center Guide to GDPR

Transcription

1 Guide center Guide to GDPR For Marketers

2 Contents Introduction...3 What Is GDPR & Why Is This Happening?...4 What Is Going To Change?...5 How You Obtain Addresses...6 How You Store Personal Data...7 How to Use the Data...8 Changes Marketers Will Have To Make Going Forward...9 Transparent Sign-up...10 Accountability...11 Data Protection...12 What Do You Need To Do With Existing Data?...13 Existing Data...14 Opt-Ins - Single vs Double...16 Will You See A Reduction In Signups Due To This Process?...17 What Else Do I Need To Be Aware Of?..18 Real Life Data Collection...19 The Right To Be Forgotten...20 GDPR Checklist - How To Ensure You Are Compliant...21 How Can center Help?...22 Contact Details

3 Introduction The majority of businesses will be affected by the General Data Protection Regulation (GDPR) coming into force on 25th May 2018 and it heavily affects how Marketers collect, store and use individuals personal data. What do you need to know in order to ensure your company is prepared and in-line with the new regulations? Our guide covers what you need to know about GDPR, particularly focussing on the impact it will have on marketing processes and ensuring your data complies with the new changes.

4 What Is GDPR? GDPR is a new privacy law from the EU aiming to regulate privacy rules across Europe to make them more consistent throughout each country. As GDPR is a regulation, it is a legal requirement and will immediately be enforceable as a law in all EU countries on the 25th May Why Is This Happening? The new regulations are designed to reduce the risk to consumers and individuals in the event of data breaches by only allowing businesses to collect data that is required, and only keeping it for as long as necessary.

5 What Is Going To Change? GDPR will have an impact on every single company that uses personal data from citizens within the EU. As this includes addresses there are changes that Marketers and Marketers in particular will have to adhere to. They inclued the following items.

6 How You Obtain Addresses At the moment it s acceptable for Marketers to provide a pre-ticked checkbox when asking for permission to send regular newsletter or marketing s, but as of May 2018, this will no longer be allowed. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. - Article 32 of the GDPR The language used in these permission forms should also be transparent, meaning it must be easy to understand and must declare all intentions/methods of contact that may occur in the future. 6

7 How You Store Personal Data A large part of GDPR surrounds the storage of personal data and ensuring it is secure. Some companies may even be required to obtain a Data Protection Officer. This is usually for public authorities, companies that process regular and systematic data subjects on a large scale and companies that process sensitive data or data relating to criminal convictions/ offences on a large scale. Going forward Marketers will need to take the following into consideration: If asked, you will be required to prove that you have consent to use an address or other personal data Provide a simple and easy way for users to unsubscribe Data controllers are businesses that handle information of employees, clients, suppliers etc. that includes personal details, financial details, employment details. Report a breach in security to the data protection officer or supervisory authority within 72 hours of it being discovered Give users the right to be forgotten - completely wiping their personal data from your system leaving no trace of information at all 7

8 How to Use the Data Once the GDPR is in place, it will forbid the selling of any personal data that belongs to EU citizens. It also blocks the use of addresses being used for other purposes that have not been consented to by the individual. 8

9 Changes Marketers Will Have To Make Going Forward Going forward Marketers may have to change the way data is collected and how subscriber s consent is stored.

10 Transparent Sign-up As mentioned above, under GDPR content must be more transparent than ever before. The term informed consent requires that the subscriber must at least be told who the controller (data owner) is, and the purpose for processing their data. If the data will be used for more than one purpose, then all intentions must be made clear, consent given for each purpose and processing restricted to those purposes. Privacy notices must be easy for everyone to understand. When collecting data, they must explain who you are, why you are collecting data and the rights of an individual to control that data. A multi-part notice where each section is separate and in plain english or other appropriate language is the best way to structure something this complex. Records must be kept of privacy notices, consent information and all processing activities in order to prove you are adhering to the legislation. 10

11 Accountability This is a principle running through every aspect of the regulation. Accountability promotes good practice, a responsible attitude and an interest in the rights of individuals. Record and document data processes. Not only does this satisfy the demands of the GDPR, but it also forms a useful route to understanding exactly how you are using data, how well it is protected and how good your practice around data gathering really is. For most it should just be a case of formalising or correlating what you already do. 11

12 Data Protection Protecting your data, be it customer, staff, contract or any other business information should always be a priority in any business. There are long existing standards, like ISO/IEC or PCI-DSS, that focus on system and process wide protection. These go a long way in demonstrating appropriate security and control of data. GDPR also calls for a Data Protection Officer (DPO) to be employed in certain circumstances: Where the organisation is a public body or authority; The DPO can be a part-time worker or additional role to an existing employee, but importantly must have independence in reporting to board level without interference, and have expert knowledge of data protection law and practice. Again, if this scope is out of in-house reach then services to supply such an officer are available. Where Data processing requires regular monitoring of data subjects on a large scale; or Where the core activities or the processing involves large amounts of special (sensitive) data or data relating to criminal convictions or offences Should something go wrong in your protection of personal data then you have an obligation to report any breach as soon as you become aware of it to a Supervisory Authority, where feasible, no later than 72 hours of becoming aware. You must also report the breach to the individual concerned, where it is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions. 12

13 What Do You Need To Do With Existing Data? As of May 2018, you will need to have standards compliant consent from every individual on your list.

14 Existing Data If your existing processes and records meet the standards required by the GDPR, then there is no need to acquire any further consent for your data. However, an ongoing programme to re-confirm permission should be put into place. If your database includes subscribers whose permission hasn t been attained by the GDPR standards, or if you cannot provide adequate proof of consent for your data, you run the risk of significant fines starting at 10 million or 2% of the company s global annual turnover not to mention not being able to send marketing to those subscribers going forward. The best method to ensure you meet standards is to run an incentivising opt-in confirmation programme as soon as possible. This way you can gain confirmation of recipients who are happy to continue receiving marketing s from you. 14

15 If a recipient has already opted-in and confirms to a GDPR related they will be classed as a double opt-in. Example Of An Opt-in Workflow Using Maxautomation 15

16 Opt-Ins - Single vs Double A single opt-in process is completed when a visitor enters their address on a page and clicks submit. At this stage, they are added to your newsletter or marketing list. However they could have made a mistake in their address, or intentionally entered an incorrect address. A double opt-in process resolves this by including an additional step. After entering and submitting their address, they must respond to an in order to opt-in. This sounds lengthy but gives you proof that they did sign up, and you are able to store this along with a timestamp for reporting and auditing purposes. What needs to be stored? Record of date/time of consent and the method. A copy of the form, including its wording, should also be accessible if necessary. 16

17 Will You See A Reduction In Signups Due To This Process? Unfortunately, there is no doubt that this will slow the growth of your lists. However, there is a quality over quantity benefit here these double opt-ins are far more likely to engage in the future. To counter the slower list growth, there are a few options to try and improve your signup rates. Some examples are: Popup forms - which should be used within reason and not as soon as someone lands on your website Offering the visitor a chance to opt-in before being provided with an article or download Using inbound channels such as social media to send visitors to forms 17

18 What Else Do I Need To Be Aware Of? Following are a few things you need to be aware of in your marketing.

19 Real Life Data Collection The rules apply to addresses and other personal data that you have been given in real life too. The correct way to collect addresses requires that people have given you the same positive affirmation required for collecting addresses online and you must be able to prove it if necessary. One possible solution for in-store or exhibition data collection is to use a tablet with a correctly designed sign-up form. It is worth noting that you can still addresses with no personally identifiable data such as info@oxfordstones.com. 19

20 The Right To Be Forgotten GDPR also requires companies to adhere to the right to be forgotten *. This means you must be able to delete and remove all personal data of an individual when requested. This applies when: Personal data is no longer necessary in relation to the purpose it was originally collected for The individual withdraws their consent Personal data is unlawfully processed The individual objects to the processing and there is no overriding legitimate interest for continuing the processing Personal data must be erased for a legal obligation Personal data is processed in relation to the offer of information society services to a child * 20

21 GDPR Checklist - How To Ensure You Are Compliant Make sure you are compliant by using our checklist. Check your current data and find out if you are using addresses that fall within the EU. Send a new opt-in campaign to existing EU customers to confirm permission from them. Review and analyse your current forms that request data including pop-up windows and sign-up forms to ensure language is transparent and covers all intentions of data. Ensure all records of individual sign-ups and permissions are collected and stored ready to be presented if asked. Review current data storage and security processes then take measures to protect against potential security breaches if necessary.

22 How Can center Help? Our sophisticated marketing software, Max and our visual marketing automation tool, Maxautomation are both engineered with security as a fundamental design principle. center as a company have ISO accreditation that underlines the security practice we put around our operation, from network and infrastructure, through platform design and support, to our staff. Our hands-on expert Maxservices team are also putting together programmes and insights to help you get the best out of your preparations for May They will be on hand to advise and to help implement recommended practice in your marketing.

23 Contact Details Get in touch to find out more and arrange a demo info@ centeruk.com Powerful Marketing Software center UK Limited West Tithe, Pury Hill Business Park Alderton Road, Towcester Northamptonshire, NN12 7LS Visual Marketing Automation Software / center / center Behavioural Marketing Software /company/ center / center /user/ center Professional Marketing Services 23

24 / center / center /+ centeruk /company/ center center UK Limited is registered in the UK at West Tithe, Pury Hill Business Park, Towcester, Northamptonshire, NN12 7LS centeruk.com center UK Limited 2017 Reg No C158