How to Get GDPR Consent for Marketing

What does Mailchimp do to comply with the GDPR?

• Appointed a Data Protection Officer (DPO) to oversee our compliance program.
• Continuously review our security measures to ensure any personal data we collect and process on our systems is adequately protected.
• Ensure our Privacy Policy clearly explains Mailchimp's commitment to the GDPR, is transparent about how we use personal data, and gives individuals information about how they can exercise their data subject rights.
• Incorporate the EU's Standard Contractual Clauses in our Data Processing Addendum which automatically forms part of our Standard Terms of Use (our contract with you) and applies to customer data protected by EU laws.
• Provide our customers with GDPR-ready terms in our Data Processing Addendum and update our contracts with third party vendors to ensure they are GDPR-compliant.
• Maintain formal processes around data subject rights to ensure we can help customers fulfill requests they receive.
• Respond to and fulfill data subject rights requests in our role as a controller.
• Complete Data Protection Impact Assessments to identify and minimize any risks from our processing activities.
• Maintain accurate records of our processing activities, both as a processor and controller of personal data.
• Pay close attention to regulatory guidance around GDPR compliance and making changes to our product features and contracts when they're needed.
• Certify annually with the EU-U.S./Swiss-U.S. Privacy Shield Frameworks and continue to protect EEA, UK, and Swiss data in compliance with the Privacy Shield Principles. You can view our Privacy Shield certification here.

Data protection and GDPR FAQs

Why is data protection important?

Aside from the fact that you may be required to follow certain data protection laws based on your business operations, data protection offers several benefits. Following data protection best practices is especially important if your business deals with customers’ personal data.

Data breaches aren’t just a pain for your customers, they also can also be financially devastating for businesses. A data breach can cause you to lose customers, which means fewer sales and more money spent on new customer acquisitions. System downtime as a result of a data breach means you can lose even more money.

When it comes to GDPR compliance and data protection, you also have to consider the reputation of your company. Data breaches—especially repeated data breaches—can lead to customers losing trust in your business, especially if you’re dealing with sensitive identification or financial information. Some businesses have suffered a huge loss in terms of their reputation as a result of multiple data breaches. A commitment to protecting customers’ data also helps build trust with your customers, which helps you keep customers around for a long time and reduce customer acquisition costs.

Data protection is also great because it can help you change the way you manage your data and ensure it’s secure but always readily available. Proper data collection and management are cornerstones of data protection, so protecting your data and implementing things like GDPR consent can help you improve your data management as a whole. This means data is always available when you or your customers need it, so business operations aren’t interrupted.

What are the benefits of GDPR consent?

First and foremost, it’s essential that you’re following GDPR guidelines if you’re required to based on the data you collect. If your business collects personal data from anybody in the European Union, GDPR consent is an important part of making sure you’re collecting that data legally

Data must be processed using appropriate measures, which means you have to make sure your cybersecurity is up to standards to maintain GDPR compliance. While there are no specific guidelines you have to follow in terms of cybersecurity when it comes to following GDPR guidelines, you’re expected to maintain a certain level of cybersecurity to protect customers’ data. If you’re currently overlooking cybersecurity, this is the perfect time to work on it.

The last thing you want is for customers to think of your business as susceptible to data breaches. Many consumers are already skeptical enough about using credit and debit cards online without having to question the data protection practices of the company they’re doing business with. With GDPR consent, customers know their data is protected because you’re required to follow certain regulations. Plus, avoiding data breaches helps you keep your reputation intact, so people aren’t afraid to shop with you.

Improved data management is another benefit of GDPR compliance. When you use GDPR consent and collect data according to GDPR guidelines, you also have the opportunity to adopt data management best practices that you may not have used before. And because GDPR compliance requires you to collect, store, and manage data in a particular manner, it helps improve your data management by default. If you’re already overhauling your data collection and management processes, you can take the opportunity to make sure you’re on top of GDPR compliance as well.

Do I, as an individual, have to comply with GDPR?

As an individual, you are required to maintain GDPR compliance as long as you meet the criteria. As long as you collect data from people who are residents of the European Union, you’re required to follow GDPR guidelines when it comes to the collection, storage, and management of that data. That being said, there are certain cases where an individual isn’t required to maintain GDPR compliance even if they’re collecting data from people in the EU.

One of the most important things to keep in mind is that certain types of data are exempt from GDPR guidelines. Essentially, you’re only required to follow GDPR guidelines if you’re collecting personal information from residents of the EU for business purposes. Other types of data collection aren’t subject to GDPR guidelines. This includes personal data collection, such as lists of phone numbers, addresses, and other information that is intended for personal use. That being said, it’s still a good idea to maintain GDPR compliance if you’re collecting any type of data from EU residents. At the very least, maintaining GDPR compliance will help you make sure your data protection and management systems are up to date.

If you’re an individual, but you’re not collecting data from people in the EU, you don’t have to worry about GDPR compliance. However, following GDPR marketing and data protection guidelines can help you make sure you’re protecting customers’ private data, which goes a long way toward increasing customer loyalty and boosting your brand’s reputation.

Even as an individual, it’s important to understand whether or not you’re required to maintain GDPR compliance. You might think you’re collecting a small amount of data that isn’t particularly valuable, but data protection is crucial when you’re dealing with any type of sensitive information.

Are there regulations besides GDPR that I need to follow?

In addition to GDPR compliance for EU resident data collection, there are other regulations you need to follow when it comes to running an online business. Different states and countries have different laws, so the regulations you have to follow vary depending on your business operations.

California has the most well-known data protection law in the United States, which is called the California Consumer Privacy Act (CCPA). Although California residents are protected by the CCPA, the United States itself doesn’t have any national laws regarding data protection. Of course, you’re still required to maintain GDPR compliance and follow other regulations if you’re operating out of the United States but collecting data from customers in certain states or countries. CCPA compliance is a little different in terms of requirements. Your company isn’t required to maintain CCPA compliance unless you deal with California residents and have an annual revenue of at least $25 million, or collect and use data from at least 50,000 residents.

There’s also a Canada law regarding data protection that’s called the Personal Information Protection and Electronic Documents Act (PIPEDA). This law is often referred to as the Canadian equivalent of GDPR, so maintaining PIPEDA compliance is also important for many businesses. Like GDPR compliance, you’re required to maintain PIPEDA compliance if you collect, use, or disclose the personal information of Canadian citizens for business purposes.

The last thing to remember is that there are countless regulations when it comes to running a business, whether you’re running an online business or not. If you have an email marketing campaign, you have to follow the CAN-SPAM Act of 2003. And just like data protection regulations, there are different email marketing regulations for different countries. If you’re doing a lot of business internationally, it may be worth talking with an expert about which laws you’re required to follow.

More about Mailchimp and GDPR compliance.

• A very helpful guide from our Legal team, which covers the GDPR generally and certain parts that are relevant to using Mailchimp.
• GDPR FAQ
• Mailchimp and European Data Transfers
• Mailchimp’s Statement on the Bavarian DPA’s March 2021 Decision
• Privacy Policy
• Cookie Statement
• Security Page
• Data Processing Addendum
• Official text of the GDPR
• The full text of the GDPR