How does GDPR impact the sending of marketing campaigns to persons on an existing contact list?
The GDPR applies not only to the data collected on its effective date—May 25, 2018—but also to the data gathered before that date. Consent records of existing contact lists must prove that the channel marketer has clear authorization to send marketing campaigns to each contact. Any ambiguous records would mean obtaining new and explicit permission from the outdated contacts.
Can contact lists be bought under GDPR?
While certain purchased lists with a clear affirmative statement of consent within the original subscription may be allowed under GDPR, GDPR still strongly recommends against this procedure for deliverability concerns.
How should organizations process client “unsubscribe” requests?
In order to be compliant with the EU GDPR, every channel marketer is supposed to ensure a proper process for their contacts to unsubscribe. The unsubscribe process under GDPR needs to be clear and simple. Each marketing campaign should include a visible unsubscribe link through which the subscriber can unsubscribe from all communications.
How do you write a clear and concise consent message?
A consent message needs to be easily understandable to individuals. Practices such as pre-ticked opt-in boxes, confusing or vague language (double negatives or inconsistent language) and disruptive mechanisms are banned by the Regulation. An example of a clear and concise consent message: “You agree that [your organization name] may collect, use and disclose your personal data which you have provided in this form for providing marketing material that you have agreed to receive, in accordance with our data protection policy [available at link]. Please check the relevant boxes below if you agree to receive: [boxes].”
Are soft opt-ins allowed?
Soft opt-ins are not considered explicit consent under GDPR, and using them is not an acceptable practice. Soft opt-ins are a form of temporary consent given by individuals while providing their email details.
What is double opt-in?
Double opt-in is when individuals need to confirm their email address before being added to a marketer’s email list and receiving communications. It is the double confirmation of their subscription to newsletters or any services needing their personal details. Double opt-ins are a good way to ensure compliance regarding consent under GDPR.
What is the process for storing consent information under GDPR?
A record of the process of obtaining the express consent of the data subject is mandatory. That includes: the data subject who gave the consent, when the consent was obtained (a date and time stamp, for example), and the specific purpose for which the consent was given.
How should I manage consent?
You should review consent data regularly to check that the relationship, the processing and the purposes have not changed, and you should consider using privacy dashboards to make it easy for individuals to update their consent preference. Any consent withdrawal requests should be processed as soon as possible, and records kept.
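As an added illustration of the record-keeping, double opt-in and withdrawal handling described in the questions above (not code from the original page or from ZINFI), the following Python sketch keeps an append-only consent ledger whose fields are the ones listed for consent storage (subject, timestamp, purpose, plus the capture source), treats a record as usable only once the double opt-in has been confirmed, and keeps withdrawn records on file rather than deleting them. The `ConsentLedger` class, its method names and the `email_marketing` purpose label are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass
class ConsentRecord:
    subject: str                             # who gave the consent
    purpose: str                             # the specific purpose consented to
    given_at: datetime                       # when consent was captured (UTC)
    source: str                              # where it was captured, e.g. a form URL
    confirmed_at: Optional[datetime] = None  # double opt-in confirmation time
    withdrawn_at: Optional[datetime] = None  # set on unsubscribe; record is kept

def _now(at):
    return at or datetime.now(timezone.utc)

class ConsentLedger:  # hypothetical class name, assumed for this example
    def __init__(self):
        self.records: List[ConsentRecord] = []  # append-only audit trail

    def _latest(self, subject, purpose):
        matches = [r for r in self.records
                   if r.subject == subject and r.purpose == purpose]
        return matches[-1] if matches else None

    def record_consent(self, subject, purpose, source, at=None):
        rec = ConsentRecord(subject, purpose, _now(at), source)
        self.records.append(rec)
        return rec

    def confirm(self, subject, purpose, at=None):
        # Double opt-in: a pending record is usable only once confirmed.
        rec = self._latest(subject, purpose)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.confirmed_at = _now(at)
        return True

    def withdraw(self, subject, purpose, at=None):
        # Unsubscribe: mark withdrawn but keep the record as evidence.
        rec = self._latest(subject, purpose)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = _now(at)
        return True

    def may_send(self, subject, purpose):
        # Gate before each campaign: confirmed, unrevoked consent for this purpose.
        rec = self._latest(subject, purpose)
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
```

A campaign sender would call `may_send` for every recipient and purpose immediately before dispatch, so that a withdrawal processed minutes earlier is honoured.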
What about consent and third-party providers?
If you provide or transfer personal data to third parties, the data controller must have agreed to this data sharing. Consent for categories of third parties is not enough for the new European regulation, because you now need to list the third-party providers involved. If you use personal data from third parties, you must confirm that each individual’s consent was collected properly.
What are legitimate interests?
Based on Article 6(1)(f), private-sector organizations can process individuals’ data without their consent if they have a legitimate and genuine reason to do so, and that interest must not be outweighed by an unwarranted impact on the individuals. The subject’s fundamental rights and freedoms should not be harmed; for example, processing of personal data for the purpose of preventing fraud is considered a legitimate interest whilst a direct marketing purpose is not. Check out the Consent Checklist to make sure you follow the right guidelines for your transition to GDPR.
What happens when a profiling data subject requests the halt of the profiling?
Under Article 19, upon the data subject’s request to halt the profiling, the processing must cease unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject.
Is profiling allowed on children?
No. Profiling and automated decision-making are not allowed on children, irrespective of their age.
How can I profile my data under GDPR to send personalized and targeted emails?
Because the new European regulation impacts profiling, you must comply with its requirements in order to send personalized and targeted emails. For more information, check out the GDPR and Profiling section. Check out the Email Marketing Checklist to make sure you’re working with third-party providers correctly as your business transitions to GDPR.
Can I still send email marketing campaigns to my existing contact list?
The GDPR applies not only to the data collected on its effective date—May 25, 2018—but also to the data gathered before.
Does the consent record of your existing contact lists prove that you have clear authorization to send email marketing campaigns to each contact?
Any ambiguous records would mean obtaining new and express permission from the outdated contacts in order to ensure the sending of email marketing communications is compliant.
Can I buy contact lists under GDPR?
While certain purchased lists with a clear affirmative statement of consent within the original subscription may be allowed under GDPR, ZINFI strongly recommends against this because of deliverability concerns. What is permitted may not be good for your email strategy.
How can I get my email unsubscribe process right?
Every email marketer should ensure a proper way for their contacts to unsubscribe in order to be compliant with the GDPR. The unsubscribe process under GDPR needs to be clear and simple. You should include a visible unsubscribe link in each marketing email where your subscriber can:
- Unsubscribe to this marketing communication
- Unsubscribe to all of your communications
- Contact a return email address
Making it easy for your contacts both to subscribe and to unsubscribe is equally important in achieving compliance with GDPR.
Can I work with third-party solution providers outside of the EU under GDPR?
Yes, as long as these third-party solution providers adhere to GDPR guidelines on data processing and storage. Personal data can only be transferred outside of the EU to countries that satisfy the adequacy requirement, or if you can assure an adequate level of privacy protection through Binding Corporate Rules.
What are Binding Corporate Rules (BCRs)?
Binding Corporate Rules are the EU gold standard for data privacy. BCRs allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of it where an adequate level of protection is not ensured. The BCRs must be in line with the requirements of the Article 29 Working Party (on BCR):
- Privacy principles (transparency, data quality, security…)
- Tools of effectiveness (audit, training, complaint handling system…)
To ensure approval for their BCRs, companies must choose a lead data protection authority to approve BCRs and coordinate securing approval from other relevant data protection authorities.
What should I do if I use third-party solutions to handle data under GDPR?
- Make a list of all the third-party cloud solutions you currently use.
- Map out the path of your data during the lifecycle of the process to ensure adequate levels of security at every step.
- Assess the level of risk you could pose to individuals should your data be compromised.
- Determine whether you need to appoint a data protection officer.
- Review all your contracts to understand where your data and applications are stored and whether your data is ever processed out of the EU.
- Include strict confidentiality, data privacy and data residency clauses in your contract.
- Ask your solution providers, especially those based outside of the EU, whether they are compliant with the GDPR regulation.
- Start evaluating and planning the switch to GDPR-compliant solution providers if your current solution providers do not have plans to be GDPR-compliant by May 25.
How will Brexit impact compliance for businesses based in the UK?
In June 2016, a majority of UK voters voted in favor of leaving the EU in the “Brexit” referendum. In March 2017, Theresa May gave notice to leave the EU under Art. 50, triggering commencement of the Brexit negotiations. As it stands now, the UK is scheduled to leave the EU at 11 p.m. UK time on March 29, 2019. This means if you’re based in the UK, you’ll need to work on your compliance as if Brexit never occurred. The UK has drafted legislation to update the current Data Protection Act (DPD) in line with the GDPR. The bill is currently working its way through the UK Parliament. If you’re based outside the UK but have vendors or affiliates in the UK with whom you share personal data, you’ll also need to keep an eye on developments in this area. When the UK leaves, cross-border data flows may not automatically have adequate safeguards, and therefore additional protections may be required to protect data you transfer to the UK.
How will the Rights of Individuals be affected by the GDPR?
Individuals already have numerous rights which protect their personal data under the 1995 Data Protection Directive, but the GDPR significantly strengthens these rights such that data subjects can now:
- Obtain details about how their data is processed by an organization or business;
- Obtain copies of personal data that an organization holds on them;
- Have incorrect or incomplete data corrected;
- Have their data erased by an organization, where, for example, the organization has no legitimate reason for retaining the data;
- Obtain their data from an organization and have that data transmitted to another organization (data portability);
- Object to the processing of their data by an organization in certain circumstances;
- Not be subject to (with some exceptions) automated decision-making, including profiling.