When it comes to GDPR and emails things can get confusing! You need to make sure you completely understand the GDPR email terminology potential users/customers/businesses could be using so you can action accordingly.
Although not an exhaustive list, here are some of the terms that will be most useful to understand. We’ve taken this list from our Free GDPR Email Protection Course you can find here.
Consent – This means permission! GDPR’s aim is to allow users more control over their data and is big on consent which means if you don’t have it, you can’t use it. Now there are some situations where direct consent isn’t needed, for example if someone makes a purchase from you, you’re allowed to send them a relevant email about their order without their consent as it’s a necessary byproduct of the purchase. Another example is when a company or business has a business specific email address on their “Contact Us” page. This is considered consent as long as the email is a business and not personal address e.g. email@example.com NOT Bob@businessname.com. One thing to note here is you still can’t add them to a mailing list but you can contact them with something of genuine interest.
Data Breach – This is where information has been accessed by unauthorised third parties due to a security issue. This usually refers to confidential or sensitive information.
Data Controller – The ICO define a data controller as:
“A person who (either alone or jointly or in common with other persons) determines the
purposes for which and the manner in which any personal data are, or are to be processed”
Data Portability – This is the right of the user to move personal data to competitors and businesses have to comply. It must be readable and universally accepted by the other party and once moved, the original business may not store it (unless for legal/tax purposes.)
Data Processor – The ICO define a data processor as:
“In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.”
Data Processing – When information is handled, physically or digitally for any action. For example, collecting it, uploading it into an automatic algorithm, using it to segment etc.
Data Protection Authorities (DPA) – These will be appointed in individual EU-based countries to enforce and support the new data protection laws.
Data Protection Officer (DPO) – Data controllers will appoint an employee (or sometimes hire externally) a DPO whose responsibility is to make sure data protection and processing is met and understood throughout the organisation.
Data Subject – This is any person that the personal data is about.
Erasure – When an individual makes an erasure request, this means to have all of their personal data removed from your organisation (and third party organisations you use to manage this personal data) Not complying with this can leave you open to fines.
Encryption – A way of making information protected to prevent unauthorised entities or people being able to access, read or extract the data.
Pseudonymisation – A way to make personal data less identifiable to an outside party by using pseudonyms and preset identifiers in place of the data itself.
Recipient – The receiver of your email
Subject Access Request (SAR) – Contrary to popular belief, this isn’t actually new. A SAR request is something a user can do via email which entitles them to ask what information is stored about them. You may find the “Subject Access Code of Practice” by the ICO useful. Also known as a “Right to Access Request”
For more information on email protection in the age of GDPR, check out our FREE COURSE HERE to guide you through it!