EU’s new data privacy law, the very famous GDPR, goes into effect on May 25, 2018 and applies to anyone who has customers or contacts in the EU.
We have prepared the following guide to help you make your direct marketing GDPR bulletproof.
- What is the General Data Protection Regulation, or GDPR?
- GDPR Myths.
- Common Terms for understanding GDPR.
- New functionalities within the PUSHTech platform which help´s Data Controllers meet GDPR requirements.
- Checklist and TO-DOs for your GDPR compliance.
- FAQs GDPR
- B2B vs B2C Consent / Permission differences.
1. What is General Data Protection Regulation, or GDPR?
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. GDPR is a privacy law that harmonizes and modernizes data protection requirements. The new rules have a broad definition of personal data and a wide reach, affecting any company that markets products or services to individuals in the EU. Among other things, GDPR provides for enhanced rights of individuals, who can now ask companies to access, correct or delete their personal data, and object to any future data collection.
PUSHTech has updated tools, processes, and technologies to help our customers easily fulfill any requests regarding data stored in our PUSHTech platform.
2. GDPR Myths.
There’s quite a bit of misinformation when it comes to GDPR. This point is dedicated to debunking the myths.
Marketers need consent for everything.
Marketers don’t necessarily need consent for everything and this will depend on the nature of the data collection practices. There is some scope to rely on other bases for processing, like legitimate interest, for certain marketing activities. Companies should work with their counsel to explore the best approach to support their marketing initiatives.
Marketers will need to get all new consents for their marketing database.
GDPR changes how brands obtain consent and may require some consents to be refreshed or updated. For instance, if a brand’s current consent practices meet or exceed the obligations outlined by GDPR then no changes to consent may be needed. However, if a brand’s consent practices fall short of the enhanced obligations, then those consents should be reevaluated and modernized.
GDPR dictates that data must stay in Europe.
Not true. GDPR requires that the privacy protections afforded to European data flow with it wherever is transferred or accessed. PUSHTech servers and data are based in the EU.
GDPR only applies to European companies.
GDPR is not only applicable to companies based in Europe. GDPR it applies to any company, no matter where its headquarters are, that offers goods and services or markets to individuals in the EU.
3. Common Terms for understanding GDPR.
ACCESS
Also known as Subject Access Right or Right to Access, access entitles the Data Subjects to have access to, and information about, the personal data that a controller has concerning them.
CONSENT
Signifies the agreement by the Data Subjects to the processing of their personal data. Obtaining appropriate consent is the responsibility of the Data Controller.
CORRECTION
Also known as Right to Rectification, correction is the right of Data Subjects to obtain from Data Controllers the rectification of inaccurate personal data concerning them.
DELETE
Also known as Data Erasure or Right to be Forgotten, delete entitles the Data Subjects to have the Data Controller erase their personal data. The right of Erasure or Right to be Forgotten will be only applicable if the legal relationship with your end customer allows it. In many cases, a contractual relationship and other legal requirements enforce business and Data Controller to maintain the personal data registered for an specific time.
DATA SUBJECT
In the context of PUSHTech Marketing Platform, Data Subjects are PUSHTech’s customers’ consumers, end users or contacts. PUSHTech will not be receiving requests directly from Data Subjects, but rather only from Data Controllers.
DATA CONTROLLER (YOU)
In the context of PUSHTech Marketing Platform, Data Controllers are PUSHTech’s customers. They own and control the data they house on their consumers (Data Subjects).
DATA PROCESSOR (PUSHTech)
PUSHTech Marketing Platform is a Data Processor. PUSHTech processes data based on the permissions and agreements we have with our enterprise customers (Data Controllers).
4. New functionalities within the PUSHTech platform which help´s Data Controllers meet GDPR requirements.
Listed below from 1 to 4, a set of new functionalities and technologies are available within your PUSHTech account, in order for your company to meet GDPR requirements.
4.1. Apply actions and update personal data to individual contacts or segments of contacts.
In order for you the “Data Controller”, to be able to fulfil your customers Right to Rectification, Data Erasure or Right to be Forgotten; please find the following functionalities on the Segments section of your PUSHTech account:
- Manually unsubscribe individual contacts or segment of contacts.
- Update any data parameters (for example: Marketing Consent) of your individual contacts or segments of contacts.
- Delete individuals or segments of contacts from your database.
- Download personal data of individual contacts or segment of contacts in a machine-readable format.
GDPR ready?: This functionalities gives you the ability to fulfil your contacts or “data subjects” as per GDPR definition, requesting their Right to Rectification, Data Erasure or Right to be Forgotten, under GDPR regulation.
Find here more information about this functionality.
4.2. Email Preference Center.
By setting up your email preference center you will allow your contacts to:
- Choose the type of content they want to receive, as well as when they want to receive it. This options will give you a second opportunity before they completely opt out or unsubscribe from your database.
- Access, review and download their information.
- Request their Right to Rectification.
- Request their Data Erasure or Right to be Forgotten.
GDPR ready?: This functionality completely fulfils your contacts or “data subjects”, Right to Access as well as allows them to request to the Data Controller (you) their Right to Rectification, Data Erasure or Right to be Forgotten.
Find here a how to guide for setting up your Preference Center and your Data Protection Email.
4.3. Record and store consent using PUSHTech “Consent Tag” on your email templates and web forms.
Recording and storing your contacts consents will allow you to answer any regulator request asking for this data.
Find here a how to guide for using the Consent Tag on your email templates.
Find here a how to guide for recording consent using PUSHTech web forms.
4.4. API & SDK update for recording and storing consent.
Record and store your contacts consents using our new API and SDK functionalities.
5. Checklist and TO-DOs for your GDPR compliance.
This checklist is meant to help you review the common implications of the GDPR regulation, for your email marketing activities.
Note: GDPR rules affects how your company process personal data in every area of your business, while marketing communications are the less affected by this new regulation (as E-privacy in the EU or national data protection regulations were already effective), we recommend that your company receives legal counsel regarding specific implications for your company. Please note that this guide does not constitute legal advice.
5.1. Update your privacy policy and terms and conditions as per GDPR requirements. The most common necesary adittions are:
A. Including the rights of the data subjects for accessing and modifying their personal data.
B. Clear information about your company use of personal data for your business and marketing activities.
C. Information about your digital user tracking technologies.
See here an example of an updated privacy policy. Note: You might need legal advice to properly cover specific implications for your company, under GDPR framework.
5.2. Make sure that your website forms include your updated privacy terms and conditions URLs.
5.3. Review that your website forms don’t have the checkbox of consent / permission pre-checked.
5.4. Include in all your communications the Opt Out / Unsubscribe link.
5.5. Record and store your contacts consent for receiving your marketing communications.
5.6. Create a data protection email for example dataprotection@yourcompany.com
5.7. Setup your email Preference Center for allowing the Right to Access as well as allows them to request to the Data Controller (you) their Right to Rectification, Data Erasure or Right to be Forgotten.
6. FAQs, Frequently Asked Questions GDPR.
Do I need to contact my existing subscribers to re-establish consent?
The short answer is NO. Consent obtained before GDPR is continuous (i.e. renewed consent is not required) provided the previous conditions of consent themselves were GDPR compliant and the purpose of consent has not changed for future intentions. However this must still be reviewed, justified and the impact assessed.
Do I need to add a double-opt when adding new subscribers?
Again the short answer is no. There’s no requirement under GDPR to have a double opt-in process. Double opt-in may not be a GDPR requirement but in some cases we do recommend it as a Permission Marketing best practice. We recommend a double-opt in process or a confirmation email when you are collecting new data – for example, new subscriptions from a website service.
Double opt-in is a simple process to implement. The usual process is that on submission of a data collection form an automated email is sent to the submitted email address. Many marketers also include often a thank you type of confirmation that the process is now complete. This can also be used to supply additional introductory information or to encourage the new subscribers onwards to the brand website.
There is no need for always using double-opt in. For example if you are collecting additional data from existing subscribers (updating preferences or collecting additional profile information). Double-opt in does add another step to the process and this potentially introduces an additional point at which interest and opportunity might be lost.
Can I email my customers without consent?
The scenario of ‘legitimate use’ builds on previous definitions of ‘legitimate interest’ and allows a scenario for processing where specific consent is not specifically in place. In this respect it’s similar to the current ‘soft opt-in’. GDPR requires a clear relationship, genuine mutual interest, balance of interests, expected and appropriate processing and without infringement of individual rights and freedoms of the individual.
Is direct marketing a legitimate scenario?
GDPR specifically references direct marketing as a possible scenario for legitimate use, provided that the conditions described above are met. The specific inclusion of this clarification has been welcomed by businesses and marketing organisations.
What else is a legitimate scenario?
Contractual refers to data processing which is required or directly relates to the fulfilment of an existing contract between the business and individual. The (appropriate) processing of data for this purpose is lawful without further specific consent.
Which are the main individual rights and freedoms of the individuals also known as Data Subjects?
ACCESS
Also known as Subject Access Right or Right to Access, access entitles the Data Subjects to have access to, and information about, the personal data that a controller has concerning them.
CONSENT
Signifies the agreement by the Data Subjects to the processing of their personal data. Obtaining appropriate consent is the responsibility of the Data Controller.
CORRECTION
Also known as Right to Rectification, correction is the right of Data Subjects to obtain from Data Controllers the rectification of inaccurate personal data concerning them.
DELETE
Also known as Data Erasure or Right to be Forgotten, delete entitles the Data Subjects to have the Data Controller erase their personal data. The right of Erasure or Right to be Forgotten will be only applicable if the legal relationship with your end customer allows it. In many cases, a contractual relationship and other legal requirements enforce business and Data Controller to maintain the personal data registered for an specific time.
Has the principle of consent changed?
Although the principle of ‘consent’ is largely unchanged, GDPR introduces better clarification regarding what constitutes consent and how it might be obtained and used. These tighten the definition but they are still largely in line with any existing good-practice ‘permission marketing’ strategy.
How is consent now defined?
GDPR requires that consent must be a clear and affirmative opt-in action, freely given with full knowledge of owner and intended purpose of processing. It can’t be implied, assumed, bundled or otherwise connected and only applies for a specifically identified purpose.
Who Are The Data Subjects?
In the context of PUSHTech Marketing Platform, Data Subjects are PUSHTech’s customers’ consumers, end users or contacts. PUSHTech will not be receiving requests directly from Data Subjects, but rather only from Data Controllers.
Who Are The Data Controller?
In the context of PUSHTech Marketing Platform, Data Controllers are PUSHTech’s customers. They own and control the data they house on their consumers (Data Subjects).
Who Are The Data Processor?
PUSHTech Marketing Platform is a Data Processor. PUSHTech processes data based on the permissions and agreements we have with our enterprise customers (Data Controllers).
Do I need a specialist?
Those businesses either processing data on a large scale or as a systematic course of their activity are required to appoint a Data Protection Officer (DPO). The DPO is responsible for compliance and liaison with the local Supervisory Authority (SA) (also known as the Data Protection Authority (DPA).
What is GDPR?
GDPR is the General Data Protection Regulations (officially (EU) 2016/679). Although it has new aspects it is not fundamentally new. It represents the latest evolution of regulations on data privacy and protection in Europe. It replaces the current EU Data Protection Directive (95/46/EC, known as DPD) of 1995 and sits alongside the EU e-Privacy Directive (2002/58/EC and 2009/136/EC) of 2002 and 2009.
What is the current law?
As EU ‘Directives’ the current DPD and e-Privacy are translated into various national level laws.
Is GDPR the new law?
Yes. Harmonising fragmented laws and relieving the legislative burden on individual member states is one of the objectives of GDPR. Unlike previous ‘Directives’, as a ‘Regulation’ GDPR does not need separate national level legislation in order to become law in each member state.
Why is it needed?
The reform of the 1995 Data Protection Directive was proposed in 2012 in order to address significant changes in the way personal data is now available, collected and used and to reflect the changing nature of the EU and its individual member states.
Is it about marketing?
GDPR is not fundamentally about marketing or email. It is a wide ranging policy regarding the privacy and protection of EU individuals, specifically relating to how personal data about them might be collected, stored and used. GDPR refers to these uses as ‘processing’.
Who does it apply to?
GDPR is applicable equally across all sizes of business, public authorities and all industry sectors. It applies to any business located in the EU and also to businesses located outside of the EU who are processing the personal data of EU individuals.
Does it make things harder?
It’s not meant to be restrictive to good people. As a defined objective GDPR intends to help and guide those with legitimate business interests, but also to more easily identify and more severely penalise those who deliberately or consistently avoid compliance.
What are the key principles?
Apart from privacy and protection GDPR is based on several fundamental principles, eg. processing of personal data only under specific consent or other lawful conditions, a balance of interests between businesses and individuals and an overall environment of fairness, appropriateness and transparency.
What is Personal Data?
GDPR only applies to ‘personal data’ i.e. data which can or could identify an individual person (the data subject). Personal data includes previous items like name, email address etc and also introduces new definitions for biometric and genetic identifying data. It also includes encrypted data and ‘online identifiers’ like cookies.
When is processing lawful?
GDPR defines 6 scenarios for the lawful processing of personal data – these are legal obligation, public interest, vital interest, contractual, legitimate use and consent. Of these, contractual, legitimate use and consent are the most significant for most email marketers.
7. B2B vs B2C Consent / Permission differences.
While for B2C contacts record of consent and permission is necessary, do I need double opting or re-consent for b2b email marketing?
The short answer is not, you don’t need regain your consent or ask for a double optin for those contacts that have a legitimate interest on your business. Direct marketing is recognised as a legitimate interest under Recital 47 of the GDPR and is deemed a legal basis for processing the data. This effectively means that GDPR defers to the existing Data Protection Act in respect of B2B, with the principal requirements being to identify yourself as the sender and to provide a clear and easy way for the recipient to opt-out.
Can send an email to an individual’s business email address without prior consent?
Yes, always giving the opt out option from your first communication. The ICO, which is responsible for upholding GDPR in the UK, say this in its direct marketing guidance: “The rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ …… The only requirement is that the sender must identify itself and provide contact details.”
Furthermore, the ICO’s direct marketing checklist reveals that as long as “individual employees can opt out” than you can email them, without a confirmed opt-in.