14 Things You Wanted To Know About GDPR And Were Too Afraid To Ask
A couple of days ago, Moosend held a free webinar on GDPR compliance basics for email marketers.
Moosend’s DPO, John Stefanidis, and the company Communications Manager (la moi), presented a GDPR compliance overview for data privacy and personal data protection.
In this webinar we defined compliance with EU GDPR through practical tips, and cover all GDPR-related requirements.
We also summarized the key points of all 99 articles of the regulation corresponding to changes in procedures and practices that data controllers and data processors must make by May 25.
- What does EU mean? – a quick definition
- GDPR compliance: Friend or Foe?
- What are the differences between the EU directive and the GDPR?
- Why do we need GDPR compliance?
- Is company data considered personal?
- Our clients are companies. Are we in for GDPR compliance?
- Our main source of income is Email Marketing. How can we be GDPR-compliant?
- Is it necessary to re-gain customers consent for the existing lists?
- How to run GDPR-compliant contests on social media
- What is the third party to certify us for GDPR compliance?
- What did Moosend do for GDPR compliance? Which actions did you take?
- I’ve heard that “Unsubscribe” is different from “Delete” – Do you support email delete request?
- Are opted-out users automatically removed from automation campaigns or is this a manual procedure?
- Looking for another answer? – here’s where you can reach our DPO!
What does EU mean?
To define the European Union is no simple task as it represents a matrix of unions of countries on a number of levels.
Put simply, EU stands for European Union and the political and economic union that its 28 member states share.
The EU flaunts a standardized system of laws which apply to all 28 member states.
Since the EU started, its policies have aimed to safeguard the free movement of people, goods, and capital within the area.
Also, the union of these states helped establish common policies in various sectors, namely trade or agriculture.
The monetary union of 19 of these states was effected in 1999 through the euro currency and came into effect by 2002.
GDPR compliance: Friend or Foe?
GDPR compliance is a source of opportunity for whitehat marketers.
In other words, marketers who haven’t purchased lists or scraped lists are well-placed for GDPR compliance.
In effect, GDPR harmonizes different data privacy laws across European countries.
Destined to protect privacy for individuals and empower them over their personal data, granting them complete control over who processes this data and in what way.
At the same time, GDPR compliance requires businesses to reshape their approach to data privacy.
Essentially, it requires businesses to re-evaluate what they do, instead of exploiting data.
What are the differences between the EU directive and the new data privacy regulation (EU GDPR compliance)?
On the GDPR 101 webinar, we covered all of the major differences between the directive currently in effect.
There are actually a lot of differences, the major of which can be summarized under:
The EU Directive currently in effect does require consent of the users – however, it being a directive, it means it can be opted-out of.
The EU GDPR, on the other hand, is a regulation.
This means that it is mandatory and applied to all. A regulation, then, cannot be opted-out of.
More specifically, according to the GDPR:
– Consent is given by statement or affirmative action (e.g. no pre-ticked boxes)
– Consent must be separate from other matters. In other words, consent should not come in the same box-to-tick as a participation in a competition.
– Also, consent must be freely given, and if it is not obtained, there should be no penalty for the individual.
– It should be made easy for individuals to withdraw their consent at any time (i.e. Unsubscribe link).
– Data controllers must be able to prove how and when consent was given.
Another major change under GDPR is 7 major user rights.
These include the following:
- Users have the right to be informed,
- The right of access,
- The right to rectification,
- Users also have the right to erase,
- There is a right to restrict processing,
- Users have the right to data portability, and
- Finally, the right to object.
- Right to be informed
Data processors can inform data subjects of their information in a concise way that reads easily and in simple language, for free.
- Right of access
Under GDPR, individuals have the right to access their personal data, confirm that their data is being processed, for free.
In cases of unfounded, persistent requests, a reasonable fee can be charged.
- Right to rectification
Inaccurate or incomplete data must be rectified – if this data has been disclosed to third parties, they too must be notified for the rectification.
- Right to data portability
A data subject can request their data processor to transfer their personal data over to another organization in an open format that is common as it is readable, such as CSV files.
This information must be provided for free and no later than one month, two tops.
- Right to erase (right to be forgotten)
If the data subject wishes to have their data erased, withdraws their consent, when the original purpose for the collection/processing of the data is no longer applicable, when the subject objects to the processing, or if there has been a data breach, or is related to a child, then they can request erasure.
The erasure can be processed unless there is objections regarding a legal obligation or claim, or public-interest-related matters.
- Right to restrict processing
Data subjects can ask for restricted processing of their data and data processors must comply when there is a legal claim, or no longer need the data, and so on.
This should also be communicated across all third parties processing data to restrict processing.
- Right to object
Objecting processing can occur in cases whereby profiling, direct marketing, or statistical purposes take place
Under GDPR, data security is imperative.
Adopt high security standards and ensure that partners and all third parties implement the same security standards.
Moosend has subjected its processes to rigorous external audits for data security purposes.
Moosend now is ISO 27001 certified, a certification that is designed specifically to ensure data security.
Data transfer – Third parties
First of all, transferring data is not selling data.
It is transferring data with third parties which are also GDPR-compliant and provide the necessary safeguards required by the framework, if they are outside the EU.
The destination of this data transfer is not illegal, even if it is not within the EU, as long as all stakeholders comply with the regulation’s practices.
It is in data controllers’ responsibility to check whether the third parties they transfer data to are GDPR compliant.
Data Protection Officer (DPO)
Finally, the last major change of the GDPR is the appointment of a DPO.
Appointing a person to oversee all data-protection related procedures is key to achieving GDPR compliance.
A Data Protection Officer can be either an employee of the company or a third party (depending on the size of the organization) and must have the following qualifications:
- DPOs must be knowledgeable of all aspects of GDPR
- They should not receive instructions regarding the performance of their duties
- A DPO should not report to a direct superior (rather than top management)
- Another characteristic of a DPO is that he or she should have full access to all necessary resources within the organization needed to complete their tasks
- DPOs should have the authority to investigate personal-data-related operations
- Finally, there must be no conflict of interest between one’s duties as a DPO and other duties
A DPO’s agenda involves the following:
- Ensuring that data subjects are well informed of their rights
- Maintaining that all employees handling personal data are aware of their obligations and responsibilities and raise awareness about the GDPR
- Giving advice and ensuring data protection compliance throughout the organization
- Cooperating with the data protection authority when needed
- Serving as a key point of contact
- Handling or advising the institution on how to handle any data protection related complaints or requests
Why do we need GDPR compliance?
The directive currently in effect first came into force in 1995.
Since then, the digital landscape has unequivocally changed.
This means that the definition of personal data of what was no longer encompasses what is.
To account for personal data in the contemporary time, the GDPR compliance roadmap was designed.
GDPR revolves around personal data.
By “personal data” we mean anything that can be traced back to a specific individual or any piece of information that allows for an individual being identified as such.
Personal data could refer to a number of details such as:
- Home address,
- Email address,
- Bank details,
- Medical information,
- IP address,
- even nicknames!
Under the General Data Protection Regulation, users are now empowered over their personal data.
Essentially, the new regulation requires that businesses bake data privacy settings into their product, and improve their ways of requesting permission to use this data.
This way, the law ensures that businesses do not exploit personal data to leverage their marketing communication strategies and campaigns.
Is company data considered personal?
Company data is not personal.
For example, VAT number, billing details, general email addresses like (firstname.lastname@example.org) or other business-related information is not considered personal.
However, employee data such as their position in the company, email of a specific individual in the organization, or billing information of an employee of a company is considered personal data.
Our clients are companies. Are we in for GDPR compliance?
If you can be sure that you only access, process, and store company-related data, then GDPR doesn’t affect you.
But this is a rather unlikely scenario, for a number of reasons.
Like we said on the webinar, anything that relates to one’s personal, professional, or public life is considered personal data.
Even if you have a single email from a person within another company, or a telephone number in your records, then this is personal data.
For example, a signature of, say, a general manager on a contract can be considered personal data because it shows that this individual holds the GM position in the company.
Does my company have to be GDPR compliant to do Email Marketing?
That’s a good one. There are four scenarios:
- UK company – US citizen
- US company – UK citizen
- UK company – UK citizen
- US company – US citizen
1st scenario: UK company – US citizen
If you are a UK-based company (or EU-based, for that matter), and send emails outside the EU, you don’t have to be GDPR compliant.
Since you do not process European citizens’ personal data, then you do not have to comply.
2nd scenario: US company – UK citizen
If your company is based in the US and you send email campaigns to European citizens, you must be GDPR-compliant.
At the same time, processing Europeans’ personal data means you must also ensure that all your partners and third parties have achieved GDPR compliance.
Otherwise, you must look for GDPR compliant businesses to collaborate and do business with.
3rd scenario: UK company – UK citizen
All GDPR, everything! Especially if you are in the UK, you must be compliant with the UK Data Protection Bill, which is UK-specific. The Data Protection Bill comes into effect on the same day as the GDPR, that is, May 25th.
Again, it is imperative to ensure beforehand that your partners and all third parties are GDPR compliant, as they will be processing EU citizens’ personal data.
4th scenario: US company – US citizen
Nothing to see here! You can get on with your day!
Bottomline: Whether the data controller (business) is based in the EU or outside, if the personal data belongs to a European citizen, then the data controller’s practices must be GDPR-compliant.
The same goes for the data processor (for example, the Email Service Provider) that Acme.com is doing business with.
For all European clients of Acme.com, their data processor and third parties processing data must be GDPR-compliant.
Practically, you must choose GDPR-compliant partners, to be GDPR-compliant.
Is it necessary to re-gain customers consent for the existing lists?
Well, can you vouch for the practices previously carried out at your business?
Are you sure that your mailing lists are complete with users’ consents?
And if so, did they grow this list organically?
Then, you have nothing to worry about.
On the other hand, if you haven’t been with the company since forever and are unsure of the processes through which your predecessors obtained these emails, we recommend you try to get consent through soft double opt-in or double opt-in.
Remember, it is not compulsory to have double opt-in for GDPR compliance purposes.
As long as you can prove users’ consent, then you can have certain mailing lists as single opt-in.
This is entirely up to you!
We, at Moosend, offer three opt-in alternatives:
If you are still wavering over your opt-in options, remember we’re only a live chat message away!
How to run GDPR-compliant contests on social media
A fast way to grow your user base and capture the data of many engaged fans of your brand.
Is this GDPR hype going to prevent you from doing so, though?
One would expect that since they are putting something up for grabs, then you could have your own terms. Right?
✓ Well, when it comes to GDPR compliance, you can’t really “enforce” users to subscribe to your newsletter.
In other words, if refusing consent to subscribe to a newsletter you cannot enter the competition, GDPR practices are not observed.
✓ Another example is including consent to receive further communication in the same box as age certification (“I certify that I am older than 18 years of age”), or participation intention (“I wish to participate in this competition”), terms and conditions (“I agree with the Terms and Conditions”).
✓ Here’s another example: all boxes should come un-ticked.
There should be no pre-ticked boxes as they do not manifest explicit and conscious choice on behalf of the user.
✓ Are we out? We sure ain’t! Another no-no is rendering further communication a mandatory field or box to check. This cannot be a condition to participate.
✓ Another thing is that you should not have users check a box to opt out, instead of opting in.
Simply put, you cannot have consent to receive emails as a starting point.
The best way to go?
✓ To enter the competition, users will need to:
- provide a username and email and provide you with the correct answer.
- choose whether to tick the box of further communication or not.
- read an explicit message about terms and conditions for the competition (with a direct link) and
- a data privacy disclaimer.
What is the third party to certify us for GDPR compliance?
The fact of the matter is that there is no GDPR compliance certification per se.
However, what might seem as a gray zone to some, is really straightforward: render your processes as transparent as possible.
For example, if the Marketing Manager requests the graphic designer for the credentials of an online design tool, you must have a record of this request.
In other words, with programs such as LastPass you can request or send log in details with the rest of your team, while maintaining a log in track record automatically!
With respect to Email Marketing, when your users must sign up to access information on your website, then you should not use this email address in another mailing list to send them more content.
Unless they have specifically checked a box that they wish to receive further communication from you, you should only send them emails that are of interest to them.
To that extent, an email preference center might be of help.
In essence, subscribers will not unsubscribe from all of your lists at once, rather they will be able to update their profile and customize it accordingly.
Data controllers (:B2B and B2C businesses collecting and holding personal data of users) and data processors (:processing large scale personal data of clients) must take as many actions as possible to ensure that their actions are transparent.
GDPR compliance is essentially a sum of best practices around user experience and privacy.
As far as Moosend is concerned, in our capacity as both data controllers and data processors, we are ISO 27001 certified.
To successfully pass this ISO examination, we subjected all of our processes to rigorous external audits, specifically designed to safeguard data security.
This certification outranks, so to speak, GDPR as it requires rigorous processes throughout the company practices.
What has Moosend done for GDPR compliance? What actions did you take?
Err… how much time do you have?
You see, the thing about us is that Moosend is both a data controller and a data processor.
That being said, our roadmap was ISO-bound, far beyond GDPR.
1. First of all, to be GDPR-compliant, our mailing lists stay within the EU and we don’t share them with anyone. (We only transfer data through our partners and third parties which is for the purposes of doing business in the first place, and delivering!)
2. When we started taking the first steps to GDPR compliance, we mapped the data flow both within the organization and outside of it, namely, how data flows in the organization, who has access to what and for what reason, with who we share this data (e.g. Google Analytics, etc.).
3. Following this, we made changes internally, mostly in order to change the data flow map.
4. This way, every employee now has access only to the specific data that they need.
5. We had already signed NDAs with all employees, so our next consideration was to ensure maximum data security for our users, as part of our preparation for the rigorous external audit for the ISO 27001 certification.
To achieve that, we worked on the following:
6. We established maximum security on our servers (firewalls, restricted access, pen tests, antivirus, logs, etc.)
7. All of our employees received training and certifications on security-related matters.
8. We underwent special training for handling personal data.
9. We upgraded a strict IT policy for every employee.
10. Another action involved our revamped back-up policy, as well as
11. Renewed procedures for checking data breach, and
12. A brand new CCTV.
13. We may share account-related data with third parties only for business purposes (e.g. Intercom)
14. We double-checked every third party provider we use and asked them for security and GDPR compliance-related certifications
16. Last, we appointed a DPO.
I’ve heard that “Unsubscribe” is different from “Delete” – do you support email delete request?
You got that right: deletion of data is different from the Unsubscribe link when we send an email marketing campaign.
Now, when a subscriber hits Unsubscribe, then the action taken automatically on the platform is to remove them from the list.
A user will have to specifically ask for deletion of their data (aka “right to be forgotten) for you to remove them from your records. But – there is a but.
When the user asks for the deletion of their data, you should stop all communications.
In the meantime, you don’t generate new data or process existing ones.
But utterly deleting this data is another story. You see, it might not be entirely up to you to delete this data altogether.
– As a case in point, there could be a regional law that this data must stay with the company for X months before they can delete it, as it could pertain to it serving as evidence, for legal claims or other purposes.
– Another example is that you may need this data as proof of compliance or non-compliance with the company terms and condition or the anti-spam policy etc.
So, you should delete the data as soon as it’s certain that there is no reason to keep it.
Are opted-out users automatically removed from automation campaigns or is this a manual procedure?
Moosend is an ISO 27001 certified company and GDPR compliant. Therefore, on Moosend’s Email Marketing and Automations platform, opted-out users are automatically removed from automation campaigns and mailing lists.
Looking for another answer?
You can always reach out to our DPO here: email@example.com.
We, at Moosend, see this regulation as a positive development in the field of good practices for email marketing, and whitehat email marketing.
The new regulation is bound to raise the bar for quality content.
In the meantime, do consult with an attorney to ensure your business is legally covered.
As for all Email Marketing matters, you’ve got us to rely on!