GDPR Means Revisiting Email Marketing

Uploaded on 2018-08-30 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

Data security always has meant different things to different people. Most have agreed on the importance of using firewalls, but for decades, businesses have been able to choose the level of data encryption they employ. If they didn’t think a VPN was necessary, they simply didn’t use one. If they didn’t think they needed end-to-end data encryption, they would skip it and take their chances. That is, until recently.

Thanks to the newly enforceable General Data Protection Regulation (GDPR), data security is starting to have a legal definition, making it a legal requirement to have certain types of data security.

The GDPR regulations exist to protect the data of EU citizens and applies to enterprises globally because EU citizen data is stored by businesses all over the world.

Since a majority of personal data is collected and stored when people sign up for newsletters, businesses can no longer approach email marketing strategies casually and need to take extra precautions.

Don’t skip the double opt-in

A double opt-in process gives you tangible proof that each user joined your list of their own free will. Under GDPR, you are required to be able to prove every user chose to sign up.

Wanting to skip the double opt-in process for your new leads is understandable. Will the confirmation email go to spam? What if they forget to check for it, or the email is delayed? How many signups will you lose because people don’t want to go through the extra step?

These questions are valid concerns. However, they’re based on flawed logic. The incorrect perception is that getting as many leads as possible is a productive approach to email marketing. The truth is, if your leads don’t take the time to confirm their choice to join your email list, they’re not likely to be good customers.

Good customers are the heart of every successful business. For most businesses, 80% of sales come from about 20% of their customers. You really don’t want to keep every customer, and experts even recommend “firing” 10% of your customers each year.

Leads that don’t take the time to confirm opt-in probably don’t care much about the information in the first place. Or, they were just looking for a freebie. Your best leads will be people who are passionate about what you’re sharing and can’t wait to receive your confirmation email.

Encrypt internal email messages, too

No matter how private you think your emails are, every email you send and receive is stored on a remote hard drive you have no control over. If your email provider doesn’t encrypt your emails from end-to-end, (most don’t), all company emails are at risk.

Encrypting employee email communications plays a huge role in maintaining GDPR compliance. The average employee won’t think twice about emailing co-workers about sensitive issues that may include data from the business database. For example, someone might send a customer’s credit card information to the sales department for processing a return.

To protect your internal emails and maintain GDPR compliance, buying general encryption services isn’t enough. You need to know exactly how and when the data is and isn’t being encrypted. Not all encryption services are complete.

For instance, if you’re using Microsoft 365, you’ve probably heard of a data protection product called Azure RMS. This product uses TLS security to encrypt email messages the moment they leave a user’s device. Unfortunately, when the messages reach Microsoft’s servers, they are stored unprotected.

“This means that Microsoft and other intermediary third-party providers can access the securely-sent data,” say security experts at Virtru, “making certain data residency, privacy, and compliance requirements more difficult to meet.”

How you secure your Data is no longer your choice

GDPR regulations require businesses to take specific measures to protect data, including:

  • The pseudonymisation and encryption of data;
  • The ability to restore users’ access to their own personal data after a breach;
  • The frequent testing of a business' security measures;
  • The right to have personal data deleted (although it’s already a law (Google Spain vs. Costeja).

Fines for ignoring these requirements can be hefty at up to 10 million euros or 2% of the business’ annual turnover, whichever is higher. Additionally, that fine may rise to 4% if certain obligations are ignored.

Employing data security according to your own preferences is simply no longer worth the risk.

Information-Management:

You Might Also Read: 

GDPR Survey Shows 80% Non-Compliance:

Get Ready For ePrivacy Regulation:

 

« Satellite Imagery + Social Media = A New Way To Spot Emerging Nuclear Threats
AI Driven Security Is Much More Than An Algorithm »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Bastille

Bastille

Bastille’s patented software and security sensors bring visibility to devices emitting radio signals (Wi-Fi, cellular, IoT) in your organization.

Global Information Assurance Certification (GIAC)

Global Information Assurance Certification (GIAC)

GIAC provides certification in the knowledge and skills necessary for a practitioner in key areas of computer, information and software security.

TÜV Informationstechnik (TÜViT)

TÜV Informationstechnik (TÜViT)

TÜViT is a leading service provider in the IT sector offering unbiased and independent tests and certifications of IT products, hardware, software, systems and processes.

TrainACE

TrainACE

TrainACE, is a professional computer training school offering courses in information technology with a focus on Advanced Security training.

Tigera

Tigera

Tigera provides zero-trust network security and continuous compliance for Kubernetes platforms that enables enterprises to meet their security and compliance requirements.

Blancco Technology Group

Blancco Technology Group

Blancco Technology Group is a leading global provider of mobile device diagnostics and secure data erasure solutions.

Penacity

Penacity

Penacity, LLC provides strategic consulting technology services and Information Security Services to commercial and government organizations.

Asvin

Asvin

Asvin provides secure update management and delivery for Internet of Things - IoT Edge devices.

CloudOak

CloudOak

CloudOak is a cloud channel provider for hybrid cloud Backup as a Service (BaaS), Disaster Recovery as a Service (DRaaS) and Archiving to Small to Medium Business (SMB).

Aptiv

Aptiv

Aptiv is a global technology company that develops safer, greener and more connected solutions enabling the future of mobility.

Cyber Resilience Centre for Wales (WCRC)

Cyber Resilience Centre for Wales (WCRC)

The Cyber Resilience Centre for Wales (WCRC) is part of the national roll out of Cyber Resilience Centres in the UK which began in 2019.

Luta Security

Luta Security

Luta Security implements a holistic approach to advance the security maturity of governments and organizations around the world.

Althammer & Kill

Althammer & Kill

Althammer & Kill offers pragmatic solution concepts for data protection and digitization. We advise in the field of data protection, information security and compliance.

Action Fraud

Action Fraud

Action Fraud is the UK’s national reporting centre for fraud and cyber crime where you should report fraud if you have been scammed, defrauded or experienced cyber crime.

CyberSecureRIA

CyberSecureRIA

We founded CyberSecureRIA specifically to secure and support RIAs. We exist to secure SEC-registered RIAs, and keep them compliant with cybersecurity regulations.

rThreat

rThreat

rThreat is a cloud-based SaaS solution that challenges your cyber defenses using real-world and custom threats in a secure environment, ensuring your readiness for attacks.