GDPR – 12 months to go, 12 things to think about (Part 4 of 4)

In Part 1 we covered raising awareness, data audits and privacy notices, while in Part 2 we covered how GDPR deals with individuals’ rights including subject access requests and legal basis. In the last instalment, we reviewed consent, marketing to children and data breaches. The last three things to think about are data protection impact assessments, data protection officers and international considerations.

10. Data Protection Impact Assessments

It has always been best practice to take a privacy-by-design approach when developing your data capture and processing strategies, and as a key part of any technology implementation. Privacy impact assessments (PIAs) are fundamental to this approach, giving marketers a useful tool to consider properly the privacy risks that their data processing entails. All the GDPR does here is make privacy by design an express legal requirement and make PIAs (renamed in the regulations as Data Protection Impact Assessments, or DPIAs) a requirement under certain circumstances where the data processing is likely to result in high risk to the data subjects, such as:

  • where new technology is being deployed
  • where a processing activity is likely to significantly impact individuals
  • where there is large-scale processing on special categories of data

For most marketers, the first two circumstances are the most likely to trigger a DPIA, but it is important to know the special categories of data in case they become relevant in the future.

In many if not most situations, the DPIA will indicate that the processing of the data is not high risk or if it is high risk, you will be able to address those risks. If you cannot mitigate the risk, you should contact the ICO for guidance on whether processing the data will comply with GDPR.

If you haven’t already, you should start to assess whether any DPIAs are warranted within your organisation, who will lead them and who else needs to be involved. There is great guidance published by both the UK ICO and the Article 29 Working Party on DPIAs and privacy by design.

11. Data Protection Officers

US President Harry S. Truman had a sign on his desk that read “the buck stops here.” It was his assurance that he was ultimately responsible for how the government operated under his administration. Historically when it comes to data, the buck has not stopped anywhere due to the way that the collection and processing of data has grown organically within businesses and other organisations. I was speaking with one head of CRM recently who told me of the over 80 marketing databases that they currently have. It is going to come down to this CRM manager to get all of that data into a single place.

Every organisation should designate someone to “take the data buck” – to be ultimately responsible for data privacy and compliance. You should also have a think about where this role of Data Protection Officer (DPO) sits within the organisation and overall governance structures so that the person in this role has the freedom to act, should the need arise. In many instances, the GDPR has overcome this by specifying situations where a DPO is required such as:

  • public authorities
  • organisations that carry out large scale, regular and systematic monitoring of individuals
  • organisations that carry out large scale processing of special categories of data

Whoever the designated DPO is, it is important that they have the knowledge, support and authority to carry out their role effectively. The Article 29 Working Party has some good guidance on the roles and responsibilities of a DPO.

12. International Considerations

The first thing to remember here is that Brexit will have little to no impact on GDPR. The government has confirmed on multiple occasions including as recently as the Queen’s Speech on 21st of June 2017, that GDPR will be the data protection law in the UK going forward. Moreover, the UK will still be an EU member when the law goes into effect on the 25th of May 2018.

If you operate in multiple EU member states, then you should determine which would be your lead data regulator. This is not meant to be a way to be under the auspices of the most favourable regulator. Your lead regulator should be the state where your central administration in the EU is based or the location where decisions about your data processing are taken. You can do this by mapping out where you take your data processing decisions and the country with the preponderance of those decisions is the one you should choose. If on the other hand you are not engaged in any cross border data processing, then your decision here is quite straightforward. Once again, the Article 29 Working Party has produced some guidance that will help you make the correct decision.

Conclusion

As I said at the beginning of part 1, data recently released by the DMA indicates that marketers are feeling less prepared for GDPR than they did in February. Marketers are also feeling less knowledgeable about GDPR in general and their four big concerns are:

  1. Consent
  2. Legacy Data
  3. Implementing a compliant system
  4. Profiling

I hope that this blog series has gone a little way to making you feel more prepared or at least has given you some things to think about and some things to start discussing internally. Over the coming weeks and months, dotmailer will be publishing useful guidance from recognised sources geared towards email marketers. Our approach is to keep our readers up to speed based on facts directly from this reputable guidance or vetted by the UK or other data regulators around Europe. In addition, our teams will be ready to help you implement the advice you receive from your professional advisors within the dotmailer environment.

The post GDPR – 12 months to go, 12 things to think about (Part 4 of 4) appeared first on The Email Marketing Blog.

Reblogged 1 month ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 3 of 4)

In Part 1 we covered raising awareness, data audits and privacy notices, while in Part 2 we covered how GDPR deals with individuals’ rights including subject access requests and legal basis. In this week’s installment, we will be reviewing consent, marketing to children and data breaches.

7. Consent

Under the Privacy and Electronic Communications Regulations, email marketing is consent-based. GDPR however, more fully defines how to get consent with the following stipulations:

  • Must be freely given – giving people genuine choice and control over how you use their data and “unbundling” consent from other terms and conditions; in other words, consent cannot be a precondition for a service unless it is necessary to deliver the service.
  • Specific – clearly explain exactly what people are consenting to in a way they can easily understand (i.e. not with a load of legal mumbo jumbo) and in a way that does not disrupt the user experience.
  • Informed – clearly identify yourself as the data controller, identify each processing operation you will be performing, collect separate consent for each unless this would be “unduly disruptive or confusing”, describe the reason behind each data processing operation, and notify people of their right to withdraw consent at any time.
  • Unambiguous – it must be clear that the person has consented and what they have consented to with an affirmative action (i.e. no pre-checked boxes). Therefore, silence would not be a valid form of consent.

In the last instalment, we talked about deciding on the legal basis you will use to process your marketing data. Consent is not your only option. That said, it is always a good idea to know the source of all of your data, how that data flows through your various systems and what consent you have for the processing of that data. The ICO has published detailed guidance on consent and has produced a consent checklist to help you review your current practices.

8. Children

For the first time, the GDPR specifically calls out the rights of children and offers special protection for their personal data in the digital world. If you offer what the GDPR calls “information society services” to children and you rely on consent to process their data, you may have to get the permission of the parent or guardian before processing that child’s data. The GDPR set the age at which a child can consent for themselves at 16 but the UK may lower this to 13. One interesting thing to note is that the parent or guardian’s consent expires when the child reaches the age at which they can give consent, so you will have to refresh their consent at that milestone.

9. Data Breaches

The GDPR makes it the responsibility of all organisations to issue notifications for certain types of data breaches. You will have to notify the ICO if the breach is likely to impinge on the rights and freedoms of individuals such as financial loss, loss of confidentiality or significant economic or social harm. If this risk is high you may also have to notify the individual directly. Now is the time to think about your policies and procedures for identifying and managing data breaches.

So far, we have given you a lot to think about and we hope you have gotten started. Check back soon for our last instalment where we will look at privacy by design, data protection officers and international considerations.

The post GDPR – 12 months to go, 12 things to think about (Part 3 of 4) appeared first on The Email Marketing Blog.

Reblogged 1 month ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 2 of 4)

In Part 1, we covered raising awareness, data audits and privacy notices.

4. Individuals’ Rights

Just ‘getting ready’ for GDPR is not going to be good enough because you may also have to prove to the regulator that you are ready for GDPR. One critical proof point will be the decisions you make in getting ready for GDPR, as well as what you will do going forward after its implementation. Get in the habit now of documenting all of your decisions and the deliberations that went into them (more on this under the Protection by Design section). You will also have clearly defined and documented policies and procedures to comply with GDPR. These cannot be the kind of documents that are written and then live in a cupboard just in case something goes wrong, but rather they need to be distributed to staff in a useful format with comparable training so that the processes become habit within your organisation.

One area that is very well suited to this is protecting individuals’ rights. Most of the rights under GDPR are not that different than under the DPA, but now is a good time to ensure that you have your documentation in order. It is also a good time to ensure that your procedures will be compliant around things like correcting data and subject access requests.

5. Subject Access Requests

While we are on the topic of Subject Access requests, these are changing under GDPR. First, the down side; you will no longer be able to charge for these and you will have to reply within 30 rather than 40 days. You will also have to provide some metadata along with the data subject’s own data, such as your data retention periods and many of the other things covered under the notices provision.

The good news is that you can charge for or refuse excessive requests (too frequent) and you can ask the data subject to specify the data they are looking for if you process large amounts of data. You will also be able to provide the data electronically in many cases.

6. Legal Basis

Under the GDPR, the legal basis for processing data is all-important because individuals’ rights can change depending on the legal basis you determine for processing the data. It will be important for businesses to balance the requirements of consent and the legitimate interests that the GDPR provides for. The other legal basis that many email marketers will rely on is processing the data with the subject’s consent.

That puts us half way through the twelve things you should be thinking about to prepare for GDPR. Check back soon for the next two installments.

Editor’s note: The materials and information above are not intended to convey or constitute legal advice. You should seek your own advice specific to your business’ requirements.

The post GDPR – 12 months to go, 12 things to think about (Part 2 of 4) appeared first on The Email Marketing Blog.

Reblogged 2 months ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 1 of 4)

So, here we are. There are less than 12 months to go to the implementation date of the new General Data Protection Regulations (GDPR) on 25th May 2018.

It would be great to say that all UK businesses are well on their way to being ready, but data from the DMA released at an event this morning tells a different story.

Marketers are feeling less confident about GDPR than they did in February when 68% of businesses said they were ‘on course’ or ‘ahead’ of plans to be GDPR compliant by May 2018. Since that survey, the ICO and the Article 29 Working Party have issued both guidance and discussion documents bringing businesses greater clarity around what GDPR compliance will entail. This greater clarity has caused respondents to reassess their positions:

  • Only 55% of companies feel they are now ‘on course’ or ‘ahead’ of plans to meet the May 2018 deadline.
  • Marketers’ perception of their knowledge as ‘good’ rather than ‘basic’ has slipped from 66% to 59%.
  • Marketers’ sense of being ‘extremely’ or ‘somewhat’ prepared has fallen from 71% to 61%.

What has not changed is marketers’ four big GDPR-related concerns:

  1. Consent
  2. Legacy Data
  3. Implementing a compliant system
  4. Profiling

So what should you be thinking about? Here are 12 things to get you started.

1. Awareness

If you are the only person in your organization that is thinking about GDPR, you could be in big, big trouble. This is a major change to the legislative regime in which your business operates, so not only do key people need to be made aware of the revisions your business will need to make, they also need to be made to care.

As one of the speakers at this morning’s DMA event pointed out, good data practitioners already have the proper use of data on their radar; much of what the GDPR contains could therefore be considered business as usual. By stressing that this data attention is now in favor of helping the business comply with the new GDPR regulations, you may be able to obtain more budget for your undertaking.

While I am sure this is true in some cases, I know that for many companies, GDPR will represent a radical change in how they do business. It is critical that senior management is made aware of the impact sooner rather than later and that all members of staff are trained and brought up to speed on the changes over the next twelve months.

2. Data Audit

While you are running your internal PR campaign, you can also be talking to all of the people that have databases squirrelled away here, there and everywhere; these will need to be examined. Among other things, you need to fully document:

  • What data you hold
  • Where you obtained it
  • When it was acquired
  • How often it is updated
  • All of the places it is stored within your organization
  • How the data flows from one place to another
  • Who has access to the data throughout its journey
  • How it is stored
  • Where it is stored
  • The retention policy for each datum

3. Privacy Notices

One of the things that will most likely have to change for most UK businesses under GDPR is their privacy notices. Being open, honest and transparent with consumers about what data you are collecting, why, how you will be using it, and how you will take care of it has been a core principle of data protection law since the original Data Protection Act of 1998. What has changed, however, is that the legislators feel that data owners have not always done this to the best of their ability. They have therefore given us more detailed instructions as to what openness, honesty and transparency entails in practice. The Information Commissioner’s Office (ICO) has released a great code of practice on privacy notices.

 

Check back next week to read 4-12 of 12 things to think about before GDPR 2018.

The post GDPR – 12 months to go, 12 things to think about (Part 1 of 4) appeared first on The Email Marketing Blog.

Reblogged 2 months ago from blog.dotmailer.com

What’s new: Changes to the things you use every day

As a Product Manager, I spend a lot of time thinking about how I can make our big releases impact you in the best way possible. Our next big release is in February and will contain a number of great new things for our customers who sell (online or otherwise).

But we haven’t only been working on improvements for those of you with shops. We’ve been looking at how you create campaigns – any campaigns – from conception through to editing. And rather than make you wait until February, we’re launching them today. Here’s what’s changed.

Drag and drop template uploader

When you come to upload a template (or a one-off campaign), you’ll notice we’ve replaced the old interface with a drag and drop canvas. You can now drag files from anywhere on your computer straight into dotmailer (although you can click and select too if you find that easier). What’s more, you can drag in as many files as you like, as often as you like. It’s also lightning fast. Tip: try dragging in a zip file, too!

Campaign details with added emojis 😲👍👏

Subject lines. The first thing your contacts see. Proven to increase (or decrease) open rates. We think they’re so important, we’ve redesigned the ‘campaign details’ page to help you come up with subject lines that win.

You can now – finally – add emojis using the searchable picker. Combined with your skills and the personalization picker, your subject lines can now be expertly written, personalized and eye catching.

We’ve also improved the preview window that gives you an example of how your campaign details will look when your email arrives in an inbox. No, we didn’t much like the blue Outlook panel either, so it’s gone and been replaced with an inbox mock-up.

A clearer, cleaner EasyEditor

We’ve changed the building blocks in EasyEditor from pink to grey. Well, we’ve done a lot more than that, but that’s the most noticeable change. We also studied how you interacted with blocks, noticed some old design decisions that could be way better, and improved them.

For example, the header bar that contained the move, copy and delete tools would sometimes be inside a block, and sometimes outside. We knew why this was, but it turned out you didn’t, and it was just plain annoying. And why was the drag area so small? And why was it you couldn’t always see what type of block was selected? We’ve fixed all these things – and more – to create an easier, more consistent experience.

You’ll also notice the new blocks in our segment and landing page editor, too.

And more…

Finally, we’ve tweaked the Settings menu slightly to prepare for more changes later this month. In particular, your users, API users and transactional email users are now found under the ‘Access’ option.

The post What’s new: Changes to the things you use every day appeared first on The Email Marketing Blog.

Reblogged 7 months ago from blog.dotmailer.com

Meet Dan Morris, Executive Vice President, North America

  1. Why did you decide to come to dotmailer?

The top three reasons were People, Product and Opportunity. I met the people who make up our business and heard their stories from the past 18 years, learned about the platform and market leading status they had built in the UK, and saw that I could add value with my U.S. high growth business experience. I’ve been working with marketers, entrepreneurs and business owners for years across a series of different roles, and saw that I could apply what I’d learned from that and the start-up space to dotmailer’s U.S. operation. dotmailer has had clients in the U.S. for 12 years and we’re positioned to grow the user base of our powerful and easy-to-use platform significantly. I knew I could make a difference here, and what closed the deal for me was the people.  Every single person I’ve met is deeply committed to the business, to the success of our customers and to making our solution simple and efficient.  We’re a great group of passionate people and I’m proud to have joined the dotfamily.

Dan Morris, dotmailer’s EVP for North America in the new NYC office

  1. Tell us a bit about your new role

dotmailer has been in business and in this space for more than 18 years. We were a web agency, then a Systems Integrator, and we got into the email business that way, ultimately building the dotmailer platform thousands of people use daily. This means we know this space better than anyone and we have the perfect solutions to align closely with our customers and the solutions flexible enough to grow with them.  My role is to take all that experience and the platform and grow our U.S. presence. My early focus has been on identifying the right team to execute our growth plans. We want to be the market leader in the U.S. in the next three years – just like we’ve done in the UK –  so getting the right people in the right spots was critical.  We quickly assessed the skills of the U.S. team and made changes that were necessary in order to provide the right focus on customer success. Next, we set out to completely rebuild dotmailer’s commercial approach in the U.S.  We simplified our offers to three bundles, so that pricing and what’s included in those bundles is transparent to our customers.  We’ve heard great things about this already from clients and partners. We’re also increasing our resources on customer success and support.  We’re intensely focused on ease of on-boarding, ease of use and speed of use.  We consistently hear how easy and smooth a process it is to use dotmailer’s tools.  That’s key for us – when you buy a dotmailer solution, we want to onboard you quickly and make sure you have all of your questions answered right away so that you can move right into using it.  Customers are raving about this, so we know it’s working well.

  1. What early accomplishments are you most proud of from your dotmailer time so far?

I’ve been at dotmailer for eight months now and I’m really proud of all we’ve accomplished together.  We spent a lot of time assessing where we needed to restructure and where we needed to invest.  We made the changes we needed, invested in our partner program, localized tech support, customer on-boarding and added customer success team members.  We have the right people in the right roles and it’s making a difference.  We have a commercial approach that is clear with the complete transparency that we wanted to provide our customers.  We’ve got a more customer-focused approach and we’re on-boarding customers quickly so they’re up and running faster.  We have happier customers than ever before and that’s the key to everything we do.

  1. You’ve moved the U.S. team to a new office. Can you tell us why and a bit about the new space?

I thought it was very important to create a NY office space that was tied to branding and other offices around the world, and also had its own NY energy and culture for our team here – to foster collaboration and to have some fun.  It was also important for us that we had a flexible space where we could welcome customers, partners and resellers, and also hold classes and dotUniversity training sessions. I’m really grateful to the team who worked on the space because it really reflects our team and what we care about.   At any given time, you’ll see a training session happening, the team collaborating, a customer dropping in to ask a few questions or a partner dropping in to work from here.  We love our new, NYC space.

We had a spectacular reception this week to celebrate the opening of this office with customers, partners and the dotmailer leadership team in attendance. Please take a look at the photos from our event on Facebook.

Guests and the team at dotmailer’s new NYC office warming party

  1. What did you learn from your days in the start-up space that you’re applying at dotmailer?

The start-up space is a great place to learn. You have to know where every dollar is going and coming from, so every choice you make needs to be backed up with a business case for that investment.  You try lots of different things to see if they’ll work and you’re ready to turn those tactics up or down quickly based on an assessment of the results. You also learn things don’t have to stay the way they are, and can change if you make them change. You always listen and learn – to customers, partners, industry veterans, advisors, etc. to better understand what’s working and not working.  dotmailer has been in business for 18 years now, and so there are so many great contributors across the business who know how things have worked and yet are always keen to keep improving.  I am constantly in listening and learning mode so that I can understand all of the unique perspectives our team brings and what we need to act on.

  1. What are your plans for the U.S. and the sales function there?

On our path to being the market leader in the U.S., I’m focused on three things going forward: 1 – I want our customers to be truly happy.  It’s already a big focus in the dotmailer organization – and we’re working hard to understand their challenges and goals so we can take product and service to the next level. 2 – Creating an even more robust program around partners, resellers and further building out our channel partners to continuously improve sales and customer service programs. We recently launched a certification program to ensure partners have all the training and resources they need to support our mutual customers.  3 – We have an aggressive growth plan for the U.S. and I’m very focused on making sure our team is well trained, and that we remain thoughtful and measured as we take the steps to grow.  We want to always keep an eye on what we’re known for – tools that are powerful and simple to use – and make sure everything else we offer remains accessible and valuable as we execute our growth plans.

  1. What are the most common questions that you get when speaking to a prospective customer?

The questions we usually get are around price, service level and flexibility.  How much does dotmailer cost?  How well are you going to look after my business?  How will you integrate into my existing stack and then my plans for future growth? We now have three transparent bundle options with specifics around what’s included published right on our website.  We have introduced a customer success team that’s focused only on taking great care of our customers and we’re hearing stories every day that tell me this is working.  And we have all of the tools to support our customers as they grow and to also integrate into their existing stacks – often integrating so well that you can use dotmailer from within Magento, Salesforce or Dynamics, for example.

  1. Can you tell us about the dotmailer differentiators you highlight when speaking to prospective customers that seem to really resonate?

In addition to the ones above – ease of use, speed of use and the ability to scale with you. With dotmailer’s tiered program, you can start with a lighter level of functionality and grow into more advanced functionality as you need it. The platform itself is so easy to use that most marketers are able to build campaigns in minutes that would have taken hours on other platforms. Our customer success team is also with you all the way if ever you want or need help.  We’ve built a very powerful platform and we have a fantastic team to help you with personalized service as an extended part of your team and we’re ready to grow with you.

  1. How much time is your team on the road vs. in the office? Any road warrior tips to share?

I’ve spent a lot of time on the road, one year I attended 22 tradeshows! Top tip when flying is to be willing to give up your seat for families or groups once you’re at the airport gate, as you’ll often be rewarded with a better seat for helping the airline make the family or group happy. Win win! Since joining dotmailer, I’m focused on being in office and present for the team and customers as much as possible. I can usually be found in our new, NYC office where I spend a lot of time with our team, in customer meetings, in trainings and other hosted events, sales conversations or marketing meetings. I’m here to help the team, clients and partners to succeed, and will always do my best to say yes! Once our prospective customers see how quickly and efficiently they can execute tasks with dotmailer solutions vs. their existing solutions, it’s a no-brainer for them.  I love seeing and hearing their reactions.

  1. Tell us a bit about yourself – favorite sports team, favorite food, guilty pleasure, favorite band, favorite vacation spot?

I’m originally from Yorkshire in England, and grew up just outside York. I moved to the U.S. about seven years ago to join a very fast growing startup, we took it from 5 to well over 300 people which was a fantastic experience. I moved to NYC almost two years ago, and I love exploring this great city.  There’s so much to see and do.  Outside of dotmailer, my passion is cars, and I also enjoy skeet shooting, almost all types of music, and I love to travel – my goal is to get to India, Thailand, Australia and Japan in the near future.

Want to find out more about the dotfamily? Check out our recent post about Darren Hockley, Global Head of Support.

Reblogged 1 year ago from blog.dotmailer.com