What is GDPR?
GDPR stands for “General Data Protection Regulation”, and it will be enforced from May 25 2018. As you would expect, technology has changed significantly in the last two decades, especially in the way organisations store and process personal data. GDPR expands on the General Protection Directive (1995), and brings it forward to address present-day digital storage solutions, and consumer privacy challenges.
Aside from providing guidelines on how organisations should store and collect personal data, GDPR also equips the customer with extended rights, one of which is the “right to be forgotten”, which essentially grants the customer the right to have all of their data erased completely from the organisation which controls and processes it.
How does this affect you?
It is important to note that the EU GDPR applies to you regardless of your geographic location if you are processing personal data of individuals located in the EU. If, for example, you’re an Australian company that also collects and stores EU data, then for those customers, you must remain compliant. These laws foster transparency, and give individuals confidence that their privacy has been protected with careful consideration.
Controllers vs Processors
Understanding the roles of processors and controllers can help better position you to address the key requirements of your data protection duties.
Controllers are the principal party directly responsible for collecting their customers’ data. As mailing list owners, they must be able to show evidence of how and when consent was received, and that it was given by a clear affirmative action. Controllers are typically the ones who interact with their customers directly, and decide how to use their personal data.
Processors are required to process and store personal data in compliance with GDPR, and to ensure that their controllers are also acting in accordance with the regulations. The controller may also appoint a data protection officer to ensure that technical and policy-driven decisions are GDPR compliant throughout the organisation.
Vision6 is a processor, and our users are the controllers.
If you are offering products or services, here are some things to be mindful of when obtaining consent:
- You must have a clear explanation of use, meaning there cannot be any ambiguity about how you will use your subject’s personal data.
- You cannot have pre-ticked opt-in boxes. This is not considered valid consent.
- Allow for an easy opt-out process. Customers have a right to withdraw their consent.
Right to be forgotten
The right to be forgotten is one of your customers’ biggest GDPR rights. They have a right to have all of their data erased from all stored locations. Once the request is lodged, this task is handled by the processor, Vision6.
The individual has a right to have their data erased without any delay if they meet one of the following requirements (Article 17):
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the individual withdraws consent;
- the individual objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services to a child (see Article 8 for more information).
Some other ways to remain compliant
The unsubscribe features in Vision6 already go some way to complying with GDPR. For example, if someone unsubscribes, they will be automatically excluded from future email campaigns, giving you the peace of mind that you won’t accidentally disturb anyone who has opted out. We’re going to take it one step further and now allow you to upload a bulk list of contacts, and unsubscribe them from either one, or every single list in your account. This is particularly useful if you manage your lists as separate preferences. But if this isn’t enough, then you have blocked contacts.
Blocked Contacts will allow you to block email addresses, and entire domains, from receiving your emails. This can be used in response to someone complaining and wishing to no longer receive any mail from you. Before adding them to this list, you must make it clear that they will no longer receive mail, even if they subscribe to the list again. That is the key difference between blocking a contact and simply unsubscribing them - even if they’re technically subscribed to your list, they will still not be sent any mail.
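As an added example (not Vision6’s own code), here is a minimal model of the two mechanisms described in the last two paragraphs: per-list unsubscribes, a bulk unsubscribe across one or every list, and blocked addresses or domains that suppress mail even after the contact subscribes again. The Account class, its in-memory sets and the sample addresses are constructed assumptions.

```python
# Constructed example: in-memory stand-in for an account's lists, unsubscribes and blocks.
from dataclasses import dataclass, field


def normalise(address: str) -> str:
    return address.strip().lower()  # compare addresses case-insensitively

@dataclass
class Account:
    lists: dict = field(default_factory=dict)          # list name -> subscribers
    unsubscribed: dict = field(default_factory=dict)   # list name -> opted-out addresses
    blocked_addresses: set = field(default_factory=set)
    blocked_domains: set = field(default_factory=set)

    def subscribe(self, list_name: str, address: str) -> None:
        # Subscribing again clears a per-list unsubscribe, but never a block.
        addr = normalise(address)
        self.lists.setdefault(list_name, set()).add(addr)
        self.unsubscribed.get(list_name, set()).discard(addr)

    def block(self, entry: str) -> None:
        # An entry containing '@' blocks one address; otherwise it blocks a whole domain.
        entry = normalise(entry)
        (self.blocked_addresses if "@" in entry else self.blocked_domains).add(entry)

    def is_blocked(self, address: str) -> bool:
        addr = normalise(address)
        domain = addr.rsplit("@", 1)[-1]
        if addr in self.blocked_addresses:
            return True
        # A blocked domain also covers its subdomains.
        return any(domain == d or domain.endswith("." + d) for d in self.blocked_domains)

    def bulk_unsubscribe(self, addresses, list_names=None) -> int:
        # Opt the uploaded addresses out of the named lists, or of every list when None.
        done = 0
        for name in (list(self.lists) if list_names is None else list_names):
            opted_out = self.unsubscribed.setdefault(name, set())
            new = set(map(normalise, addresses)) & (self.lists.get(name, set()) - opted_out)
            opted_out |= new
            done += len(new)
        return done

    def may_send(self, list_name: str, address: str) -> bool:
        # Blocked wins over subscribed; unsubscribes apply per list.
        addr = normalise(address)
        if self.is_blocked(addr) or addr in self.unsubscribed.get(list_name, set()):
            return False
        return addr in self.lists.get(list_name, set())
```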