5 legal obligations for databases

Nov 6, 2024

The GDPR is all about protecting people’s data. As for companies, data is mainly pooled in their databases. 

How can you optimize the performance of your email strategy while protecting your audience’s privacy?  

 

Here’s a look at 5 GDPR requirements and how to apply them to optimize your database.

1. Collect data in compliance with the GDPR 

You can only collect data by complying with the principle of free and informed consent.

What is free and informed consent?

When signing up, users must be informed of several settings to allow them to choose to provide (or not) their information including:

  • What is the purpose of collecting their data?
  • Who is the data controller? 
  • How long will the data be kept?
  • Their right to withdraw consent at any time.

This information must be provided to the individual before they consent to sign up. 

 

In addition to these legal obligations, consider sharing additional information to reinforce trust in your brand and increase the results of your email campaigns: 

  • What types of communications will they receive (advertising, transactional, informational messages…),
  • How often messages are sent,
  • What topics are covered.

Above all, this information needs to be provided in a clear, legible and unambiguous manner.
Implement these rules for your database to comply with the GDPR but also to build a relationship of trust with your audience.

Mindbaz users can implement a newsletter sign-up pop-up to ensure data collection compliance.
Ask us how to add it to your website

2. Set up a plan to enforce the right of withdrawal

The second is the right of access, rectification and deletion.

User have the right to

  • access their data
  • rectify it
  • have them deleted under certain conditions, for example, if their personal data is no longer required for the purposes for which it was collected, if they object to the processing of their data for direct marketing purposes, or if a recipient proves that their data has been processed unlawfully (e.g., without valid consent), among others.

What does this right mean for brands?

If you manage one or more databases, you must put in place procedures to help users assert their rights.

For example, you must

 1. Be able to provide collection information on request: 

  • Collection date 
  • Collection time 
  • Collection IP

2.  Implement a strategy to make unsubscribing easier 

– A clearly visible and operational unsubscribe link in every email.
– A preference center where users can choose which notifications they want to receive.
– Send an unsubscribe confirmation to inform the recipient that their request has been taken into account and that they will receive no further communications.

You can also go a step further by providing proof that the unsubscribe request has been taken into account, using the date and time sent by your router.

lexique_email_termes_delivrabilite_email_expliques_simplement_par_mindbaz

3. Stop collecting useless information

Data allows you to better target your recipients and efficiently personalize your campaigns.

But the GDPR states that the data collected must be relevant, limited and in line with the purposes for which it is used.

Specifically, you cannot

  1. Collect the full postal address of your recipients if you only use the city in your email campaign targeting.
  2. Collect geographic information if you don’t send postal mail or geotargeted email campaigns
  3. Collect information without being able to justify its use

 

This rule is part of the data minimization policy, a key data protection policy. 

It is the purpose of the data processing that will enable you to justify its collection.

4. Prevent data security breaches

Limit the risk of data leakage

To prevent hacking or fraudulent use of data, data controllers must implement technical measures.

This means putting in place measures to prevent the loss, destruction, disclosure or unauthorized access of personal data in your possession. 

In other words, it’s a matter of preventing hacking from cyber-attacks, as well as internal data theft.

To protect yourself as much as possible against this type of risk, here are a number of measures to implement:

  • Data encryption, 
  • Strong password policy, 
  • Employee awareness, 
  • Limiting data access to authorized personnel only…

However, it is also necessary to prepare a data breach management plan. 

rgpd_obligations_bases_de_donnees_email_mindbaz_delivrabilite

8 actions to anticipate in the event of a data breach

  1. Identify the data breach
    Understand the nature, extent, context and possible consequences of the breach.

  2. Contain the breach
    Take immediate steps to limit the damage, such as correcting the security breach or recovering the data.

  3. Assess the risks
    Assess the risks to data subjects and determine whether the breach needs to be notified to the CNIL and to data subjects.

  4. Notify the breach
    If the breach is likely to generate a high risk for the rights and freedoms of individuals, it must be notified to the CNIL within 72 hours, and to the individuals concerned as soon as possible.

  5. Document the violation
    Document all actions taken in response to the breach, as well as its effects.

  6. Take preventive measures
    Once the breach has been dealt with, it is important to take steps to prevent future breaches, such as updating security systems or training staff.

  7. Cooperate with the CNIL (French Data Protection Authority)
    In the event of a CNIL inspection or request for information, the company must cooperate and provide all necessary information.

  8. Inform and communicate
    Inform data subjects of the measures taken to protect their data, and reassure them about how the situation will be managed.

5. Keep data for a limited time

Data must be kept for up to 3 years maximum after the last active contact

3 years is the duration required by the GDPR to respect the right to be forgotten.

 

 

Inactive users

Before reaching the 3-year mark, identify and specifically solicit your inactive customers. List the key information:

  • why they became inactive, 
  • what this information says about your targeting
  • your content, 
  • your marketing strategy…

✅Reactivating data is much cheaper than acquiring new data.

Discover other ways to improve your deliverability

 

What does your email router do to help you comply with the RGPD?

To ensure that you meet your legal obligation, Mindbaz has been developing a 3-year inactive purge service for all your databases.

Beyond your legal obligations, this deletion will help improve your email deliverability. 

Removing inactives from your databases has many benefits:

  • Improved sender reputation
  • Optimized campaign performance
  • Preventing blacklisting of your IPs and your sending domain

 

And it can even save you from far more serious problems:

These inactives include many hardbounces and undoubtedly also spamtraps.

The consequences are far more serious once you’re listed with Spamcop, Abusix or SpamHaus, which blacklist senders who don’t follow best practice.

Programmez votre purge en contactant les équipes de Mindbaz