Changes to how you export and delete contacts in advance of the GDPR


Managing your contacts

As of today, we have new ways of exporting and deleting contacts. Some of these changes are to help you get ready for the GDPR, whilst some are to make managing your contacts easier and build on the new contact editor we launched earlier in the year.

Deleting

Previously, deleting a contact would hide her in your account. You couldn’t get her back unless you re-added her, at which point we’d resurrect the data you’d previously held on her.

But now, when you delete a contact, she’ll go into the recycle bin (previously called ‘Utilities’). She’ll stay there for 30 days, and you can undelete her at any time.

After 30 days, she’ll be removed permanently along with all her information held in contact data fields and Insight data.

If you want to, you can permanently delete her before the 30 days are up directly from the recycle bin.

This means you can now use the delete tool to comply with GDPR (or other) data deletion requests.

Additionally, we’ve made it possible to delete a contact from the contact editor, rather than just from the contact listing page – which should make things just a little bit simpler.


Deleting suppressed contacts

Delete suppressed contact

A suppressed contact is one you can’t email (maybe because she unsubscribed, your previous emails to her have bounced, or another one of a handful of reasons).

When a contact becomes suppressed, we don’t remove the data you’ve collected on her; if she was to become unsuppressed, her old data would be viewable again too.

However, we now offer the option of deleting a suppressed user.

This means you can comply with ‘right to be forgotten’ or similar regulatory requests.

But deleting a suppressed contact differs in one crucial way to deleting a normal contact: we won’t delete the email address. This is so we can continue to keep her suppressed, and so you don’t unintentionally email her in the future (by accidentally re-importing the contact to your account, for example).
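The two deletion paths above have different data-retention consequences, and they are easy to get wrong when you implement your own contact store. The following is an added example (not dotmailer's code, and it assumes nothing about their internals): a constructed in-memory store in which a normal delete is a soft delete into a 30-day recycle bin that is then purged together with all data fields and Insight data, while a delete of a suppressed contact erases every field immediately but keeps only the address on a suppression list so that a later re-import comes back suppressed rather than mailable. All contacts and timestamps are constructed sample values.

```python
"""Contact lifecycle: 30-day recycle bin plus a retained suppression list.

Added illustration of the behaviour described in the post; constructed data,
not a model of any vendor's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

RECYCLE_BIN_DAYS = 30  # retention window stated in the post


@dataclass
class Contact:
    email: str
    data_fields: Dict[str, str] = field(default_factory=dict)   # e.g. name, postcode
    insight_data: Dict[str, int] = field(default_factory=dict)  # e.g. order counts
    suppressed: bool = False          # unsubscribed, bounced, ...
    deleted_at: Optional[datetime] = None  # set while in the recycle bin


class ContactStore:
    def __init__(self) -> None:
        self.contacts: Dict[str, Contact] = {}   # live and binned, keyed by email
        self.suppression_list: Set[str] = set()  # addresses that must never be mailed

    # --- normal delete: soft delete into the recycle bin -------------------
    def delete(self, email: str, now: datetime) -> None:
        self.contacts[email].deleted_at = now

    def undelete(self, email: str, now: datetime) -> bool:
        c = self.contacts.get(email)
        if c is None or c.deleted_at is None:
            return False
        if now - c.deleted_at > timedelta(days=RECYCLE_BIN_DAYS):
            return False  # window has passed; purge_expired will remove it
        c.deleted_at = None
        return True

    def purge_expired(self, now: datetime) -> List[str]:
        """Permanently remove everything binned for more than 30 days."""
        expired = [e for e, c in self.contacts.items()
                   if c.deleted_at is not None
                   and now - c.deleted_at > timedelta(days=RECYCLE_BIN_DAYS)]
        for e in expired:
            del self.contacts[e]  # data fields and insight data go with the record
        return expired

    def purge_now(self, email: str) -> None:
        """Permanent delete from the recycle bin before the 30 days are up."""
        if self.contacts[email].deleted_at is None:
            raise ValueError("contact is not in the recycle bin")
        del self.contacts[email]

    # --- suppressed delete: erase the data, keep only the address ----------
    def delete_suppressed(self, email: str) -> None:
        c = self.contacts[email]
        if not c.suppressed:
            raise ValueError("use delete() for a contact who is not suppressed")
        del self.contacts[email]           # all personal data gone ...
        self.suppression_list.add(email)   # ... except the address, so she stays unmailable

    def import_contact(self, email: str, **data_fields: str) -> Contact:
        """Import path: a retained suppressed address comes back suppressed."""
        c = Contact(email=email, data_fields=dict(data_fields),
                    suppressed=email in self.suppression_list)
        self.contacts[email] = c
        return c

    def mailable(self) -> List[str]:
        return sorted(e for e, c in self.contacts.items()
                      if c.deleted_at is None and not c.suppressed)


def demo() -> dict:
    """Walk both deletion paths on two constructed contacts and report what survives."""
    t0 = datetime(2018, 5, 1)
    store = ContactStore()
    store.import_contact("ann@example.com", name="Ann")
    store.contacts["ann@example.com"].insight_data["orders"] = 3
    store.import_contact("bob@example.com", name="Bob")
    store.contacts["bob@example.com"].suppressed = True  # e.g. unsubscribed

    store.delete("ann@example.com", t0)
    restored = store.undelete("ann@example.com", t0 + timedelta(days=10))
    store.delete("ann@example.com", t0)
    purged_day_30 = store.purge_expired(t0 + timedelta(days=30))  # not yet
    purged_day_31 = store.purge_expired(t0 + timedelta(days=31))  # gone

    store.delete_suppressed("bob@example.com")
    bob_again = store.import_contact("bob@example.com", name="Robert")
    return {
        "restored": restored,
        "purged_day_30": purged_day_30,
        "purged_day_31": purged_day_31,
        "bob_suppressed_after_reimport": bob_again.suppressed,
        "bob_old_data_retained": bob_again.data_fields.get("name") == "Bob"
                                 or bool(bob_again.insight_data),
        "mailable": store.mailable(),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the asymmetry the post describes: after `delete_suppressed`, the store holds nothing about Bob but his address, yet a later import of that address is still marked suppressed, so a careless re-upload cannot put him back on a mailing list. Whether keeping the bare address satisfies an erasure request in your jurisdiction is a question for your own advisers.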


Exporting

Export contact data

Up until now, exporting a contact meant exporting an address book they were in. This would give you the data held in your data fields (along with that of every other contact in the address book – which probably wasn’t what you wanted).

Exporting a contact is now easier and more complete. You can export an individual contact from the contact editor, and exports now additionally contain all Insight data you hold for them. This means that when you export a contact, you’ll now get a zip file with everything from the Email area of dotmailer – which will also be in a usable format for GDPR ‘Subject Access Requests’, should you need to fulfil one.

Note that if you have data held in the other areas of dotmailer (surveys and forms, SMS or transactional email) you’ll still have to export that separately.

Individual contact exports will also be kept for seven days in your export area, just like bulk exports.


More on the GDPR

Whether you’re in the midst of preparing for the GDPR, or if you’re yet to start, we have lots of articles to help you get ready. Check them all out here.

The post Changes to how you export and delete contacts in advance of the GDPR appeared first on The Marketing Automation Blog.

Reblogged 5 days ago from blog.dotmailer.com

What is this GDPR anyway?

Whenever GDPR comes up, I like to gauge the knowledge in the room by asking things like:

  • “Who has heard of GDPR?”
  • “Can anybody tell me what the letters stand for?”
  • “What do they think it will mean for their business?”

I was quite surprised that not everybody had even heard of GDPR. We recently published a series of four blogs on the twelve things you should be thinking about now to get ready for GDPR. If you are one of those who have not heard of GDPR however, keep calm and read on.

The basics

The GDPR or General Data Protection Regulation replaces the Data Protection Directive enacted in 1995. According to IBM, 90% of all of the data ever created in the history of the world has been created in the past two years. So, it is easy to see how a regulatory framework developed in the early 90s could be a little out of date.

These new regulations will come into force on 25th May 2018 and will apply to all companies processing the personal data of people living in Europe. The law applies to all businesses regardless of where they are based, which inevitably leads to the question: “what about Brexit?” First, the government has stated and reaffirmed numerous times that GDPR will become the data protection regulation for the UK after Brexit. Additionally, if you’ve done your maths, you have already figured out that the UK will still be in the EU in May 2018.

Who needs to think about GDPR

As I said above, these new regulations apply to any company processing data of people who live in the EU. In other words, like the Data Protection Directive, that’s all data controllers who hold and process data on people living in Europe or, to put it another way, you. Unlike the previous regime, however, the GDPR lifts the data processor’s veil. Under the old regime, data processors were protected as long as they were following the instructions of the data controllers. The GDPR also includes data processors; in other words, us.

Personal data

Similar to the Data Protection Directive, the GDPR only applies to personal data, but it extends the definition of personal data to include things like online identifiers, location data and advertising IDs. The GDPR also defines ‘special categories of personal data’ which are particularly sensitive, such as genetic data. Most email marketers will not have genetic data on their database, but the special categories also include biometric data, which could become more prevalent in marketing databases as we find ever better ways to use VR for marketing and entertainment.

Data processing principles

The Data Protection Directive set out a set of principles for processing personal data which are largely unchanged in GDPR. The new regulations do add some detail to these principles as well as add a new principle around accountability. This new accountability principle requires you to not only comply with the data processing principles laid out in the GDPR, but also show ‘how’ you comply with the principles.

The principles laid out in Article 5 of the GDPR state that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes and not processed in a way that is incompatible with this
  • Adequate, relevant and limited to what is necessary
  • Accurate and kept up to date
  • Kept in a form which permits the identification of the data subject for no longer than necessary
  • Processed in a manner that ensures appropriate security for the data
  • The controller shall be responsible for and able to demonstrate compliance with the principles

Rights of the individual

The GDPR is an evolution rather than a revolution in data privacy regulation, and this applies to how it defines the rights of individuals. Most of the rights stay the same; some are strengthened, and there are some new ones as well. The individual rights are to:

  • Be informed about what data is collected, how it will be used and how it will be kept safe
  • Have access to the data stored on them
  • Correct any inaccuracies in the data
  • Erase the data when they don’t want to maintain a relationship with that brand
  • Restrict the processing of their data
  • Obtain and reuse their data across different services
  • Object to the processing of their data
  • Not be subject to certain automated decision making and profiling

Conclusion

There you have it – a whistle-stop tour of the GDPR. If you are curious as to what you should think about next, I encourage you to read our four-part blog series on the twelve things you should think about now:

The post What is this GDPR anyway? appeared first on The Email Marketing Blog.

Reblogged 4 months ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 4 of 4)

In Part 1 we covered raising awareness, data audits and privacy notices. In Part 2 we covered how the GDPR deals with individuals’ rights, including subject access requests and legal basis. In the last instalment, we reviewed consent, marketing to children and data breaches. The last three things to think about are data protection impact assessments, data protection officers and international considerations.

10. Data Protection Impact Assessments

It has always been best practice to take a privacy-by-design approach when developing your data capture and processing strategies, as well as a key part of any technology implementation. Privacy impact assessments are fundamental to this approach by giving marketers a useful tool to consider properly the privacy risks that their data processing entails. All the GDPR does here is make privacy by design an express legal requirement and makes PIAs (renamed in the regulations as Data Protection Impact Assessment or DPIA) a requirement under certain circumstances where the data processing is likely to result in high risk to the data subjects such as:

  • where new technology is being deployed
  • where a processing activity is likely to significantly impact individuals
  • where there is large-scale processing on special categories of data

For most marketers, it will be the first two circumstances that are most likely to trigger a DPIA, but it is important to know what the special categories of data are in case you process them in the future.

In many if not most situations, the DPIA will indicate that the processing of the data is not high risk or if it is high risk, you will be able to address those risks. If you cannot mitigate the risk, you should contact the ICO for guidance on whether processing the data will comply with GDPR.

If you haven’t already, you should start to assess whether any DPIAs are warranted within your organisation, who will lead them and who else needs to be involved. There is great guidance published by both the UK ICO and the Article 29 Working Party on DPIAs and privacy by design.

11. Data Protection Officers

US President Harry S. Truman had a sign on his desk that read “the buck stops here.” It was his assurance that he was ultimately responsible for how the government operated under his administration. Historically when it comes to data, the buck has not stopped anywhere due to the way that the collection and processing of data has grown organically within businesses and other organisations. I was speaking with one head of CRM recently who told me of the over 80 marketing databases that they currently have. It is going to come down to this CRM manager to get all of that data into a single place.

Every organisation should designate someone to “take the data buck” – to be ultimately responsible for data privacy and compliance. You should also have a think about where this role of Data Protection Officer (DPO) sits within the organisation and overall governance structures so that the person in this role has the freedom to act, should the need arise. In many instances, the GDPR has overcome this by specifying situations where a DPO is required such as:

  • public authorities
  • organisations that carry out large scale, regular and systematic monitoring of individuals
  • organisations that carry out large scale processing of special categories of data

Whoever the designated DPO is, it is important that they have the knowledge, support and authority to carry out their role effectively. The Article 29 Working Party has some good guidance on the roles and responsibilities of a DPO.

12. International Considerations

The first thing to remember here is that Brexit will have little to no impact on GDPR. The government has confirmed on multiple occasions including as recently as the Queen’s Speech on 21st of June 2017, that GDPR will be the data protection law in the UK going forward. Moreover, the UK will still be an EU member when the law goes into effect on the 25th of May 2018.

If you operate in multiple EU member states, then you should determine which would be your lead data regulator. This is not meant to be a way to be under the auspices of the most favourable regulator. Your lead regulator should be the state where your central administration in the EU is based or the location where decisions about your data processing are taken. You can do this by mapping out where you take your data processing decisions and the country with the preponderance of those decisions is the one you should choose. If on the other hand you are not engaged in any cross border data processing, then your decision here is quite straightforward. Once again, the Article 29 Working Party has produced some guidance that will help you make the correct decision.

Conclusion

As I said at the beginning of part 1, data recently released by the DMA indicates that marketers are feeling less prepared for GDPR than they did in February. Marketers are also feeling less knowledgeable about GDPR in general and their four big concerns are:

  1. Consent
  2. Legacy Data
  3. Implementing a compliant system
  4. Profiling

I hope that this blog series has gone a little way to making you feel more prepared or at least has given you some things to think about and some things to start discussing internally. Over the coming weeks and months, dotmailer will be publishing useful guidance from recognised sources geared towards email marketers. Our approach is to keep our readers up to speed based on facts directly from this reputable guidance or vetted by the UK or other data regulators around Europe. In addition, our teams will be ready to help you implement the advice you receive from your professional advisors within the dotmailer environment.

The post GDPR – 12 months to go, 12 things to think about (Part 4 of 4) appeared first on The Email Marketing Blog.

Reblogged 4 months ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 3 of 4)

In Part 1 we covered raising awareness, data audits and privacy notices. In Part 2 we covered how the GDPR deals with individuals’ rights, including subject access requests and legal basis. In this week’s instalment, we will be reviewing consent, marketing to children and data breaches.

7. Consent

Under the Privacy and Electronic Communications Regulations, email marketing is consent-based. GDPR however, more fully defines how to get consent with the following stipulations:

  • Must be freely given – giving people genuine choice and control over how you use their data and “unbundling” consent from other terms and conditions; in other words, consent cannot be a precondition for a service unless it is necessary to deliver the service.
  • Specific – clearly explain exactly what people are consenting to in a way they can easily understand (i.e. not with a load of legal mumbo jumbo) and in a way that does not disrupt the user experience.
  • Informed – clearly identify yourself as the data controller, identify each processing operation you will be performing, collect separate consent for each unless this would be “unduly disruptive or confusing”, describe the reason behind each data processing operation, and notify people of their right to withdraw consent at any time.
  • Unambiguous – it must be clear that the person has consented and what they have consented to with an affirmative action (i.e. no pre-checked boxes). Therefore, silence would not be a valid form of consent.

In the last instalment, we talked about deciding on the legal basis you will use to process your marketing data. Consent is not your only option. That said, it is always a good idea to know the source of all of your data, how that data flows through your various systems and what consent you have for the processing of that data. The ICO has published detailed guidance on consent and has produced a consent checklist to help you review your current practices.

8. Children

For the first time, the GDPR specifically calls out the rights of children and offers special protection for their personal data in the digital world. If you offer what the GDPR calls “information society services” to children and you rely on consent to process their data, you may have to get the permission of the parent or guardian before processing that child’s data. The GDPR sets the age at which a child can consent for themselves at 16, but the UK may lower this to 13. One interesting thing to note is that the parent or guardian’s consent expires when the child reaches the age at which they can give consent, so you will have to refresh their consent at that milestone.

9. Data Breaches

The GDPR makes it the responsibility of all organisations to issue notifications for certain types of data breaches. You will have to notify the ICO if the breach is likely to impinge on the rights and freedoms of individuals such as financial loss, loss of confidentiality or significant economic or social harm. If this risk is high you may also have to notify the individual directly. Now is the time to think about your policies and procedures for identifying and managing data breaches.

So far, we have given you a lot to think about and we hope you have gotten started. Check back soon for our last instalment, where we will look at privacy by design, data protection officers and international considerations.

The post GDPR – 12 months to go, 12 things to think about (Part 3 of 4) appeared first on The Email Marketing Blog.

Reblogged 5 months ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 2 of 4)

In Part 1, we covered raising awareness, data audits and privacy notices.

4.    Individuals’ Rights

Just ‘getting ready’ for GDPR is not going to be good enough, because you may also have to prove to the regulator that you are ready for GDPR. One critical proof point will be the decisions you make in getting ready for GDPR, as well as what you will do going forward after its implementation. Get in the habit now of documenting all of your decisions and the deliberations that went into them (more on this under the Protection by Design section). You will also need clearly defined and documented policies and procedures to comply with GDPR. These cannot be the kind of documents that are written and then live in a cupboard just in case something goes wrong; rather, they need to be distributed to staff in a useful format with corresponding training so that the processes become habit within your organisation.

One area that is very well suited to this is protecting individuals’ rights. Most of the rights under the GDPR are not that different from those under the DPA, but now is a good time to ensure that you have your documentation in order. It is also a good time to ensure that your procedures will be compliant around things like correcting data and subject access requests.

5.    Subject Access Requests

While we are on the topic of subject access requests, these are changing under the GDPR. First, the downside: you will no longer be able to charge for these, and you will have to reply within 30 rather than 40 days. You will also have to provide some metadata along with the data subject’s own data, such as your data retention periods and many of the other things covered under the notices provision.

The good news is that you can charge for or refuse excessive requests (too frequent) and you can ask the data subject to specify the data they are looking for if you process large amounts of data. You will also be able to provide the data electronically in many cases.

6.    Legal Basis

Under the GDPR, the legal basis for processing data is all-important because individuals’ rights can change depending on the legal basis you determine for processing the data. It will be important for businesses to balance the requirements of consent and the legitimate interests that the GDPR provides for. The other legal basis that many email marketers will rely on is processing the data with the subject’s consent.

That puts us halfway through the twelve things you should be thinking about to prepare for GDPR. Check back soon for the next two instalments.

Editor’s note: The materials and information above are not intended to convey or constitute legal advice. You should seek your own advice specific to your business’s requirements.

The post GDPR – 12 months to go, 12 things to think about (Part 2 of 4) appeared first on The Email Marketing Blog.

Reblogged 6 months ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 1 of 4)

So, here we are. There are less than 12 months to go to the implementation date of the new General Data Protection Regulation (GDPR) on 25th May 2018.

It would be great to say that all UK businesses are well on their way to being ready, but data from the DMA released at an event this morning tells a different story.

Marketers are feeling less confident about GDPR than they did in February when 68% of businesses said they were ‘on course’ or ‘ahead’ of plans to be GDPR compliant by May 2018. Since that survey, the ICO and the Article 29 Working Party have issued both guidance and discussion documents bringing businesses greater clarity around what GDPR compliance will entail. This greater clarity has caused respondents to reassess their positions:

  • Only 55% of companies feel they are now ‘on course’ or ‘ahead’ of plans to meet the May 2018 deadline.
  • Marketers’ perception of their knowledge as ‘good’ rather than ‘basic’ has slipped from 66% to 59%.
  • Marketers’ sense of being ‘extremely’ or ‘somewhat’ prepared has fallen from 71% to 61%.

What has not changed is marketers’ four big GDPR-related concerns:

  1. Consent
  2. Legacy Data
  3. Implementing a compliant system
  4. Profiling

So what should you be thinking about? Here are 12 things to get you started.

  1. Awareness

If you are the only person in your organization that is thinking about GDPR, you could be in big, big trouble. This is a major change to the legislative regime in which your business operates, so not only do key people need to be made aware of the revisions your business will need to make, they also need to be made to care.

As one of the speakers at this morning’s DMA event pointed out, good data practitioners already have the proper use of data on their radar; much of what the GDPR contains could therefore be considered business as usual. By stressing that this data attention is now in favor of helping the business comply with the new GDPR regulations, you may be able to obtain more budget for your undertaking.

While I am sure this is true in some cases, I know that for many companies, GDPR will represent a radical change in how they do business. It is critical that senior management is made aware of the impact sooner rather than later and that all members of staff are trained and brought up to speed on the changes over the next twelve months.

  2. Data Audit

While you are running your internal PR campaign, you can also be talking to all of the people that have databases squirrelled away here, there and everywhere; these will need to be examined. Among other things, you need to fully document:

  • What data you hold
  • Where you obtained it
  • When it was acquired
  • How often it is updated
  • All of the places it is stored within your organization
  • How the data flows from one place to another
  • Who has access to the data throughout its journey
  • How it is stored
  • Where it is stored
  • The retention policy for each datum

  3. Privacy Notices

One of the things that will most likely have to change for most UK businesses under GDPR is their privacy notices. Being open, honest and transparent with consumers about what data you are collecting, why, how you will be using it, and how you will take care of it has been a core principle of data protection law since the original Data Protection Act of 1998. What has changed, however, is that the legislators feel that data owners have not always done this to the best of their ability. They have therefore given us more detailed instructions as to what openness, honesty and transparency entails in practice. The Information Commissioner’s Office (ICO) has released a great code of practice on privacy notices.


Check back next week to read items 4-12 of the 12 things to think about before GDPR 2018.

The post GDPR – 12 months to go, 12 things to think about (Part 1 of 4) appeared first on The Email Marketing Blog.

Reblogged 6 months ago from blog.dotmailer.com