service. It is illegal.
- Do they try to trick you with made up services, such as spam trap or complainer removal?
This is a common trick used by scam email verifiers. They claim they can verify spam traps and identify habitual complainers.
First of all, it is a sales scam; don't be misled.
On the other hand, if they hold any personal data to match against your personal data in order to highlight e.g. complainers, that is illegal under GDPR.
HuBuCo is fully compliant with GDPR
Whether you are European or not, you can trust a well regarded British email verification company.
We will never sell or use your contacts. Our servers are based in the European Union. And we follow European data protection principles.
In our Data Protection Policy you can find the most important information you need about HuBuCo and GDPR.
Should you need any further information, or need us to sign a GDPR contract, feel free to contact our support.