We have spent months talking about the General Data Protection Regulation (GDPR). The 25th of May, the day when it goes into effect, is fast approaching. During this time, we have provided you with tons of information related to adapting your email marketing strategy.
On April 11th, 2018, we held a webinar going through the key points in which the new General Data Protection Regulation (GDPR) affects the email marketing strategy.
Editor’s Note: Benchmark provides information during the webinar and in this article for informational purposes only. Such information cannot be understood as legal advice. To get advice on any issue or aspect related to the GDPR, you should contact your lawyer.
In this article, we’ll do a quick review of what GDPR is. We also want to recap how Benchmark has adapted to the GDPR and all the changes we have implemented which you might need to know about.
What is the goal of the new GDPR?
The main goal of the new GDPR is to provide users with final control over their personal data.
What benefits does the new GDPR provide?
- One continent, one law: a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28.
- One-stop-shop: a ‘one-stop-shop’ for businesses. Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.
- The same rules for all companies – regardless of where they are established: Today, European companies have to adhere to stricter standards than companies established outside the EU that are also doing business in our Single Market. With the reform, companies based outside of Europe will have to apply the same rules when they offer goods or services on the EU market. This creates a level playing field.
- Technological neutrality: the Regulation enables innovation to continue to thrive under the new rules.
Roles and restrictions in the treatment of personal data
The GDPR places the responsibility on the “controller”, who is accountable for applying the Regulation. The controller is whoever determines the purposes and means of the processing of personal data. As a consequence, the controller must also ensure that the way the personal data is processed is compliant with the GDPR.
If the controller, for example, has decided to use Benchmark as an email marketing software, he or she has to ensure that the tools provided by Benchmark are GDPR compliant, granting the rights of rectification, access and erasure. As you probably know, Benchmark provides that option through the “Manage subscription” link, which, however, is not a mandatory element of the email footer. Therefore it is the controller’s duty to activate and add it.
In this scenario, Benchmark is just a simple data processor software.
Until now, when a subscriber signed up through our signup forms it was not mandatory to inform him/her about the purpose of the data processing activities to be carried out. The GDPR mentions that the consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement and should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
In addition, where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.
The GDPR advocates for simplicity in data collection. As marketers we tend to ask for more details than required (e.g. for sending out a simple weekly newsletter). This new Regulation encourages controllers to collect only the minimum data necessary for the current marketing strategy and not to ask for unnecessary data that may (or may not) be useful in the future.
The controller should ensure the easy exercise of the data subject’s rights, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object.
Treatment of personal data
The controller must inform the data subject of the existence of the processing operation and its purposes to ensure fair and transparent processing.
How is Benchmark complying with the new GDPR?
- “Right to be forgotten”
This right is one of the biggest changes of this Regulation. For the very first time, this right is regulated and obliges the controller to completely remove the data if the data subject requests it. To exercise the right to be forgotten, we have two different scenarios:
Benchmark | Customer
In case any of Benchmark’s customers wants to be “forgotten”, he or she needs to request the deletion of the data by writing to firstname.lastname@example.org and we will proceed with the deletion of that data.
Benchmark | Customer | Subscriber
Any of our client’s subscribers can request to be deleted from the client’s lists and records. It’s the customer’s responsibility to delete the subscriber from our (and other) systems, with one exception: if the subscriber has already unsubscribed, the client will not be able to remove the data from the “Unsubscribe” list. If this happens, the customer should forward the user’s email to email@example.com and we will proceed with the deletion of the subscriber from the list.
- Accessibility / rectification / unsubscribe
The controller must include the “Manage Subscription” option on the campaigns:
By adding this option, the client gives the data subject the ability to access and rectify his/her data and to unsubscribe. When the subscriber clicks on that link, he/she will find this screen:
The subscriber can exercise his/her rights here. At Benchmark, we are currently preparing to allow the data subject to be able to rectify the rest of the fields and not just the email, name and surname.
- International transfer of personal data
Article 45 mentions that a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
This international transfer of personal data is guaranteed under the EU-US Privacy Shield Agreement, whose certification is held by Benchmark:
- Servers location
It was actually NEVER an obligation to have servers in Europe, but with the new GDPR it is even less necessary. One of the goals of the GDPR is to equate the data protection standards that European companies fulfil with those applied by companies from abroad, so that all companies are obliged to compete on equal terms.
Find the recording of our Webinar here:
If you found this article interesting, please share it with your colleagues and friends.