The EU data privacy law, the famous GDPR, came into force on May 25, 2018 and applies to anyone who has customers or contacts in the EU.
We've put together the following guide to help you make your direct marketing GDPR-compliant.
- What is the General Data Protection Regulation (GDPR)?
- GDPR myths
- Common terms to understand the GDPR
- Features within the platform that help Data Controllers comply with GDPR requirements
- Checklist and pending tasks to comply with the GDPR
- GDPR FAQ
- B2B vs B2C consent/permission differences
1. What is the General Data Protection Regulation (GDPR)?
On May 25, 2018, the General Data Protection Regulation (GDPR) of the European Union came into force. GDPR is a privacy law that harmonizes and modernizes data protection requirements. The new rules have a broad definition of personal data and a wide scope, affecting any company that markets products or services to people in the EU. Among other things, the GDPR establishes enhanced rights for individuals, who can now ask companies to access, correct or delete their personal data and object to any future data collection.
We have updated tools, processes, and technologies to help our customers easily fulfill any request related to data stored on our platform.
2. GDPR myths
There is quite a bit of misinformation when it comes to GDPR. This section is dedicated to dispelling the most common myths.
Marketers need consent for everything
Marketers do not necessarily need consent for everything and this will depend on the nature of the data collection practices. There is some scope to rely on other bases for processing, such as legitimate interest, for certain marketing activities. Companies should work with their advisors to explore the best approach to support their marketing initiatives.
Marketers will need to obtain all new consents for their marketing database
GDPR changes the way brands obtain consent and may require some consents to be updated or refreshed. For example, if a brand's current consent practices meet or exceed the obligations outlined by the GDPR, changes to consent may not be needed. However, if a brand's consent practices do not meet the enhanced obligations, then those consents need to be reassessed and modernized.
GDPR dictates that data must remain in Europe
This is not true. GDPR requires that the privacy protections afforded to European data travel with it wherever it is transferred or accessed. Our servers and data are located in the EU.
GDPR only applies to European companies
GDPR is not only applicable to companies based in Europe. GDPR applies to any company, no matter where its headquarters are located, that offers goods and services or markets to people in the EU.
3. Common terms to understand the GDPR
ACCESS
Also known as the Subject Access Right or Right of Access, access entitles Data Subjects to obtain access to, and information about, the personal data a controller holds about them.
CONSENT
The consent given by Data Subjects to the processing of their personal data. Obtaining the appropriate consent is the responsibility of the Data Controller.
CORRECTION
Also known as the Right of Rectification, rectification is the right of Data Subjects to obtain from the Data Controllers the rectification of inaccurate personal data concerning them.
DELETION
Also known as data erasure or right to be forgotten, erasure entitles data subjects to have their personal data erased by the data controller. The right of Deletion or Right to be Forgotten will only be applicable if the legal relationship with your end customer allows it. In many cases, a contractual relationship and other legal requirements oblige the company and the Data Controller to keep the personal data registered for a certain period of time.
DATA SUBJECT
In the context of our Marketing Platform, data subjects are consumers, end users or contacts of our CRM. We will not receive requests directly from data subjects, but only from data controllers.
DATA CONTROLLER (YOU)
In the context of our Marketing Platform, data controllers are clients of our CRM. They own and control the data they hold about their consumers (data subjects).
DATA PROCESSOR (Our CRM)
Our Marketing Platform is a Data Processor. Our CRM processes data based on the permissions and agreements we have with our business customers (data controllers).
4. Features within the platform that help Data Controllers comply with GDPR requirements
The following four sets of features and technologies are available within your account to help your business be GDPR compliant.
4.1. Apply actions and update personal data to individual contacts or contact segments.
So that you, the Data Controller, can honour your contacts' Right to Rectification, Data Deletion or Right to be Forgotten, the Segments section of your account offers the following:
- Manually unsubscribe individual contacts or contact segments
- Update any data field (for example: Marketing Consent) of individual contacts or contact segments
- Delete individual contacts or contact segments from your database
- Download the personal data of individual contacts or contact segments in a machine-readable format
4.2. Email Preference Center.
By setting up your email preference center, you allow your contacts to:
- Choose the type of content they want to receive, and when they want to receive it. These options give you a second chance before they unsubscribe completely or are removed from your database.
- Access, review and download their information
- Request their Right of Rectification
- Request Data Deletion or Right to be Forgotten
4.3. Record and store consent using the "Consent Label" in your email templates and web forms.
Recording and storing your contacts' consents allows you to respond to any request from the regulator for this data.
- Find a guide on how to use the consent label in your email templates here.
- Find a guide on how to record consent using our web forms here.
4.4. API and SDK update to record and store consent.
Record and store your contacts' consents using our new API and SDK features.
5. Checklist and pending tasks to comply with the GDPR.
This checklist is intended to help you review the common implications of the GDPR regulation for your email marketing activities.
Note: The GDPR rules affect the way your company processes personal data in every area of its business; marketing communications are among the least affected by this regulation, since the EU e-Privacy rules and national data protection laws were already in force. We recommend that your company obtain legal advice on the specific implications for your business. Please note that this guide does not constitute legal advice.
5.1. Update your privacy policy and terms and conditions as per GDPR requirements. The most common necessary additions are:
- The rights of data subjects to access and modify their personal data
- Clear information about the use of personal data by your company for its commercial and marketing activities
- Information about the digital user-tracking technologies you use
See an example of an updated privacy policy here. Note: You may need legal advice to adequately cover the specific implications for your company, under the GDPR.
5.2. Make sure your website forms include the most up-to-date URLs to your privacy terms and conditions.
5.3. Check that the forms on your website do not have the consent/permission box checked.
5.4. Include the Opt Out/Unsubscribe link in all your communications.
5.5. Record and store your contacts' consent to receive your marketing communications.
5.6. Create a data protection email, for example dataprotection@yourcompany.com
5.7. Configure your email Preference Center to allow your contacts to exercise their Right of Access, and to ask the Data Controller (you) for their Right to Rectification, Data Deletion or Right to be Forgotten.
6. GDPR FAQ
Do I need to contact my existing subscribers to reinstate consent?
The short answer is no. Consent obtained prior to GDPR is ongoing (i.e. no renewed consent is required) as long as the prior conditions of the consent complied with the GDPR and the purpose of the consent has not changed for future purposes. However, this still needs to be reviewed, justified and impact assessed.
Do I need to add a double opt-in when adding new subscribers?
Once again, the short answer is no. There is no requirement under GDPR to have a double opt-in process. Double opt-in may not be a GDPR requirement, but in some cases we recommend it as a best practice. We recommend a double opt-in process or confirmation email when you collect new data, for example, new subscriptions to a website service.
Double opt-in is a simple process to implement. The usual process is that when you submit a data collection form, an automated email is sent to the submitted email address. Many marketers also often include a kind of thank you confirmation that the process is now complete. This can also be used to provide additional introductory information or to encourage new subscribers to visit the brand's website.
It is not necessary to always use double opt-in: for example, when you are collecting additional data from existing subscribers (updating preferences or collecting additional profile information), it is not needed. Double opt-in adds another step to the process, and that step is a point where interest and opportunity can potentially be lost.
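As an added illustration (not code from the platform or its API), here is the server side of the double opt-in process described above, together with the form checks from checklist items 5.2, 5.3 and 5.5: the consent box must have been ticked by the contact, the submission references the privacy-policy version shown, the confirmation link carries an HMAC-signed token bound to the address, purpose and issue time, and a successful confirmation produces the consent record a controller keeps as evidence. The signing key, the 48-hour expiry, the field names and the sample values are all assumptions constructed for this example.

```python
"""Double opt-in with a signed confirmation token and a consent evidence record (example code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumption: server-side secret used to sign confirmation tokens (constructed for this example;
# a real deployment keeps it out of source control and rotates it).
SIGNING_KEY = b"example-only-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after two days (example choice)


def validate_signup_form(form: dict) -> Optional[str]:
    """Server-side check for a sign-up form submission.
    A browser omits an unticked checkbox entirely, so 'on' is only present when the contact
    ticked the box themselves; a pre-ticked box never counts as a clear affirmative action here.
    Returns an error string, or None when the submission is acceptable."""
    if form.get("marketing_consent") != "on":
        return "consent not given"
    if not form.get("privacy_policy_version"):
        return "privacy policy version missing"
    if "@" not in form.get("email", ""):
        return "invalid email"
    return None


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_confirmation_token(email: str, purpose: str, issued_at: int) -> str:
    """Step 1: the form passed validation; build the token embedded in the confirmation email.
    Binding address, purpose and issue time into the signed payload means the link cannot be
    replayed for another address or purpose, and cannot be confirmed after it expires."""
    payload = json.dumps(
        {"email": email.strip().lower(), "purpose": purpose, "iat": issued_at},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    return payload.hex() + "." + _sign(payload)


@dataclass
class ConsentRecord:
    """The evidence a Data Controller keeps to answer a regulator's request (fields assumed)."""
    email: str
    purpose: str
    consent_text_version: str   # which wording of the consent statement was shown
    source: str                 # where the consent was collected, e.g. "web-form"
    requested_at: int           # form submission time (Unix seconds)
    confirmed_at: int           # confirmation-link click time (Unix seconds)
    confirmation_ip: str        # address that clicked the link


def confirm(token: str, now: int, consent_text_version: str,
            source: str, ip: str) -> Optional[ConsentRecord]:
    """Step 2: the contact clicked the link. Verify signature and expiry, then return the
    consent record; None means the token is malformed, forged or expired."""
    try:
        hex_payload, sig = token.split(".", 1)
        payload = bytes.fromhex(hex_payload)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(payload)
    if now - data["iat"] > TOKEN_TTL_SECONDS:
        return None
    return ConsentRecord(
        email=data["email"], purpose=data["purpose"],
        consent_text_version=consent_text_version, source=source,
        requested_at=data["iat"], confirmed_at=now, confirmation_ip=ip,
    )


if __name__ == "__main__":
    # Constructed sample submission, not real data.
    form = {"email": "Alice@Example.com", "marketing_consent": "on",
            "privacy_policy_version": "2018-05"}
    assert validate_signup_form(form) is None
    tok = issue_confirmation_token(form["email"], "newsletter", 1_700_000_000)
    print(confirm(tok, 1_700_000_100, form["privacy_policy_version"], "web-form", "203.0.113.5"))
```

The record is what answers the regulator's question "when, how and to what did this person agree"; the token check is what stops a confirmation from being fabricated without a click on the emailed link.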
Can I send emails to my clients without consent?
The 'fair use' scenario builds on previous definitions of 'legitimate interest' and allows processing where there is no specific consent. In this sense, it is similar to the current 'soft opt-in'. GDPR requires a clear relationship, genuine mutual interest, a balance of interests, expected and proper processing, and no infringement of the rights and freedoms of the individual.
Is direct marketing a legitimate scenario?
GDPR specifically references direct marketing as a possible scenario for fair use, provided the conditions outlined above are met. The specific inclusion of this clarification has been well received by companies and marketing organizations.
What else is a legitimate scenario?
Contractual refers to data processing that is required or directly related to the performance of an existing contract between the company and the individual. The proper processing of data for this purpose is lawful without additional specific consent.
What are the main individual rights and freedoms of people also known as Data Subjects?
ACCESS
Also known as the Subject Access Right or Right of Access, access entitles Data Subjects to obtain access to, and information about, the personal data a controller holds about them.
CONSENT
The consent given by Data Subjects to the processing of their personal data. Obtaining the appropriate consent is the responsibility of the Data Controller.
CORRECTION
Also known as the Right of Rectification, rectification is the right of Data Subjects to obtain from the Data Controllers the rectification of inaccurate personal data concerning them.
DELETION
Also known as data erasure or right to be forgotten, erasure entitles data subjects to have their personal data erased by the data controller. The right of Deletion or Right to be Forgotten will only be applicable if the legal relationship with your end customer allows it. In many cases, a contractual relationship and other legal requirements oblige the company and the Data Controller to keep the personal data registered for a certain period of time.
Has the principle of consent changed?
Although the principle of "consent" has remained largely unchanged, the GDPR further clarifies what constitutes consent and how it can be obtained and used. These clarifications tighten the definition, but remain largely in line with any existing best-practice 'permission marketing' strategy.
How is consent now defined?
The GDPR requires that consent be a clear and affirmative opt-in action, freely given with the data subject's full knowledge of the intended purpose of the processing. It may not be implied, assumed, bundled or otherwise tied to something else, and it applies only to the specifically identified purpose.
Who are the data subjects?
In the context of our Marketing Platform, Data Subjects are consumers, end users or contacts of our customers. We will not receive requests directly from data subjects, but only from data controllers.
Who are the data controllers?
In the context of our Marketing Platform, data controllers are clients of our CRM. They own and control the data they hold about their consumers (data subjects).
Who are the data processors?
Our CRM is a Data Processor. Our CRM processes data based on the permissions and agreements we have with our business customers (data controllers).
Do I need a specialist?
Companies that process data on a large scale or as a systematic part of their activity are required to appoint a Data Protection Officer (DPO). The DPO is responsible for compliance and for liaison with the local Supervisory Authority (SA), also known as the Data Protection Authority (DPA).
What is GDPR?
GDPR is the General Data Protection Regulation (officially Regulation (EU) 2016/679). Although it has new aspects, it is not fundamentally new; it represents the latest evolution of privacy and data protection regulation in Europe. It replaces the EU Data Protection Directive (95/46/EC, known as the DPD) from 1995 and sits alongside the EU e-Privacy Directive (2002/58/EC and 2009/136/EC) from 2002 and 2009.
What is the current law?
As EU 'Directives', the current DPD and e-Privacy translate into various laws at national level.
Is GDPR the new law?
Yes. Harmonizing fragmented laws and easing the legislative burden on individual member states is one of the goals of GDPR. Unlike the previous 'Directives', the GDPR is a 'Regulation' and does not need separate national legislation to become law in each member state.
Why is it necessary?
The 1995 Data Protection Directive reform was proposed in 2012 to address significant changes in the way personal data is now available, collected and used and to reflect the changing nature of the EU and its individual member states.
Is it about marketing?
GDPR is not fundamentally about marketing or email. It is a wide-ranging policy regarding the privacy and protection of EU individuals, specifically relating to how personal data about them may be collected, stored and used. GDPR refers to these uses as 'processing'.
Who does it apply to?
The GDPR applies equally across all sizes of companies, public authorities and all industry sectors. It applies to any company located in the EU and also to companies located outside the EU that process personal data of EU individuals.
Does it make things more difficult?
It is not intended to be restrictive for those acting in good faith. As a stated goal, the GDPR is meant to help and guide those with legitimate business interests, while making it easier to identify, and punish more severely, those who deliberately or systematically avoid compliance.
What are the key principles?
In addition to privacy and protection, the GDPR is based on several fundamental principles: processing of personal data only under specific consent or other legal conditions, a balance of interests between companies and individuals, and an overall environment of fairness, appropriateness, and transparency.
What is personal data?
GDPR only applies to "personal data", that is, data that can or could identify an individual person (the data subject). Personal data includes the familiar elements such as name, email address, etc., and the regulation also introduces new definitions for biometric and genetic identification data. It also covers encrypted data and 'online identifiers' such as cookies.
When is processing lawful?
GDPR defines six scenarios for the lawful processing of personal data: legal obligation, public interest, vital interest, contractual, fair use (legitimate interest) and consent. Of these, contractual, fair use and consent are the most significant for most email marketers.
7. B2B vs B2C consent/permission differences
While B2C contacts require a consent and permission record, do I need a double opt-in or new consent for B2B email marketing?
The short answer is no: you do not need to re-obtain consent or request a double opt-in from those contacts who have a legitimate interest in your business. Direct marketing is recognized as a legitimate interest according to recital 47 of the GDPR and is considered a legal basis for data processing. This means that the GDPR differs from the existing Data Protection Law with respect to B2B, and the main requirements are to identify yourself as the sender and provide a clear and easy way for the recipient to opt out.
Can an email be sent to a person's business email address without prior consent?
Yes, provided you give the option to unsubscribe from the first communication onward. The ICO, which is responsible for upholding GDPR in the UK, says this in its direct marketing guidance: "The rules around consent, soft opt-in and the right to opt-out do not apply to direct marketing emails sent to 'corporate subscribers'. ... The only requirement is that the sender identifies himself and provides contact details."
Furthermore, the ICO direct marketing checklist reveals that as long as “individual employees can opt out”, you can send them an email, without a confirmed subscription.