Disclaimer: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.
GDPR: What is it and when does it go into effect?
GDPR (or, the General Data Protection Regulation) is the European Union’s new privacy law regulating the privacy and security of personal data of individuals in the EU. It goes into effect May 25, 2018. Just to make sure this is absolutely clear: YES, the GDPR applies to you if you collect, record, organize, store, or perform any operations on data relating to an individual in the EU — even if you are located outside of the EU.
Will GDPR affect your email marketing program?
Yes, but first, some definitions: The GDPR is looking to add accountability to the practices of data controllers and processors A controller is the one who “determines the purposes and means of the processing of personal data” (that’s you, and possibly us). A processor is one who “processes personal data on behalf of the controller” (that’s us when you send Delivra mails) While there are other options for lawful data collection and processing, for marketers, consent will be the strongest and the most familiar. What does that mean for your email marketing strategies? While a lot will remain the same, there are some GDPR considerations you’ll want to take. We strongly recommend consulting with your legal team, general counsel, and/or a privacy professional to fully understand your GDPR obligations, but we’ve included some best practices and tips we think are valuable:
Review and update your signup forms
We’ve built a Trust Center to provide more info and detail about consent as it relates to the GDPR. The regulation clearly defines how consent can and, equally important, cannot be given. As marketers, we’re used to using the term “explicit” in regards to consent, but GDPR outlines a set of informed consent to reinforce data subject’s (your subscribers) rights, and places specific obligations on the controller. As we get closer to the May 25, 2018 GDPR compliance date, now is the perfect time to review how you’ve received consent in the past, and how you’re going to get it in the future per GDPR’s requirements. Realistically, this will just means adding a few more items to your to-dos:
- Evaluate how you’ve gotten consent for existing subscribers. You won’t have to re-ask for their consent if it was originally given in a GDPR-compliant manner.
- Review your signup/subscription forms to make sure any new information collected about a subscriber is GDPR-compliant.
Evaluate and update your privacy notices
- Make sure your privacy notices aren’t lengthy, difficult to understand, or hidden
- Be transparent, intelligible, and concise with all info regarding to processing activities using clear and plain language
- All personal data processing activities processed by you and any third parties on your behalf should be clearly defined
Create a formal system to respond to your subscribers requests
Data subjects (your subscribers, as they relate to your use of Delivra) also have the right to: the deletion, correction, and portability of their data; and the right to restrict (or entirely revoke) consent for processing of their data. This also includes being able to object to automated systems in place based on their personal data.
Given that right, you’ll need to operationalize a system to both respond to and address their requests to exercise these rights.
- Make it easy and clear for them to exercise their rights as a data subject. Make sure instructions for the process are where they’re expected to be and that the mechanism to make the request is easy to use and does not require special knowledge beyond that needed to verify the request.
- As the data controller, you’ll want a way to confirm the identity of the requester so that you’re not disseminating personal data to the wrong person or an illegitimate request.
- Responses should be timely and accurate.
- There could be lawful grounds that prevent you from modifying or deleting, in part or whole, the record. Consider these carefully and fully document your reasoning.
- Communication back to your data subjects should be clear and unambiguous.
- Deliver their data in a common, readable, and portable format, in case they want to store that data elsewhere for their own purposes.
- Fulfill that request within one month (though there are allowances for additional time under certain circumstances).
- All steps in the above process should be documented.
Keep records of Data Processing
Just like with any sensitive and valuable information, save a record of your signup forms, data collection mechanisms, and processing activities. This could be taking a screenshot, saving the underlying code, a PDF, and/or use-case description of any data collection mechanism you’re currently using or use in the future. These records could also help you prove the nature of consent between you and your subscribers. Again, these tips we’ve listed are not meant to be legal advice, and are not a comprehensive standard in making your email marketing efforts GDPR-compliant.
Delivra’s GDPR-compliant changes.
At Delivra, we are pursuing GDPR-compliance by May 25, 2018. What this means is we’re implementing robust GDPR training of all of our employees, managers, and executives, and are currently building GDPR-compliant features to the platform to make sure you’re able to comply with your obligations as a controller of your subscriber’s personal data. We will be GDPR-compliant ahead of the May 25, 2018 effective date. We’ve been hard at work giving thorough GDPR and privacy training to all of our employees, managers, and exec team. And we’re currently adding GDPR-compliant changes into the Delivra platform that ensure you’re able to fulfill your obligations as a controller of your subscriber’s personal data.
- Privacy by design: To ensure that data privacy principles are taken into account during the earliest stages of feature and product development, we’re implementing internal guidelines and training to our product and engineering teams on GDPR.
- Data subject’s rights: We’re updating the Delivra platform with product changes that help you fulfill that subscriber’s request to exercise their rights, for example, of erasure or rectification, in a timely manner. Stay tuned for more details as these features get released.
- Security measures: We are auditing and documenting all of our current security measures and practices, and where security measures can be further strengthened, our team is working quickly to implement updated security measures before May 25, 2018 to ensure appropriate technical and organizational measures are in place for the safeguarding of personal data. We are also re-evaluating all of our sub-processors to ensure they have adequate security measures in place for the onward processing of any personal data processed by them.