GDPR Compliance

Data Control

The foundation of this GDPR element is the principle that, ultimately, individuals are the owners of their own personnel data. This means that whether an organization is selling through the channel or is a channel partner of that organization, it has no intrinsic right to the personal data it possesses. The data owner may provide temporary consent to a vendor or its partner to use that data for the purpose of providing services, but no marketing or sales contact can be made without explicit written (digitally accepted) authorization for such contacts. The law specifically says that each instance of consent by the data owner must be explicit, and cannot be bundled with terms and conditions or with any other agreements. If no such explicit authorization exists, then use of the data is non-compliant. If an organization or reseller reaches out to a prospect for sales and marketing activities with explicit authorization, this may lead to a potential violation. This could have a profound impact in channel marketing, because in most cases channel partners use email or event marketing as the primary way of sharing information with their existing customers or potential new prospects. If they require the explicit authorization of the target recipients in every instance, most of these vehicles of marketing will be pretty much useless. So, while the world of buying and selling has moved to a digital platform, it is possible one of the most common and easiest means of reaching end prospects may now have become one of the hardest means (from a legal perspective).

Data Security

GDPR also covers in explicit terms how data needs to be secured and protected, including various mechanisms for disaster recovery that are designed to properly store end-user contact data. As per Wikipedia, “[u]nder the GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. There is a maximum of 72 hours after becoming aware of the data breach to make the report (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33)…. However, the notice to data subjects is not required if the data controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption (Article 34).” This creates the second major challenge, because in many cases, while channel partners may have consent from their customers and prospects, they may not have the right level of technology to comply with data security policies.

Data Privacy

Among the primary updates imposed by the GDPR are new rules related to “Privacy by Design” and “Privacy by Default.” Significantly, data privacy assessments need to be conducted during design stages of all channel marketing processes, and the lifecycle of the relevant data process will be needed to be taken into account. The primary obligation is that the data controller/processor must take appropriate measures in order to protect personal data from unlawful processing. Privacy by Design provides the recognition of this right and how it is to be enforced. With the GDPR Privacy by Design requirements, channel marketing businesses need to design policies, procedures and systems that comply with the GDPR from the inception of a product’s or process’s development. When designing these, businesses are supposed to consider factors regarding the processing of personal data, including the ease of collection, how the data can be suppressed (for example, if a customer chooses to not receive direct marketing) and how portable the data is. Privacy by Design lays the groundwork for the Privacy by Default obligation. Under the latter obligation, data controllers must implement appropriate measures on both the technical and organization levels to ensure that personal data collected is used only for the specific purpose mentioned. Channel marketers must implement a privacy impact assessment template which can be formulated for each new system that comes into being.

Summary of Regulations

The GDPR regulates the “processing” of data extending to collection, storage, transfer or use. The processing of the personal data of EU individuals by organizations is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Data can be processed only if there is at least one lawful basis to do so. The lawful bases for processing data are:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Privacy Law Updates and Non-Compliance

The key updates related to Privacy Law can be summarized as follows: expanded data privacy rights for EU individuals, data breach notification, added security requirements for organizations, customer profiling and monitoring. The financial penalties for failing to comply with the GDPR are clearly defined: for each instance of noncompliance, the organization could face a fine of up to 20 million euros or 4 percent of worldwide annual turnover (revenue), whichever is higher.

Five Rings of GDPR

Definitions

1. Personal Data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Data Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
4. Data Controller – the entity that determines the purposes, conditions and means of the processing of personal data.
5. Data Processor – the entity that processes data on behalf of the data controller.
6. Data Subjects – “identified or identifiable natural person[s]”; in other words, data subjects are people—human beings from whom or about whom information is collected in connection with a business and its operations.
7. Anonymous Data – sets of data that can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) by any means or by any person, ensuring that there is no way in which individuals can be identified. This is a technically complex task.
8. Consent – GDPR requirement that businesses have a defined purpose for collection of personal information. This reason (or purpose), should always be supported by a legal basis. A legal basis can be a contractual obligation, a legitimate interest for storing and using data, or that explicit consent has been given.

The General Data Protection Regulation (GDPR) is a new set of laws aimed at strengthening the protection of personal data of EU citizens and increasing the obligation for organizations to process this data transparently and securely. The GDPR applies not only to businesses in the EU, but to any business that controls or processes the data of EU citizens. At ZINFI, our entire organization works hard to ensure our own practices are GDPR compliant. But it’s equally important for us to help you, our partners and customers understand what GDPR means for your business and create compliance processes yourself. A big part of that is making sure the UPM platform sets up GDPR compliance for you. We are fully committed to providing features in ZINFI UPM that facilitate GDPR compliance.

Disclaimer: This website is not a tome on EU data privacy, nor is it intended to serve as legal advice for your business to comply with EU laws. EU on data privacy such as GDPR. Instead, it provides background information to help you better understand how HubSpot deals with some important legal issues. This legal information is not the same as legal advice, in which a lawyer applies the law to your specific situation, so if you need advice on your interpretation of this information or its accuracy, we strongly recommend that you consult a lawyer. In short, you should not consider this article as legal advice or a recommendation of a legal concept. The products, services and other features described here are not available in all situations and their availability may be limited.

Below is a detailed list of features that we have designed to help you meet your needs. But first, a quick primer on the legalese associated with the GDPR.

Let’s say that Partner X is a contact of yours and an EU citizen. Similarly Prospect Y is a Lead/Prospect of yours and an EU Citizen. The Partner X and Prospect Y are called the “data subject,” and your company (let’s call you X Corp.) is called the “controller” of that data. If you’re a ZINFI customer, then ZINFI acts as the “processor” of Partner X’s and Prospect Y’s data on behalf of X Corp. With the introduction of the GDPR, data subjects like Partner X and Prospect Y are given an enhanced set of rights, and controllers and processors like X Corp and ZINFI, respectively, an enhanced set of regulations.

GDPR Fundamentals

Now that we have the product details, a quick note on our mindset as GDPR marketers. When a new set of rules is first introduced, our first reaction is often fear. Fear of compliance, penalties, and bureaucracy. But here’s the thing: All the recent data protection laws, from the CCPA to the GDPR and more, were enacted for one simple reason: to provide a better experience for our customers and those who trust us. In this way, they are fully aligned with the concept of inbound.
Be relevant, be helpful, be transparent and you’ll be well on your way to compliance. Spam, annoy people, be aggressive and you’re in trouble. Complying with the GDPR takes effort, and that effort can create stress between now and the deadline. But at the end of the day, if GDPR makes life better for your customers, your business will grow too.

Here are some key business interests to consider in the process:

• GDPR has specific rules that allow your contacts to specify exactly what they want to receive from you.
• From a business perspective, this makes perfect sense. Don’t send to contacts who don’t want to hear from you, and make sure those who do choose what they want. This will significantly reduce unsubscribes and improve deliverability.
• GDPR requires greater transparency in the collection and processing of data. In legal terms, these are “right to access” and “portability”, which means that your contacts can request a copy of their data in a common format.
• In other words, your contacts should be able to ask you what they’ve recorded and get a fast, accurate, and easy-to-understand response. In the end, it’s not that crazy, right? Transparency breeds trust, pure and simple.
• GDPR requires you to give contacts the “right to be forgotten”. They may ask you to delete them from your database. This will not only keep relevant contacts happy, but it will save you from wasting time trying to market and sell to people who aren’t interested in your product or service. That means more time to focus on your best prospects and customers.
• Perhaps more importantly, the GDPR requires a lawful basis for processing. In other words, you must have a legitimate reason to use a contact’s data, such as consent or a legitimate interest. If you’re buying ads, here’s the bad news: not only does HubSpot’s acceptable use policy allow it, but now GDPR doesn’t allow it either.
• This may seem like a pain in the short term, but it’s great news for your business in the long run. Think about it. Who is more likely to buy from you: a set of email addresses gleaned from the internet who may have heard of you before, or a set of engaged contacts already interested in your product or service? We’ll try our luck with option two. Ensuring you’ve built a legitimate base will lead to a more engaged list, better email delivery rates, and fewer irritated contacts.