MailChimp – GDPR Compliance

MailChimp Logo
MailChimp Logo

So it’s time to start buckling down for GDPR, the countdown starts today. In doing so, Wittin is starting with MailChimp. This is our largest collection of personal data that requires having consent monitored. Now I’ve mentioned before that I’m not a lawyer, I have had to pay a few in my day though. So if I was a lawyer I wouldn’t have had to create Wittin, I’d just sit around in a hot tub filled with money eating Philly steak sandwiches. But life is not always kind to us tormented geniuses.

So let’s tackle GDPR MailChimp style today. MC has pulled together a bit of instruction for those that need a hand, and I noticed that it seemed a bit long in the tooth: So here goes my, at times slightly nit-picky, response.

MailChimp’s Notes – The Bad

The first sentence in and they frame that if you are a business based in the EU or you process personal data of EU citizens then GDPR affects you. I think the first mistake here is just bad grammar (I’m definitely not one to criticise here). It doesn’t affect all EU businesses willy-nilly, only if said business processes personal data. That’s being pedantic, but if you’d think anyone would have gotten this right it would have been MC.

The next issue they miss is that GDPR does not just apply to processing the personal data of EU Citizens. It actually applies to any natural person (data subject) in the EU. So, residents count. American’s on holiday count. Someone who was shipwrecked in international waters clung on to a piece of flotsam and was carried by the North Atlantic Current into EU territory counts as well.

So small hiccup aside we move into what MC is going to do to help us maintain specific informed consent and allow us to explain what dastardly things we are going to do with people’s personal data.

MailChimp’s Notes – The Good

This is where MailChimp exceeds expectations, you quickly run into a ‘Before You Start’ section and the first item in the list states, “Enabling GDPR fields on your signup forms does not make you compliant.” For everyone looking for the quick WordPress plugin they can set up to become compliant much like the good ol’ days of cookie consent is going to be very disappointed. And by extension don’t pay £50 for a WordPress extension that says they will make you compliant, they can’t and it won’t.

Also on that list, we see the now obligatory disclaimer that they are not lawyers. I don’t know if I’ve missed this in other big regulation changes in the past, but this seems particularly in line with the uncertainty that surrounds GDPR. The lack of definition we have here in the UK about how we are going to implement GDPR is particularly worrying, but we are not alone. The best list I could find was published at the end of January of this year and only shows Austria, Germany and Spain as having passed legislation in line with GDPR requirements.

I don’t want to alarm anyone, but I wonder if the ICO can fine the UK government for non-compliance with GDPR. Total revenue for the UK was £716 billion in 2016 so 4% of that would be £28.6 billion. We spend that on transportation or social care. If that fine could actually be levied the janitors and the tea ladies in the ICO office would be rolling up in personal Harrier jets wearing more bling than Flavor Flav. I digress.

Process in a Nutshell

After that MailChimp goes through the process of capturing and maintaining consent. And as it turns out is as simple as you’d think it would be. If you have a list of contacts in it you need to create a list segment. Label the segment so that you know it is for people you can contact. Then any signup form you use can be lined up with explicit consent putting new contacts into this segment. As for the old contacts already on the list you need to send out an email (much like we’ve seen everyone doing these last few weeks) and ask them to update their settings. Then going forward your marketing campaigns need to go to the segment of the list that has agreed to be contacted.

From their MailChimp’s tutorial of pulling everything together is fairly intuitive. I mean I mucked it up a bit, but I got there in the end. Absolutely brilliant.

Previous articlePlain Spoken GDPR – Chapter 11 or The Final Solution
Next articleStirling Council – Waste Services Case Study
Born into the wilds of mid-western America, Matthew has lived his life creating. The kind of kid that bought a tarp, some PVC pipe and a skate board; fashioned himself a windsurfing set-up and then saw an opportunity in a local tornado. "Sorry Mom." Undergraduate in Art and Design, Doctorate in Scottish History, Matthew came late to the realisation that if he's going to use his diverse skill set he'd have to employ himself.