Let’s talk about GDPR

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) was adopted 27 April 2016 and will enter into application on 25 May 2018, giving organisations a two-year transition period.

Wait – what’s going on?

The General Data Protection Regulation is the new set of laws that governs both how you communicate, interact with and store prospect and customer data for any of the 750 MILLION people and 1 BILLION email accounts that are associated with European member states.

Or email marketing armageddon.

Or is it? What has everyone got so fussed about?

Well first let’s define everyone… Because people aren’t nearly as worried about this as they should be.

Last year we did a google search for General Data Protection Regulation (GDPR) and some of the most common Marketing platforms (Hubspot, Infusionsoft, Salesforce, Ontraport, Mailchimp, Active Campaign, Aweber, Drip, ConvertKit, Agile CRM) and NONE of them had any resources preparing their customers for the upcoming deadline on 25th May 2018 (that came up on the first page anyway). Infusionsoft has a page that tells you a little bit about its commitment to data protection, but not what GDPR actually is…

So if you still have no idea what I’m talking about, I am not surprised!

Getting into it, let’s talk about what this actually is:

Currently, the way you communicate with people in America via email is governed by CANSPAM, in Canada by CASL, and in the European Union, by the Directive on Privacy and Electronic Communication (also known as the EU E-Privacy Directive). Catchy title guys!

That’s going to be changing. As of 25 May 2018, The General Data Protection Regulation (GDPR) will come into force, replacing the EU E-Privacy Directive. And it’s bigger and scarier, with even harsher penalties than both CANSPAM and CASL combined.

So why is the EU upsetting the apple cart when it’s been trundling along so nicely with the EU E-Privacy Directive?

Partly because it’s seriously outmoded security wise.

Mainly because the E-Privacy thing is a Directive. It outlines goals that each of the 28 EU member states (the UK included for the time being) should adhere to. Each of those states then interprets the Directive differently, and so the result is: Different email laws for each of the 28 EU member states.

That’s a nightmare to manage and adhere to.

GDPR is the answer to this mess. And as GDPR is a regulation, not a directive, it has binding legal force.

Here’s what the EU has to say:

​The objective of this new set of rules is to give citizens back control over of their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.

Everyone has the right to the protection of personal data.

Therefore, common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU.

The result is one of the strictest regulations to ever come into force with some of the heaviest penalties ever seen.

And it’s coming straight at you.

So why is this so scary? I mean what’s the big deal?

What it means:

The big change is on protecting the rights of individuals with relation to their personal data:

” …everyone has the right to the protection of personal data concerning him or her”

This means new rights given with relation to the following:

  • The right to be forgotten
    • you will have to delete all the data of an individual requesting this.
  • The right to object
    • individuals can say no to certain data use such as profiling for marketing purposes.
  • The right to rectification
    • individuals can have incomplete data completed.
  • The right of access
    • individuals will have the right to know what data is being processed and how.

And the right to data portability

The word you need to take home from all of the above is TRANSPARENCY.

The laws are affording people the right to know what you’re up to with their personal data.

Is that really a bad thing?

Absolutely not. After all, this relates to you too.

So what’s the big deal then?

Well it’s how personal data is defined, and what you have to do in order to first obtain that information (at the point of opt-in), how you can store that information, what you’re allowed to do with it, and what penalties you face if you don’t take this seriously (hint, 20 Million Euros in fines…)

FIRST – What is ‘personal data’?

GDPR has a very strict definition of personal data:

Any information that could be used, on its own or in conjunction with other data, to identify an individual.

This means that even a phone number stored on its own or a social media ID without an associated name or address may fall under the regulation and needs to be properly protected.

Then there comes the processing of data. Anything you do after you get someone to sign up is considered processing:

GDPR considers ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

And in order to do ANY of that, you need unambiguous, or explicit permission to do so. You need to tell your audience EXACTLY what you’re going to do with it.

Are you going to add them into an email campaign which tracks which links they click on? You need to tell them. Adding tags to email opens? You need to tell them. Tracking email opens? You need to tell them. Offering certain products based on behaviour? You need to tell them.

So yeah. Everything you do.

Now no need to panic – this is the sort of information that you can *easily* put in your terms and conditions. (there are sample terms and conditions that are GDPR compliant in the resources section at the bottom of this post).

The importance is that you have to get them to AGREE to your terms and conditions, and you have to have PROOF that they have done so.

And this is where everyone loses their minds.

The confusion has arisen from “unambiguous” and “explicit” consent or permission mentioned in the official regulation documentation.

It mentions that you have to have unambiguous permission for contact and processing purposes, and then later on that you have to have explicit consent.

Each of these is very different and mean very different things in the marketing world.

For example – explicit consent means double opting-in in the email marketing industry. And due to this terminology blip, there are a bunch of myths floating around.

Thankfully there has been some clarification on the matter:

“On the final outstanding issues that were discussed intrilogue, the following balance was achieved. The way in which consent is to be given by data subjects remains “unambiguous” for all processing of personal data, with the clarification that this requires a “clear affirmative action”, and that consent has to be “explicit” for sensitive data.

There you have it! The difference is in the TYPE of data.

If you are handling sensitive data, you need explicit consent to process that data (remember processing being anything really). If you are handling personal data you need unambiguous consent.

What does that even mean! The legalese is strong in this case, and I feel it’s going to trip up many many people. To help I found a great article from Field Fisher, Privacy, Security and Information Law Specialists:

“If someone says “Yes, I agree” or ticks an unchecked box to say “I consent”, they have indicated their consent through an affirmative action. Not only that, but they have done so through an explicit affirmative action – sufficient to satisfy the consent requirements for both ordinary personal data AND sensitive personal data processing.”1

GDPR clarifies that an affirmative action signalling consent may include checking a box on a website, ‘choosing technical settings for information society services,’ or ‘another statement or conduct’ that clearly indicates consent to the processing. ‘Silence, pre-ticked boxes, or inactivity,’ however, is not adequate.
– James Koons

The GDPR demands that the recipient is provided with adequate information on how their data will be used. For example, if you intend to profile someone’s data to determine what offers they receive, you must now tell your customer that is how you intend to use the data and give them the opportunity to object.
– Tim Roe

So there we go. You DON’T have to double-opt all your contacts in, but you DO HAVE to get them to agree to your terms and conditions, and be clear and transparent in those conditions, in easy to read information, as to what you will be doing with personal and sensitive information.

That is the biggest issue with the new regulations. Transparency and permission.

I really don’t think that’s a bad thing at all.

The bit that is really bothering me is this:

You have to get ALL your EXISTING data up to the new standards

GDPR also applies to all existing data.

If you currently have EU subscribers with permissions that are not up to the GDPR standards, and you can’t provide proof of it – you will NOT BE ABLE TO LEGALLY EMAIL THEM.

Not after May 25 2018.

There is no allowance for data captured before GDPR. Once the GDPR comes into play, if you don’t have sufficient consent, you won’t be able to legally process the data. It’s time to bring all of your customers’ data and business processes up to the correct standard.
– Tim Roe2

That’s the bit everyone should be worried about.

Then there is the next little bit:

New requirements for consent record keeping

Under the GDPR, the burden of proof that sufficient consent has been given lies with the company. This means that you will need to prove and show reasonable evidence that you have complied with the GDPR if you are challenged.
– Tim Roe

Storing consent forms is something that most data owners have never had to do before, but in the future, all forms will have to be presented if requested.
– James Koons

I suggest it would be sensible for marketers to include a screengrab of the page or app where the consent was obtained. That is something your platform is not likely supporting out of the box today.
– Andrew Bonar3

You need to prove that you have complied in case you are challenged. I like Andrew Bonar’s suggestion.

If you’re using Infusionsoft, when a contact fills out a webform this is tracked on the contacts record, along with what their opt-in status is.

What if I don’t want to do any of that stuff?

The penalties are really quite harsh:

Non-compliance with GDPR can lead to fines of up to €20 Million or 4% of a brand’s total global annual turnover (whichever is higher).

They will rely heavily on consumers to report breaches, and will likely focus their efforts on the most serious violations.4

Ignoring this really isn’t an option.

But BREXIT will save me, right?

Nope!

From the Cloud Lawyer:

The Secretary of State Karen Bradley MP recently confirmed that the UK Government will be opting in to the General Data Protection Regulation (see Q72) and the Information Commissioner has said “I see this as good news for the UK…The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.”
The Information Commissioner’s Office wants GDPR. In fact, it wants custodial sentences too for data breaches: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/01/information-commissioner-rep…5

All in all pretty serious! No avoiding this!

So what do you need to do?

You could just delete all your EU contacts before 25 May 2018…

But that’s silly. The legislation affects 750 million EU citizens and over 1 Billion email accountsDon’t shoot yourself in the foot by locking yourself out of those markets.

Your only real option is to bring your list(s) up to scratch with the GDPR standards.

As Litmus states:
If your program complies with GDPR, it’s likely that you’re compliant with other international email regulations as well.6

Get your strategy in place:

Here’s how we suggest you make sure you’re compliant:

1. Define how you opt contacts in

  • Check boxes accepting terms and conditions on all forms (NOT pre-checked)
    Add check boxes that a prospect has to accept your terms and conditions (with a link to those conditions) before the form can be submitted. This checks you for your unambiguous consent. However having the box pre-checked is in direct violation of the regulation! They have to tick the box themselves…

According to marketing tech news, the following statements should cover you (I’d still speak to a lawyer though!):

I would like to receive future communications from COMPANY. Privacy Policy. Cookie Policy. Terms & Conditions.

Sign me up for personalised emails from COMPANY. By signing up, I agree to company’s Privacy & Cookie Policy, as well as their Terms and Conditions.

I would like COMPANY to continue to send me relevant materials. You can withdraw your consent at any time.7

  • Clear terms and conditions, data protection and privacy policies, cookie policy and data retention policies
    You’ll need to overhaul your policies. I’d suggest going to a specialist lawyer for this. The information that is included in your policies needs to be very transparent as to how you intend to use the collected data. And it needs to be ineasily understandable language. This relates back to your checkbox, and is what is giving you permission to process their data.
  • Confirmations/double opt-ins
    Make double opting-in your contacts a standard policy. No email confirmation no entry sort of thing.This will check you for your explicit permission. And it doesn’t have to be the ugliest email someone has ever seen either. Personalise it, and make it a great user experience by customising your double opt-in emails.

2. Make sure you can prove the above

  • Define and document your processes
    If you have clearly documented processes it makes it much easier to prove you are compliant. We advocate documenting every campaign anyway as a standard business procedure! Get in touch with an expert if you don’t know where to start (contact us).
    Don’t forget to include records of your opt-in boxes into this process.

3.Strategise ways to get your existing data up to scratch

  • Double opt-in campaigns
    Bringing your existing data up to scratch doesn’t have to be hard. You simply have to get your existing contact list to double opt-in.You can do that by running prize draw campaigns, or offering up leadmagnets to your existing list in exchange for a double opt-in. As long as you provide value, your list will not mind reaffirming their consent with you.

This will do two things:
1. Get you CDPR compliant
2. Re-engage your existing list

Use this as an opportunity to cleanse your list, increase your engagement and make some money!

4. Make sure your Data Handling and Processing is GDPR compliant

In other words, make sure your data storage and use are acceptable. The big key here is security. Where is your data stored? Who has access to that?

Here is a handy list of checkpoints for this from Cyber Council:

  • What personal data do you hold?
  • Where is the data stored?
  • What is the data used for?
  • Who is the data controller?
  • Who is the data processor?
  • Do you have valid consent and or other legal reason for processing?
  • Can you still use this data or will you need to obtain consent?
  • Who uses the data?
  • Where was the data obtained from?
  • How was it obtained?
  • Is there any data belonging to under 16s?
  • Are there any special categories of data?
  • Do you have adequate security controls around the data?

They also suggest ways of figuring out where your data is stored:

1. External data (In your CRM, like Infusionsoft)

2. Internal data:

  • Google Drive
  • Box
  • Microsoft OneDrive
  • Hightail
  • Citrix ShareFile
  • Dropbox Business

3. Social Media:
“Don’t forget the social media presence, security monitoring logs, analytics, web chats, emails, security logs will contain some personal data”8

All in all, it seems like a lot to do. But in reality, this is all just good housekeeping and security. Just make sure your data is secure, you know where it all is, and you’re all good to go.

5. Be prepared to get asked for Data by your contacts

GDPR states that your contacts can request to see what data you hold on them:

“1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

Now that sounds overwhelming, but really it’s just good record keeping. If you’re keeping track of your marketing activities – then this should be a breeze.

Why GDPR is a good thing:

While GDPR seems a bit scary, and a bit frustrating – I really believe this will be of overall benefit to the whole marketing landscape.

I’m sure you’ve heard of people saying “email is dead”. While that couldn’t be further from the truth, the inbox is getting more and more cluttered with nonsense. GDPR is going to help cut through quite a lot of that.

If you’re compliant, you’re going to be in the inbox with higher engagement. That’s never a bad thing.

Secondly, GDPR is forcing you to practise good list hygiene. Let’s face it, list hygiene is not a top priority for most – until it’s a problem. Then it becomes all-consuming, and the reality that it’s easier to keep up a good sending reputation than to claw your way back to one is a harsh lesson to learn.

Then there are the benefits for privacy and security. To be able to say you are compliant, and make people feel like you take their data privacy and security seriously, is only ever going to make people feel more comfortable giving you their data and spending their online time and money with you.

And lastly, there is your value. Quite frankly, if you are providing value to your audience, they will be quite happy give you their data. Combined with making them feel secure with you and you are on the way to building trust. And trust is one of the foundations of a solid relationship.

All these reasons and more are why I don’t see GDPR as a bad thing at all. I am welcoming it with open arms, it’s your opportunity to get ahead of the competition!

Resources for learning more

If, like me, you have a burning desire to know more and to make sure you have all your bases covered, here is a list of good resources:

GDPR mega resource – This is a nifty compilation of resources from the DMA (Direct Marketing Association UK) – and it even has a GIANT timer to exactly how long you have left to become compliant.

Privacy policy example courtesy of Cyber Council

Some great steps you can go through if you have a larger organisation to ensure you become GDPR compliant – also from Cyber Council

http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

The actual GDPR guide

The Information Commissioner’s Office preparation document – a great 12 step process for ensuring compliance

The Infusionsoft document you should consider signing if you are in the UK

And the Infusionsoft Data Protection FAQ

In summary

GDPR is not really the Email Armageddon everyone is making it out to be. It’s an opportunity. One that you can take full advantage of by getting your business compliant.

Regulations and laws like this are in all of our best interests, they help keep the internet a safer and nicer place to be. It’s not rocket science seeing how that is a positive for all of us.

In the end, you provide value to your audience, you won’t have a problem with GDPR.

Follow the steps, and you got this!

If you’d like help getting your Infusionsoft application up to scratch then drop us a line!

 

 

 

 

 

 

Content courtesy of Automation Ninjas