This is the first in a number of articles that we'll be sharing with you, our clients and gCast users, to help you understand the GDPR better and what steps you can take to ensure that, when using gCast and Gen3Media's services, you remain GDPR-compliant once the legislation comes into effect.
Please remember that this article should not be considered as legal advice. We encourage you to seek your own independent legal advice around GDPR and whether it affects your business activities.
What is GDPR and Why is it Important?
The GDPR (General Data Protection Regulation) is new data privacy legislation protecting individuals in the EU that applies from May 25th, 2018. Its goal is to harmonise, modernise, and strengthen data privacy and processing rules across the European Union. The GDPR replaces Directive 95/46/EC (the Data Protection Directive), which has become out of date as technology has evolved.
The GDPR is not about businesses, it is about the ‘data subject’ (that’s the GDPR’s terminology for a real person) whose personal data is collected and processed by businesses, and about that individual’s rights as owner of their data.
The GDPR seeks to protect all the personal data belonging to a data subject, arming and empowering data subjects with the means to understand the what, how, when, where, and why their personal data is collected and processed.
‘Personal data’ under the GDPR extends beyond traditional identifiers such as contact details to any information relating to an identified or identifiable real person. That expressly includes pseudonymised data (data separated from its direct identifiers so that it cannot be linked to an identity without additional information that is held separately; such data is still personal data under the GDPR because the holder of the additional information can re-identify the person) and behaviour-based data about a data subject (such as clicks, opens, and reads of emails).
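To make the pseudonymisation definition concrete, here is an added example (not gCast code, and not from the original article) of the pattern it describes: behavioural events such as opens and clicks are stored against a keyed pseudonym, while the secret key and the pseudonym-to-identity table are held separately. Only the holder of that separately kept information can re-identify a subscriber, which is why the behavioural records remain personal data. The example also shows why a plain unkeyed hash of an email address is not adequate: addresses are guessable, so anyone can rebuild the mapping by trial. All names, the sample address and the events are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Added example only (not gCast code): a small pseudonymisation scheme in the
# sense of Article 4(5) GDPR. The key and the pseudonym -> identity table are the
# "additional information" that must be kept separately from the behavioural
# data, under their own access controls.


def normalise_email(email: str) -> bytes:
    """Canonicalise before hashing so 'Alice@Example.com ' and 'alice@example.com'
    map to the same pseudonym."""
    return email.strip().lower().encode("utf-8")


def pseudonym(email: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without `key`, the output cannot be
    recomputed from a guessed address, unlike a plain hash."""
    return hmac.new(key, normalise_email(email), hashlib.sha256).hexdigest()


class IdentityVault:
    """The separately held linkage data: secret key plus pseudonym -> identity
    table. Only this component can re-identify a data subject."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def register(self, email: str) -> str:
        p = pseudonym(email, self.key)
        self._table[p] = normalise_email(email).decode("utf-8")
        return p

    def resolve(self, p: str) -> Optional[str]:
        """Re-identification: only possible with the vault."""
        return self._table.get(p)

    def erase(self, email: str) -> bool:
        """Honour an erasure request by deleting the linkage; the behavioural
        records keyed by the pseudonym can no longer be tied to the person."""
        return self._table.pop(pseudonym(email, self.key), None) is not None


class BehaviourLog:
    """The analytics side (opens, clicks, reads). It never sees an address,
    only pseudonyms, so a leak of this store alone does not identify anyone."""

    def __init__(self) -> None:
        self._events: List[Tuple[str, str]] = []

    def record(self, p: str, event: str) -> None:
        self._events.append((p, event))

    def events_for(self, p: str) -> List[str]:
        return [e for (q, e) in self._events if q == p]


def guess_unkeyed_hash(digest: str, candidates: List[str]) -> Optional[str]:
    """Why a bare SHA-256 of an email is not adequate pseudonymisation:
    addresses are guessable, so the mapping can be rebuilt by trial."""
    for c in candidates:
        if hashlib.sha256(normalise_email(c)).hexdigest() == digest:
            return c
    return None


def demo() -> dict:
    """Run the scheme on constructed sample data and return the observations."""
    vault = IdentityVault()
    log = BehaviourLog()
    # Constructed sample subscriber and activity (not real data).
    email = "Alice@Example.com"
    p = vault.register(email)
    log.record(p, "open:newsletter-12")
    log.record(p, "click:newsletter-12/offer")

    # A party holding only the log cannot resolve `p`; the vault can.
    linked = vault.resolve(p)
    # A plain SHA-256 is reversed by a short list of likely addresses...
    plain = hashlib.sha256(normalise_email(email)).hexdigest()
    guesses = ["bob@example.com", "alice@example.com"]
    guessed_plain = guess_unkeyed_hash(plain, guesses)
    # ...but the keyed pseudonym is not.
    guessed_keyed = guess_unkeyed_hash(p, guesses)

    erased = vault.erase(email)
    return {
        "pseudonym_len": len(p),
        "linked": linked,
        "events": log.events_for(p),
        "guessed_plain": guessed_plain,
        "guessed_keyed": guessed_keyed,
        "erased": erased,
        "resolvable_after_erase": vault.resolve(p),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is the separation: the behaviour log and the vault should live in different systems with different access controls, and rotating or destroying the vault's key is what turns the log from pseudonymised personal data into data nobody can link back.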
Does the GDPR Affect Your Business?
The GDPR affects all organisations that collect, process, store, or use personal data of people who are in the European Economic Area (EEA), regardless of those people's citizenship or normal place of residence. Because the legislation uses the phrase ‘in the Union’, it can also cover tourists and other people visiting the EU.
Your business doesn’t have to be based or operating in the EEA to be affected by the GDPR. If you have customers who are in the EEA, you need to be compliant with the GDPR requirements. In short, the GDPR will impact any business that meets one or more of the following conditions:
- The business is established in the EU
- The business offers paid or free goods and/or services to individuals ‘in the EU’
- The business tracks or monitors the behaviour of individuals ‘in the EU’ (profiling)
- The business collects, stores, and/or shares data of individuals ‘in the EU’
If you’re unsure about whether your customer base or the people you communicate with through your business could be ‘in the EU’, then it is safer to err on the side of caution and ensure that you are GDPR compliant.
How Could Your Business be Affected by the GDPR?
The GDPR sets a high standard for consent, and customers must be given choice and control over how their data is handled. You can no longer rely on pre-ticked checkboxes or soft or implied opt-ins. The GDPR also requires organisations to diligently protect personal data, to be able to demonstrate how that data is protected, and to put data breach policies and procedures in place for those moments we all hope we never encounter – serious data breaches.
Not being prepared for or compliant with the GDPR could expose your business to substantial fines for violations – none of us want that.
What Steps Can You Take Towards GDPR Compliance?
1. Seek Independent Legal Advice
Don’t rely on this document or other articles on the web as your only source of knowledge or preparation for the GDPR. Whether you have a dedicated legal team, a preferred legal consultant/representative, or are a member of a business advisory group that has access to such resources, we recommend that you consult with professional legal entities or individuals who are adequately qualified to give you sound and solid advice on the GDPR and what you must do to become or remain compliant. With the GDPR citing possible fines of up to 4% of your business’s total worldwide annual turnover or 20 million euros, whichever is higher, investing some money in appropriate legal advice is a small price to pay in comparison.
2. Review Your Data Collection Practices
If you keep or process any information about real people and you decide what personal information is going to be kept and the purposes for which it will be used, then you are a Data Controller under the GDPR. Data controllers must meet several responsibilities and requirements under the GDPR. Of particular significance is ensuring that you have a legal basis for collecting and processing personal data.
a. Review Your Consent and Opt-in Practices
GDPR tightens up the requirements for gaining consent from data subjects and materially changes the way in which consent can be given or gained. Previously EU marketers could pre-check their opt-in boxes when signing people up to receive emails (although this hasn’t been the case in Australia for many years), relying on ambiguous language or inaction for opt-in purposes. Under GDPR, you will now be required to:
- Provide a genuine and free choice to opt-in that relies on a clear affirmative action that signifies agreement to the collection and processing of personal data relating to the data subject
- Provide the data subject with an informed choice to opt-in, describing who the data controller is, all the potential uses of their personal data, in a language that the data subject would reasonably be able to understand and with clear information on the data subject’s right to withdraw consent
- Provide the data subject with the specific purposes and reasons for the data collection and processing that will occur, including any processing that may be undertaken by third parties on your behalf. Note that processing for direct marketing purposes may instead be carried out on the basis of ‘legitimate interest’ (Recital 47), but the data subject must still be told about it and can object
- Remove contract conditions that make the contract conditional on consenting to the processing of personal data that is not necessary for the performance of the contract
- Retain and maintain accurate records of consent – who, when, how, and what you told data subjects at the time they opted in. Where you rely on legitimate interest instead of consent, keep a written record of the necessity and balancing conclusions you relied upon
- If you collect data at Point of Sale (POS), the ePrivacy Directive still applies for now but could change in the future
b. Review and outline your data storage policies
- Does your storage of personal data vary by region? If so, document and outline how it varies (where the data is held, for how long, and who has access)
c. Data Storage and Processing Outside of EU
- The GDPR recognises that personal data of individuals ‘in the EU’ is being exported, shared, and processed outside of the EU. At the time of writing the European Commission has recognised Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the US (limited to organisations certified under the Privacy Shield Framework; that adequacy decision was later invalidated by the Court of Justice of the EU in July 2020) as providing adequate protection
- In the absence of an adequacy decision, transfers to non-EU states are still allowed under certain conditions, such as the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs)
d. Appoint a Data Protection Officer
- Appoint a DPO (Data Protection Officer) if your core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (you are also free to appoint one voluntarily)
- The DPO informs and advises the organisation on its GDPR obligations, monitors compliance, and acts as the contact point for data subjects and the supervisory authority; in that sense the DPO is an independent voice for the data subject within the business
- The DPO must be given the resources and independence to do this and cannot be penalised for performing the role; accountability for what data is processed, where, for what purposes, and how it is protected remains with the controller
- Businesses that are not established in the EU but are subject to the GDPR because they offer goods or services to, or monitor the behaviour of, individuals ‘in the EU’ must designate a representative in the EU who will ‘act on behalf of the controller or processor and may be addressed by any Data Protection Authority (DPA)’ (there is a limited exemption for occasional, low-risk processing). The representative can be subject to enforcement proceedings in the event of non-compliance by the non-EU controller or processor
- Contact information for an organisation’s privacy or Data Protection Officer must be easy to find so data subjects have a channel for exercising their rights of access, erasure, portability, etc.
3. Data Processing Practices
If you hold or process personal data on behalf of someone else, without deciding the purposes or means of the processing yourself, then you are a data processor. It is possible for an organisation or individual carrying on business to be both a data controller and a data processor. Understanding how you interact with your data in terms of processing and campaign sending will help you identify how the GDPR applies to your database and sending practices. Some of the practices you can look at include:
a. Review and outline your sending policy
- Do your sending policies vary by audience?
- How do your sending policies vary by audience?
b. Campaign sending defaults
- What are the defaults that you have in place that will be applied to any campaign send no matter what?
c. Where are the opportunities to make decisions about who you send campaigns to?
- Do you extract your data in list format from, for example, a CRM prior to sending?
- Do you target segments of your customer database in a third-party product? If so, how do you decide who your campaign will be sent to?
- Identify your DPO and provide an easy mechanism that data subjects can use to reach out to your DPO should they need to
- Outline the process for redress if the response a data subject receives is unsatisfactory or indicates company negligence
- Identify your breach process and what security protections exist on data and data processing systems
- Clearly inform data subjects how their data will be processed and shared
- Outline exactly how data subjects can exercise their right to access or remove data
- Review and update your consumer purchase and application conditions – be transparent about how data is shared with third parties and how that data is used to ensure that data subjects are making an informed choice. Consider including an unchecked checkbox near the signup/download of the product
5. Document and Educate
- Consult with your legal team, business advisory service, or local regulatory body to ensure that you are GDPR compliant
- Map out an internal communication strategy – including the steps you’re taking to ensure compliance, how any changes will impact your existing procedures, and what you’re doing to mitigate negative impacts (such as a reduction of mailing list size)
- Document your processes for personal data collection, personal data processing, sharing of personal data with third parties and vendors, and for personal data breach responses and notifications
- Educate your entire team on GDPR and how it affects your business and current email sending and data storage/processing strategies
What are Gen3Media Doing to Ensure We’re GDPR Compliant?
Gen3Media wears two GDPR hats:
- As the owners and creators of gCast we are a data processor - we provide the gCast platform for our end users (that’s you) to use for collecting and processing personal data about your members. We handle your data and process it on your behalf, enabling you to gather more information about your members per the agreement laid out in our gCast Terms and Conditions
- As a business entity that provides support and services to our clients (you) we are a data controller – much like your business, we use software applications and products to collect and process some personal data about the people who have contacted us or whom we have contacted through the course of normal business operations
- The advice we’ve outlined for you in this document is also what we’re undertaking for ourselves – on behalf of you as our clients and for our own business’s security under GDPR
- We are undertaking our own data mapping and cybersecurity evaluations, reviewing the gCast terms and conditions of use and our privacy and anti-spam policies (which form part of the gCast terms and conditions), undertaking our own internal education program of our staff, and drafting up our data breach notification policy. You can also be assured, that we’re evaluating the current gCast functionality to ensure that you, our clients, can easily address and resolve GDPR-related data subject enquiries
- We have already assigned a Data Protection Officer and we are also working with our legal team to ensure that we, as an ‘outside-EU’ data processor/controller, can provide you with as much peace of mind as possible in the lead up to and after May 25th when the GDPR comes into effect.
We’ve been doing a lot of research to bring you this information. During our research, we came across a number of articles that we thought you, our customers, would find useful too. Don’t stop here though, please be sure to seek your own independent legal advice on GDPR to ensure that you are adequately prepared and protected in time for the GDPR’s launch date on May 25th, 2018.
GDPR Impact on Your Business’s Marketing Efforts
Return Path are market leaders in deliverability. Founded in 1999, Return Path have solid information on all things deliverability and email marketing
GDPR for Non-EU Businesses
Return Path Blog Articles - https://blog.returnpath.com/gdpr-impact-for-non-eu-companies/
Australia’s OAIC (Office of the Australian Information Commissioner) Article - https://www.oaic.gov.au/resources/engage-with-us/consultations/australian-businesses-and-the-eu-general-data-protection-regulation/consultation-draft-australian-businesses-and-the-eu-general-data-protection-regulation.pdf