Inxmail Professional GDPR Checklist

Transcription

1 Inxmail Professional GDPR Checklist This document provides an overview of the adjustments you should make in Inxmail Professional in connection with the provisions of the GDPR. It describes three different scenarios, and for each scenario you will find a checklist. You can therefore go through the checklist and make the corresponding settings in Inxmail Professional. This document is also part of the Inxmail Professional online help. The links there will help you to quickly become familiar with the individual topics. Version

2 1.1 Scenarios in connection with the GDPR When addressing the issue of which adjustments you should make in Inxmail Professional in connection with the provisions of the GDPR, the following three questions are of decisive importance: 1. Do the provisions of the EU GDPR apply to your company or organisation? 2. Do you store or process personal data that you obtain through personalised tracking? 3. Do you use data obtained through personalised tracking to create user profiles and target groups (recipient reactions), or is it sufficient if data obtained through personalised tracking is available in anonymised form? Depending on whether you answer Yes or No to these questions, three main scenarios emerge for using Inxmail Professional. These scenarios differ considerably in the scope of the measures you should take. The following diagram provides an overview of the main questions and scenarios. Be aware that the scenarios shown here may turn out to be somewhat more complex, depending on constellation. This can be the case if, for example, multiple scenarios may exist for your Inxmail Professional client. If you have international recipients, it may be that the provisions of the GDPR apply to some mailing lists but not to others. 1

3 Scenario 1 GDPR compliance is not required You have answered No to the first question. The provisions of the GDPR do not apply to you. Whether you store and process data obtained through person-based tracking is therefore insignificant for you in this connection. You should, however, observe any existing legal provisions that apply to your situation. The measures you must take for this scenario can be found in section Scenario 1 GDPR compliance is not required page 3. Scenario 2 GDPR compliance through anonymised data You have answered Yes to Question 1 and No to Question 2. The provisions of the GDPR apply to you. In addition, you store and process personal data obtained through tracking. However, it is sufficient if this data is available in anonymised form. The measures you must take for this scenario can be found in section Scenario 2 GDPR compliance through anonymised data page 4. Scenario 3 GDPR compliance through recipients consent You have answered Yes to Questions 1, 2 and 3. The provisions of the GDPR apply to you. You store and process personal data obtained through tracking. You use this data to create user profiles and/or target groups. The measures you must take for this scenario can be found in section Scenario 3 GDPR compliance through recipients consent page 5. 2

4 1.2 Scenario 1 GDPR compliance is not required The provisions of the GDPR do not apply to you. Whether you store and process data obtained through person-based tracking is therefore insignificant for you in this connection. You should, however, observe any existing legal provisions that apply to your situation. Scenario 1 Consent for person-based tracking The recipients consent is not relevant. Checklist Disable inclusion of consent for person-based tracking In the advanced properties of the mailing list, select the value Do not include (global settings will be ignored) for the Include consent for person-based tracking property. (As a result, the values in the Tracking Permission recipient column in Inxmail Professional are not evaluated, and the Tracking Permission recipient column is greyed out.) Additional information You do not need to take any measures other than that described in the point above, and can continue to work in the usual way. Nevertheless, you should note the following: As of Inxmail Professional 4.7, the Tracking permission recipient column exists in every standard mailing list. This is the case even if consent for personbased tracking is not relevant to you. The default value stored for every recipient is No. Similarly, this is not relevant to you. It is therefore possible to hide the Tracking permission column for Scenario 1. New functions related to the GDPR, such as the obtainment of consent for person-based tracking using the subscription form or the "Profile management" dynamic Web page, can be ignored (Scenario 1). 3

5 1.3 Scenario 2 GDPR compliance through anonymised data The provisions of the GDPR apply to you. In addition, you store and process personal data obtained through tracking. However, it is sufficient if this data is available in anonymised form. Scenario 2 Consent for person-based tracking Do not obtain the recipients consent. Checklist Enable inclusion of consent for person-based tracking In the advanced properties of the mailing list, select the value Include (global settings will be ignored) for the Include consent for person-based tracking property. (You can also apply the global settings if the Include consent for person-based tracking advanced property is enabled.) Do not obtain consent for person-based tracking Do not obtain consent for person-based tracking from your recipients. In other words, leave the values in the Tracking permission recipient column at This corresponds to the default setting. No. Additional information As a result of performing the above measures or settings, all data obtained through personalised tracking is anonymised. You can then continue to work in the usual way. You can continue to use unique count links to obtain personal data, for example, as the personal data is automatically anonymised in Scenario 2. 4

6 1.4 Scenario 3 GDPR compliance through recipients consent The provisions of the GDPR apply to you. You store and process personal data obtained through tracking. You use this data to create user profiles and/or target groups. Scenario 3 Consent for person-based tracking Obtain and maintain the recipients consent. For this scenario, you must take a series of measures. Here, it is a matter of obtaining consent for person-based tracking from your recipients. At the same time, you should familiarise yourself with new and extended functionalities that you should use, where appropriate, in connection with the GDPR for example, in relation to action sequences. The following checklist provides an overview of the required measures and extended functionalities of Inxmail Professional 4.7 and Checklist Act This means you need to take action. Enable inclusion of consent for person-based tracking In the advanced properties of the mailing list, select the value Include for the Include consent for person-based tracking property. (You can also apply the global settings if the Include consent for person-based tracking advanced property is enabled.) Obtain consent to person-based tracking Update existing "Subscription" dynamic Web page or create new "Subscription" dynamic Web page Integrate Tracking Permission element into the "Subscription" dynamic Web page Integrate Tracking Permission element into HTML subscription form ("Subscription Servlet") Update existing "Profile management" dynamic Web page or create new "Profile management" dynamic Web page Integrate Tracking Permission element into the "Profile management" dynamic Web page Integrate Grant tracking permission link type into mailings Include tracking permission in manual and automatic recipient import 5

7 Give recipients the possibility to withdraw their consent to person-based tracking Integrate Withdraw tracking permission link type into mailings Integrate Tracking Permission element into the "Profile management" dynamic Web page Include tracking permission in manual and automatic recipient import Configure and check Here you only need to take action if you use the corresponding functions. New Tracking Permission column in the recipient table The Tracking Permission column shows whether or not a recipient has granted consent for person-based tracking. You can change the values here manually. Be aware, however, that you may only set the tracking permission to the value Yes with the recipient s explicit consent. Action sequences Check actions based on the Click on a certain link event. Actions based on the Click on a certain link event will be executed only for those recipients who have granted consent for person-based tracking. It may be sensible to obtain your recipients consent for person-based tracking before continuing to work with such an action. You can change this standard behaviour if necessary. Familiarise yourself with the new events and actions in connection with the tracking permission, and check whether their use is meaningful in your application contexts. Synchronise consent for person-based tracking between mailing lists Create an action sequence with the Import Tracking Permission action. (The triggering event could be Subscription of a recipient, for example.) Target groups Check target groups based on recipient reactions. Target groups based on recipient reactions will contain only those recipients who have granted consent for person-based tracking. It may be sensible to obtain your recipients consent for person-based tracking before continuing to work with these target groups. When creating target groups, take account of the new Tracking Permission condition where appropriate. 6

8 Online parameters (encryption) The [%online_params] command encrypts the online parameters. If you wish to pass online parameters in unencrypted form (for example, to a Web application), you can do this using the [%online_params_unencrypted] command. Pass link parameters only when you have consent for person-based tracking Check whether you pass recipient attributes to Web applications. Make the data transfer dependent on consent for person-based tracking by integrating [attribute, considertrackingpermission]. Inform yourself Here you don t need to take action. However, you should be able to correctly understand or interpret the way in which Inxmail Professional behaves. Reports The results in the reports for data obtained through person-based tracking, such as the open rate or the clicks per evaluable link, remain unchanged, as anonymised clicks are also unique clicks. Mailing "Check" workflow step The results in the reports for data obtained through person-based tracking, such as the open rate or the clicks per evaluable link, remain unchanged, as anonymised clicks are also unique clicks. For integrators REST API/SOAP API Check whether you must adjust the API interfaces to external systems, in order to transfer the tracking permission (for example, to a CRM system). 7

9 About Inxmail With nearly 20 years of experience, we are a pioneer in software development for marketing. We support our customers and partners with fantastic service and grow their potential in a targeted way. In doing so, we draw upon a broad range of technology and services. Our solutions are influenced by our strong relationships with customers. We flexibly adapt our solutions to meet specific customer needs. Expertise that pays off: We have been implementing successful marketing and multichannel campaigns for over 2,000 customers in more than 20 countries since Contact Inxmail GmbH Wentzingerstr Freiburg Germany T F kontakt@inxmail.de 8