What Is GDPR?
GDPR stands for "General Data Protection Regulation". It became enforceable on May 25, 2018. As you would expect, technology has changed significantly in the last two decades, especially in the way organisations store and process personal data.
GDPR expands on the General Protection Directive (1995) and brings it forward to address present-day digital storage solutions and consumer privacy challenges.
Aside from providing guidelines on how organisations should store and collect personal data, GDPR also equips the customer with extended rights, one of which is the "right to be forgotten", which essentially grants the customer the right to have all of their data erased completely by the organisation which controls and processes it.
Does It Apply to You & Your Business?
It is important to note that the EU GDPR applies to you regardless of your geographic location if you are processing personal data of individuals located in the EU. If, for example, you’re an Australian company that also collects and stores EU data, then for those customers, you must remain compliant.
These laws foster transparency and give individuals confidence that their privacy has been protected with careful consideration.
- GDPR applies if you are an Australian business with EU customers as its target audience.
- GDPR applies if you are an Australian business with a designated office in the EU.
Controllers vs Processors
Understanding the roles of processors and controllers can help better position you to address the key requirements of your data protection duties.
- Controllers are the principal party that is directly responsible for collecting their customers' data. As mailing list owners, they must be able to show evidence of how and when consent was received, and that it was given through a clear affirmative action. Controllers are typically the ones who interact with their customers directly and decide how to use their personal data.
- Processors are required to process and store personal data in compliance with GDPR, and ensure that their controllers are also acting in accordance with the regulations. The controller may also appoint a data protection officer to ensure that technical and policy-driven decisions are GDPR compliant throughout the organisation.
We are a processor, and our users (e.g. you) are the controllers.
Consent
If you are offering products or services, here are some things to be mindful of when obtaining consent:
- You must have a clear explanation of use, meaning there cannot be any ambiguity about how you will use your subjects' personal data.
- You cannot have pre-ticked opt-in boxes. This is not considered valid consent.
- Allow for an easy opt-out process. Customers have a right to withdraw their consent.
Right To Be Forgotten
The right to be forgotten is one of your customers' biggest GDPR rights. They have a right to have all of their data erased from all stored locations. This task will be handled by the processor (us) when the request is lodged.
The individual has a right to have their data erased without any delay if they meet one of the following requirements (Article 17):
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the individual withdraws consent;
- the individual objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services to a child (see Article 8 for more information).
GDPR Checklist
To help you stay compliant with GDPR in your marketing activities via our platform, there is a dedicated set of features available in the product.
These features are heavily focused on obtaining and proving that contacts on your list have provided consent in a GDPR-compliant manner.
- Edit your lists and enable the GDPR option
- Add a dedicated consent checkbox to your forms
- Ensure consent text is added to your forms
Using the GDPR Consent Component on Forms
Obtaining Consent for New Subscribers
There are a number of important things to consider when obtaining consent from your subscribers, and whilst we make it easy from a product perspective, you should consider what changes you may need to make to your subscription forms.
In short, you will need to inform individuals about how their data is being processed and what it is that they are consenting to, to ensure that a real choice is provided to that individual.
At a minimum, you must present the following information to customers.
- A clear and concise option to provide consent
- The purpose for which consent is sought (what types of marketing will you be sending? Why do you need the information?)
- Types of data that will be collected and used (fields available on the form)
- How to withdraw consent (explanation on how to unsubscribe, with a link)
- Details on any third parties who will also receive the personal data (this can simply be a link to your privacy policy detailing any processors of data such as us)
- Is personal data being transferred overseas? (again, this can be information available in your privacy policy)
- Details that identify the company (a logo or company information)
It might seem like a lot of additional information that you need to add to your form, but the reality is that you probably have ¾ of it already.
We also give you the ability to enable GDPR settings for your lists. This will:
- Enable a dedicated consent component on your forms.
- Enable a dedicated consent disclaimer on your forms.
- Flag any contacts who subscribe and provide consent with 'GDPR'.
Other Ways To Remain Compliant
Bulk Unsubscribe
The unsubscribe features in our platform already go some way to complying with GDPR. For example, if someone unsubscribes, they will be automatically excluded from future email campaigns, giving you the peace of mind that you won’t accidentally disturb anyone who has opted out.
We’re going to take it one step further and now allow you to upload a bulk list of contacts, and unsubscribe them from either one, or every single list in your account. This is particularly useful if you manage your lists as separate preferences.
If this isn’t enough, then you have the ability to totally block contacts (read more below).
Blocked Contacts
Blocked Contacts will allow you to block email addresses, and entire domains, from receiving your emails. This can be used in response to someone complaining and wishing to no longer receive any mail from you.
Before adding them to this list, you must make it clear that they will no longer receive mail, even if they subscribe to the list again. That is the key difference between blocking a contact and simply unsubscribing them: even if they’re technically subscribed to your list, they will still not be sent any mail.