May 25, 2018 is a very important day. This is when the General Data Protection Regulation (GDPR) goes into effect in Europe. It will affect not only European companies, but just about any organization that does business globally. This regulation is bound to change channel marketing in a fundamental way. Before we dive into the details, let’s take a look at a brief summary—an excerpt from Wikipedia—of how this regulation applies: “The regulation applies if the data controller (an organization that collects data from EU residents), or processor (an organization that processes data on behalf of data controller like cloud service providers), or the data subject (person) is based in the EU. The regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. According to the European Commission, ‘personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.’” With this as a backdrop, here is a simplified interpretation of how GDPR will impact three core areas and how it will change channel marketing forever.
The foundation of this GDPR element is the principle that, ultimately, individuals are the owners of their own personal data. This means that whether an organization is selling through the channel or is a channel partner of that organization, it has no intrinsic right to the personal data it possesses. The data owner may provide temporary consent to a vendor or its partner to use that data for the purpose of providing services, but no marketing or sales contact can be made without explicit written (digitally accepted) authorization for such contacts. The law specifically says that each instance of consent by the data owner must be explicit, and cannot be bundled with terms and conditions or with any other agreements. If no such explicit authorization exists, then use of the data is non-compliant. If an organization or reseller reaches out to a prospect for sales and marketing activities without explicit authorization, this may lead to a potential violation. This could have a profound impact on channel marketing, because in most cases channel partners use email or event marketing as the primary way of sharing information with their existing customers or potential new prospects. If they require the explicit authorization of the target recipients in every instance, most of these vehicles of marketing will be pretty much useless. So, while the world of buying and selling has moved to a digital platform, it is possible that one of the most common and easiest means of reaching end prospects may now have become one of the hardest means (from a legal perspective).
GDPR also covers in explicit terms how data needs to be secured and protected, including various mechanisms for disaster recovery that are designed to properly store end-user contact data. As per Wikipedia, “[u]nder the GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. There is a maximum of 72 hours after becoming aware of the data breach to make the report (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33)…. However, the notice to data subjects is not required if the data controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption (Article 34).” This creates the second major challenge, because in many cases, while channel partners may have consent from their customers and prospects, they may not have the right level of technology to comply with data security policies.
Among the primary updates imposed by the GDPR are new rules related to “Privacy by Design” and “Privacy by Default.” Significantly, data privacy assessments need to be conducted during the design stages of all channel marketing processes, and the lifecycle of the relevant data process will need to be taken into account. The primary obligation is that the data controller/processor must take appropriate measures in order to protect personal data from unlawful processing. Privacy by Design provides the recognition of this right and how it is to be enforced. With the GDPR Privacy by Design requirements, channel marketing businesses need to design policies, procedures and systems that comply with the GDPR from the inception of a product’s or process’s development. When designing these, businesses are supposed to consider factors regarding the processing of personal data, including the ease of collection, how the data can be suppressed (for example, if a customer chooses not to receive direct marketing) and how portable the data is. Privacy by Design lays the groundwork for the Privacy by Default obligation. Under the latter obligation, data controllers must implement appropriate measures on both the technical and organizational levels to ensure that personal data collected is used only for the specific purpose mentioned. Channel marketers must implement a privacy impact assessment template which can be formulated for each new system that comes into being.
Summary of Regulations
The GDPR regulates the “processing” of data extending to collection, storage, transfer or use. The processing of the personal data of EU individuals by organizations is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Data can be processed only if there is at least one lawful basis to do so. The lawful bases for processing data are:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Privacy Law Updates and Non-Compliance
The key updates related to Privacy Law can be summarized as follows: expanded data privacy rights for EU individuals, data breach notification, added security requirements for organizations, customer profiling and monitoring. The financial penalties for failing to comply with the GDPR are clearly defined: for each instance of noncompliance, the organization could face a fine of up to 20 million euros or 4 percent of worldwide annual turnover (revenue), whichever is higher.
Five Rings of GDPR
Rights of EU Data Subjects
Enhanced rights for data subjects in the EU include access, rectification, erasure and portability within one month of a request. Data subjects are provided with controller identity and contact details, the purposes and legal basis of the processing, the categories of data concerned, the recipients and the expected storage period.
Security of Processing
72-hour breach reporting is required. Pervasive and intelligent internal restrictions are implemented to reduce data risks, including monitoring and encryption techniques.
Lawfulness and Consent
Lawful processing is done on the following bases: consent, necessity, legal obligation, protection, public interest, official authority or legitimate interest. Data subjects must be kept informed and requests managed in a transparent, efficient and effective manner.
Accountability of Compliance
Proof of compliance with the principles relating to personal data processing is required.
Design and Default
Data controllers must implement technical and organizational measures to demonstrate compliance with GDPR core principles.
- Personal Data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
- Data Controller – the entity that determines the purposes, conditions and means of the processing of personal data.
- Data Processor – the entity that processes data on behalf of the data controller.
- Data Subjects – “identified or identifiable natural person[s]”; in other words, data subjects are people—human beings from whom or about whom information is collected in connection with a business and its operations.
- Anonymous Data – sets of data that can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) by any means or by any person, ensuring that there is no way in which individuals can be identified. This is a technically complex task.
- Consent – GDPR requirement that businesses have a defined purpose for collection of personal information. This reason (or purpose) should always be supported by a legal basis. A legal basis can be a contractual obligation, a legitimate interest for storing and using data, or that explicit consent has been given.
How does GDPR impact the sending of marketing campaigns to persons on an existing contact list?
The GDPR applies not only to the data collected on its effective date—May 25, 2018—but also to the data gathered before that date. Consent records of existing contact lists must prove that the channel marketer has clear authorization to send marketing campaigns to each contact. Any ambiguous records would mean obtaining new and explicit permission from the outdated contacts.
Can contact lists be bought under GDPR?
While certain purchased lists with a clear affirmative statement of consent within the original subscription may be allowed under GDPR, GDPR still strongly recommends against this procedure for deliverability concerns.
How should organizations process client “unsubscribe” requests?
In order to be compliant with the EU GDPR, every channel marketer is supposed to ensure a proper process for their contacts to unsubscribe. The unsubscribe process under GDPR needs to be clear and simple. Each marketing campaign should include a visible unsubscribe link whereby the subscriber can unsubscribe from all communications.
How do you write a clear and concise consent message?
A consent message needs to be easily understandable to individuals. Practices such as pre-ticked opt-in boxes, confusing or vague language (double negatives or inconsistent language) and disruptive mechanisms are banned by the Regulation. An example of a clear and concise consent message: “You agree that [your organization name] may collect, use and disclose your personal data which you have provided in this form for providing marketing material that you have agreed to receive, in accordance with our data protection policy [available at link]. Please check the relevant boxes below if you agree to receive: [boxes].”
Are soft opt-ins allowed?
Soft opt-ins are not considered as explicit consent under GDPR, and using them is not an acceptable practice. Soft opt-ins are a form of temporary consent given by individuals while providing their email details.
What is double opt-in?
Double opt-in is when individuals need to confirm their email address before being added to a marketer’s email list and receiving communications. It is the double confirmation of their subscription to newsletters or any services needing their personal details. Double opt-ins are a good way to ensure compliance regarding consent under GDPR.
What is the process for storing consent information under GDPR?
A record of the process of obtaining the express consent of the data subject is mandatory. That includes: the data subject who gave the consent, when the consent was obtained (a date and time stamp, for example), and the specific purpose for which the consent was given.
How should I manage consent?
You should review consent data regularly to check that the relationship, the processing and the purposes have not changed, and you should consider using privacy dashboards to make it easy for individuals to update their consent preference. Any consent withdrawal requests should be processed as soon as possible, and records kept.
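The three FAQ answers above (storing consent records, double opt-in, and managing withdrawals) describe one data structure: a consent ledger keyed by subject and purpose. The following Python sketch is an added example, not code from the page or from ZINFI. It assumes a CRM-style contact id as the subject identifier, a free-text purpose string per campaign type, and a review interval (365 days) that is a policy choice of this example rather than a number from the Regulation. It goes slightly beyond the text by also showing how an imported pre-GDPR list entry stays non-contactable until re-confirmed, and how a pre-ticked box is refused at capture time.

```python
"""Consent ledger (illustrative): who consented, when, for what purpose,
whether it was confirmed by double opt-in, and whether it was withdrawn."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import secrets


@dataclass
class ConsentRecord:
    subject_id: str                           # who consented (assumed: CRM contact id)
    purpose: str                              # the one specific purpose this consent covers
    requested_at: datetime                    # when the opt-in was submitted (UTC)
    evidence: str                             # how it was captured: form id and wording version
    confirmed_at: Optional[datetime] = None   # set when the double opt-in link is used
    withdrawn_at: Optional[datetime] = None   # set when the subject unsubscribes

    def is_active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []          # the audit trail, never deleted
        self._pending: Dict[str, ConsentRecord] = {}    # confirmation token -> record

    def request(self, subject_id: str, purpose: str, evidence: str,
                now: datetime, affirmative: bool = True) -> str:
        """Step 1 of double opt-in. A non-affirmative capture (e.g. a pre-ticked box)
        is refused so that an ambiguous record never enters the ledger."""
        if not affirmative:
            raise ValueError("consent must be an affirmative act; pre-ticked boxes do not count")
        rec = ConsentRecord(subject_id, purpose, now, evidence)
        token = secrets.token_urlsafe(16)       # single-use link sent to the address given
        self._pending[token] = rec
        return token

    def confirm(self, token: str, now: datetime) -> bool:
        """Step 2 of double opt-in: only a confirmed record can authorize contact."""
        rec = self._pending.pop(token, None)
        if rec is None:
            return False                        # unknown or already-used token
        rec.confirmed_at = now
        self.records.append(rec)
        return True

    def import_legacy(self, subject_id: str, purpose: str, evidence: str,
                      captured_at: datetime) -> None:
        """Keep a pre-existing list entry for the audit trail, but unconfirmed:
        may_contact() stays False until the contact re-consents."""
        self.records.append(ConsentRecord(subject_id, purpose, captured_at, evidence))

    def withdraw(self, subject_id: str, now: datetime, purpose: Optional[str] = None) -> int:
        """Process an unsubscribe; purpose=None withdraws consent for all purposes."""
        n = 0
        for rec in self.records:
            if rec.subject_id == subject_id and rec.is_active() and purpose in (None, rec.purpose):
                rec.withdrawn_at = now
                n += 1
        return n

    def may_contact(self, subject_id: str, purpose: str) -> bool:
        """The check a campaign sender runs per recipient and per purpose."""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.is_active()
                   for r in self.records)

    def needs_reconsent(self, subject_id: str, purpose: str) -> bool:
        """True when records exist for this subject/purpose but none is active."""
        matching = [r for r in self.records if r.subject_id == subject_id and r.purpose == purpose]
        return bool(matching) and not any(r.is_active() for r in matching)

    def due_for_review(self, now: datetime, max_age: timedelta) -> List[ConsentRecord]:
        """Active consents older than max_age; the interval is a local policy, not a GDPR figure."""
        return [r for r in self.records if r.is_active() and now - r.confirmed_at > max_age]


def demo() -> dict:
    """Walk constructed contacts through the lifecycle and return each check's outcome."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    out = {}
    token = ledger.request("contact-1", "newsletter", "signup-form v2, unticked box", t0)
    out["before_confirm"] = ledger.may_contact("contact-1", "newsletter")
    out["confirmed"] = ledger.confirm(token, t0 + timedelta(minutes=3))
    out["after_confirm"] = ledger.may_contact("contact-1", "newsletter")
    out["other_purpose"] = ledger.may_contact("contact-1", "webinar-invites")
    out["token_reuse"] = ledger.confirm(token, t0)
    ledger.import_legacy("contact-2", "newsletter", "2016 list import, wording unknown",
                         datetime(2016, 1, 1, tzinfo=timezone.utc))
    out["legacy_contactable"] = ledger.may_contact("contact-2", "newsletter")
    out["legacy_needs_reconsent"] = ledger.needs_reconsent("contact-2", "newsletter")
    try:
        ledger.request("contact-3", "newsletter", "form with pre-ticked box", t0, affirmative=False)
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True
    out["review_due"] = len(ledger.due_for_review(t0 + timedelta(days=400), timedelta(days=365)))
    out["withdrawn_count"] = ledger.withdraw("contact-1", t0 + timedelta(days=10))
    out["after_withdraw"] = ledger.may_contact("contact-1", "newsletter")
    out["record_count"] = len(ledger.records)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sender-side rule is the single call `may_contact(subject, purpose)`; everything else exists to make that call answerable from evidence. Withdrawn records are marked rather than deleted, because the ledger is what proves, after the fact, both that consent existed and that the withdrawal was honoured.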
What about consent and third-party providers?
If you provide or transfer personal data to third parties, the data controller must have agreed to this data sharing. Consent for categories of third parties is not enough for the new European regulation, because you now need to list the third-party providers involved. If you use personal data from third parties, you must confirm that each individual’s consent was collected properly.
What are legitimate interests?
Based on Article 6(1)(f), private-sector organizations can process individuals’ data without their consent if they have a legitimate and genuine reason to do so, and such an act must not be outweighed by unwarranted impact on the individuals. The subject’s fundamental rights and freedoms should not be harmed; for example, processing of personal data for the purpose of preventing fraud is considered a legitimate interest whilst a direct marketing purpose is not. Check out the Consent Checklist to make sure you follow the right guidelines for your transition to GDPR.
What happens when a profiling data subject requests the halt of the profiling?
Under Article 19, upon the data subject’s request to halt the profiling, the processing must cease unless the controller demonstrates that the objection overrides the interests, rights and freedoms of the data subject.
How can I profile my data under GDPR to send personalized and targeted emails?
Because the new European regulation impacts profiling, you must comply with its requirements in order to send personalized and targeted emails. For more information, check out the GDPR and Profiling section. Check out the Email Marketing Checklist to make sure you’re working with third-party providers correctly as your business transitions to GDPR.
Can I still send email marketing campaigns to my existing contact list?
The GDPR applies not only to the data collected on its effective date—May 25, 2018—but also to the data gathered before.
Does the consent record of your existing contact lists prove that you have clear authorization to send email marketing campaigns to each contact?
Any ambiguous records would mean obtaining new and express permission from the outdated contacts in order to ensure the sending of email marketing communications is compliant.
Can I buy contact lists under GDPR?
While certain purchased lists with a clear affirmative statement of consent within the original subscription may be allowed under GDPR, ZINFI strongly recommends against this because of deliverability concerns. What is permitted may not be good for your email strategy.
How can I get my email unsubscribe process right?
Every email marketer should ensure a proper way for their contacts to unsubscribe in order to be compliant with the GDPR. The unsubscribe process under GDPR needs to be clear and simple. You should include a visible unsubscribe link in each marketing email where your subscriber can:
- Unsubscribe to this marketing communication
- Unsubscribe to all of your communications
- Contact a return email address
Allowing your contacts to easily subscribe and unsubscribe is equally important in achieving compliance with GDPR.
Can I work with third-party solution providers outside of the EU under GDPR?
Yes, as long as these third-party solution providers adhere to GDPR guidelines on data processing and storage. Personal data can only be transferred outside of the EU to countries that satisfy the adequacy requirement, or if you can assure an adequate level of privacy protection through Binding Corporate Rules.
What are Binding Corporate Rules (BCRs)?
Binding Corporate Rules are the EU gold standard for data privacy. BCRs allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of it where an adequate level of protection is not ensured. The BCRs must be in line with the requirements of the Article 29 Working Party (on BCR):
- Privacy principles (transparency, data quality, security…)
- Tools of effectiveness (audit, training, complaint handling system…)
To ensure approval for their BCRs, companies must choose a lead data protection authority to approve BCRs and coordinate securing approval from other relevant data protection authorities.
What should I do if I use third-party solutions to handle data under GDPR?
- Make a list of all the third-party cloud solutions you currently use.
- Map out the path of your data during the lifecycle of the process to ensure adequate levels of security at every step.
- Assess the level of risk you could pose to individuals should your data be compromised.
- Determine whether you need to appoint a data protection officer.
- Review all your contracts to understand where your data and applications are stored and whether your data is ever processed out of the EU.
- Include strict confidentiality, data privacy and data residency clauses in your contract.
- Ask your solution providers, especially those based outside of the EU, whether they are compliant with the GDPR regulation.
- Start evaluating and planning the switch to GDPR compliant solution providers if your current solution providers do not have plans to be GDPR compliant by May 25.
How will Brexit impact compliance for businesses based in the UK?
In June 2016, a majority of UK voters voted in favor of leaving the EU in the “Brexit” referendum. In March 2017, Theresa May gave notice to leave the EU under Art. 50, triggering commencement of the Brexit negotiations. As it stands now, the UK is scheduled to leave the EU at 11 p.m. UK time on March 29, 2019. This means if you’re based in the UK, you’ll need to work on your compliance as if Brexit never occurred. The UK has drafted legislation to update the current Data Protection Act (DPD) in line with the GDPR. The bill is currently working its way through the UK Parliament. If you’re based outside the UK but have vendors or affiliates in the UK with whom you share personal data, you’ll also need to keep an eye on developments in this area. When the UK leaves, cross-border data flows may not automatically have adequate safeguards, and therefore additional protections may be required to protect data you transfer to the UK.
How will the Rights of Individuals be affected by the GDPR?
Individuals already have numerous rights which protect their personal data under the 1995 Data Protection Directive, but the GDPR significantly strengthens these rights such that data subjects can now:
- Obtain details about how their data is processed by an organization or business;
- Obtain copies of personal data that an organization holds on them;
- Have incorrect or incomplete data corrected;
- Have their data erased by an organization, where, for example, the organization has no legitimate reason for retaining the data;
- Obtain their data from an organization and have that data transmitted to another organization (data portability);
- Object to the processing of their data by an organization in certain circumstances;
- Not to be subject to (with some exceptions) automated decision-making, including profiling.
Partner Terms and Conditions for GDPR Compliance
Read the terms and conditions integral to the Master Subscription Agreement or other written or electronic agreement between ZINFI, OEMs and partners for the mutual processing of online channel management services. These updates reflect the parties’ agreement with regard to the processing of personal data.
ZINFI and GDPR Readiness
As the developer of the #1 Unified Channel Management (UCM) platform, ZINFI provides channel marketers with visibility into and control of their customer data, helping organizations accelerate compliance with GDPR while unleashing the power of that data to optimize channel performance.
ZINFI and GDPR Readiness
If you haven’t yet started your journey to GDPR readiness, now is the time to put your plan into action. To help, we have created a checklist to guide your decision-making, enable fast-track GDPR readiness and track your progress.
GDPR Countdown and You
ZINFI recently held a Q&A with customers about the implications of the impending GDPR requirements. The new rules are intended to strengthen and unify data protection for individuals within the European Union (EU), and they will have a major impact on marketers who do business with EU citizens.
GDPR and Marketers
If you’re a marketer doing business with EU clients, it’s important that you carefully analyze your current data acquisition and customer contact practices, and consider modifications to these practices in order to ensure compliance. Read our overview of the new GDPR requirements and our tips for ensuring readiness.
Unified Channel Management (UCM)
How ZINFI Can Help Protect Your Channel