You've probably heard about the General Data Protection Regulation (GDPR), and you might have a few questions about it. Here’s some information about the law and how it affects Mailchimp and our users.
This article is provided as a resource, but it’s not legal advice. We encourage you to speak to legal counsel to learn how the GDPR may affect your organization.
What and who
The GDPR is a European Union (EU) privacy law that affects businesses around the world. It regulates how any organization that is subject to the Regulation treats or uses the personal data of people located in the EU. Personal data is any piece of data that, used alone or with other data, could identify a person. If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you'll need to comply with the GDPR.
The GDPR replaces an older directive on data privacy, Directive 95/46/EC, and it introduces a few important changes that may affect Mailchimp users.
You need to have a legal basis, like consent, to process an EU resident's personal data. If you rely on consent, it must be freely given, specific, informed, and unambiguous.
In order to verify that you have obtained adequate consent, you will need a written record of when and how someone agreed to let you process their personal data. Consent must also be unambiguous and involve a clear affirmative action. This means clear language and no pre-checked consent boxes.
About individual rights
The GDPR also outlines the rights of individuals around their personal data. EU citizens will have the right to ask for details about the way you use their personal data and can ask you to do certain things with that data. You should be prepared to support these requests in a timely manner. Individuals have the right to request their personal data be corrected, provided to them, prohibited for certain uses, or removed completely.
You should also be able to tell someone among other things, how their personal data is being used. If they ask, you’re obligated to share the personal data you hold on an individual, or offer a way for them to access it.
What does Mailchimp do to comply?
- Appointed a Data Protection Officer (DPO) to oversee our compliance program.
- Continuously review our security measures to ensure any personal data we collect and process on our systems is adequately protected.
- Ensure our Global Privacy Statement clearly explains Mailchimp's commitment to the GDPR, is transparent about how we use personal data, and gives individuals information about how they can exercise their data subject rights.
- Provide our customers with GDPR-ready terms in our Data Processing Addendum and update our contracts with third party vendors to ensure they are GDPR-compliant.
- Maintain formal processes around data subject rights to ensure we can help customers fulfill requests they receive.
- Respond to and fulfill data subject rights requests in our role as a controller.
- Complete Data Protection Impact Assessments to identify and minimize any risks from our processing activities.
- Maintain accurate records of our processing activities, both as a processor and controller of personal data.
- Pay close attention to regulatory guidance around GDPR compliance and making changes to our product features and contracts when they're needed.
- Certify annually with the EU-U.S./Swiss-U.S. Privacy Shield Frameworks and continue to protect EEA, UK, and Swiss data in compliance with the Privacy Shield Principles. You can view our Privacy Shield certification here.
What can I do to comply?
Mailchimp offers tools related to consent and individual rights to help you comply with the GDPR. We encourage you to consult with legal or other professional counsel about your GDPR compliance.
Transparent data processing is mandatory, and it’s also an opportunity to strengthen your marketing relationships. We’ve updated Mailchimp signup forms to help you stay compliant with the latest laws.
If you’re going to rely on consent to process the personal data of EU citizens, the GDPR says you must obtain specific consent from your contacts and clearly explain how you plan to use their personal data. Our GDPR-friendly fields include checkboxes for opt-in consent, and editable sections that allow you to explain how and why you are using data.
Mailchimp stores your forms and contact data in case you need it in the future. If someone signed up to your audience through a Mailchimp hosted form, you can export that audience and view information related to the signup. For additional evidence of consent, you may choose to turn on double opt-in.
If you rely on consent to process contacts' personal data, double check whether the consent that you obtained meets the GDPR's standards. For example, check third-party integrations to be sure they don't automatically add people to your Mailchimp audience without an opt-in checkbox that clearly states how you'll use that person's data. You should also review the terms associated with any Mailchimp add-ons or third-party integrations you use.
To learn more about permission data, check out Export Proof of Consent
To learn more about using GDPR-friendly forms, check out Collect Consent with GDPR Forms
Understand individual rights
All Mailchimp users can access their Mailchimp audiences to correct or update information upon the request of their contacts. Your contacts can continue to update their own data, too, by contacting us or updating their preferences in any email they receive from you.
We want to help our users, but it’s important to note that the GDPR's provisions could affect your business outside of how you use Mailchimp. Here are some additional resources.