GDPR – 12 months to go, 12 things to think about (Part 4 of 4)

In Part 1 we covered raising awareness, data audits and privacy notices, and in Part 2 we covered how GDPR deals with individuals’ rights, including subject access requests and legal basis. In the last instalment, we reviewed consent, marketing to children and data breaches. The last three things to think about are data protection impact assessments, data protection officers and international considerations.

10. Data Protection Impact Assessments

It has always been best practice to take a privacy-by-design approach when developing your data capture and processing strategies, and to treat it as a key part of any technology implementation. Privacy impact assessments are fundamental to this approach: they give marketers a structured way to consider properly the privacy risks that their data processing entails. What the GDPR does here is make privacy by design an express legal requirement and make PIAs (renamed in the Regulation as Data Protection Impact Assessments, or DPIAs) mandatory in circumstances where the processing is likely to result in a high risk to data subjects, such as:

  • where new technology is being deployed
  • where a processing activity is likely to significantly impact individuals
  • where there is large-scale processing on special categories of data

For most marketers, it will be the first two circumstances that are most likely to trigger a DPIA, but it is worth knowing which data count as special categories (Article 9: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone, health, and sex life or sexual orientation) in case your processing changes in the future.

In many if not most situations, the DPIA will show either that the processing is not high risk or that the high risks it identifies can be mitigated. If you cannot mitigate a high risk, you must consult the ICO before you start the processing (this is the “prior consultation” step in Article 36) and get its view on whether the processing will comply with the GDPR.

If you haven’t already, you should start to assess whether any DPIAs are warranted within your organisation, who will lead them and who else needs to be involved. Both the UK ICO and the Article 29 Working Party have published good guidance on DPIAs and privacy by design.

11. Data Protection Officers

US President Harry S. Truman had a sign on his desk that read “the buck stops here.” It was his assurance that he was ultimately responsible for how the government operated under his administration. Historically when it comes to data, the buck has not stopped anywhere due to the way that the collection and processing of data has grown organically within businesses and other organisations. I was speaking with one head of CRM recently who told me of the over 80 marketing databases that they currently have. It is going to come down to this CRM manager to get all of that data into a single place.

Every organisation should designate someone to “take the data buck” – to be ultimately responsible for data privacy and compliance. You should also think about where this role of Data Protection Officer (DPO) sits within the organisation and its overall governance structures, so that the person in this role has the freedom to act should the need arise; the GDPR requires a DPO to report to the highest level of management and not to be penalised for performing their tasks (Article 38). In some cases the GDPR takes the decision out of your hands by specifying situations where a DPO is mandatory, such as:

  • public authorities
  • organisations that carry out large scale, regular and systematic monitoring of individuals
  • organisations that carry out large scale processing of special categories of data

Whoever the designated DPO is, it is important that they have the knowledge, support and authority to carry out their role effectively. The Article 29 Working Party has some good guidance on the roles and responsibilities of a DPO.

12. International Considerations

The first thing to remember here is that Brexit will have little to no impact on GDPR. The government has confirmed on multiple occasions including as recently as the Queen’s Speech on 21st of June 2017, that GDPR will be the data protection law in the UK going forward. Moreover, the UK will still be an EU member when the law goes into effect on the 25th of May 2018.

If you operate in multiple EU member states, then you should determine which supervisory authority will be your lead regulator. This is not meant to be a way of placing yourself under the most favourable regulator. Your lead supervisory authority is the one in the member state of your “main establishment”: the place of your central administration in the EU or, if decisions about the purposes and means of your data processing are taken elsewhere, the place where those decisions are taken. In practice you can work this out by mapping where your data processing decisions are made; the country with the preponderance of those decisions is the one to choose. If, on the other hand, you are not engaged in any cross-border processing, the decision is straightforward. Once again, the Article 29 Working Party has produced guidance that will help you make the correct decision.

Conclusion

As I said at the beginning of part 1, data recently released by the DMA indicates that marketers are feeling less prepared for GDPR than they did in February. Marketers are also feeling less knowledgeable about GDPR in general and their four big concerns are:

  1. Consent
  2. Legacy Data
  3. Implementing a compliant system
  4. Profiling

I hope that this blog series has gone a little way to making you feel more prepared or at least has given you some things to think about and some things to start discussing internally. Over the coming weeks and months, dotmailer will be publishing useful guidance from recognised sources geared towards email marketers. Our approach is to keep our readers up to speed based on facts directly from this reputable guidance or vetted by the UK or other data regulators around Europe. In addition, our teams will be ready to help you implement the advice you receive from your professional advisors within the dotmailer environment.

The post GDPR – 12 months to go, 12 things to think about (Part 4 of 4) appeared first on The Email Marketing Blog.

Reblogged 4 months ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 3 of 4)

In Part 1 we covered raising awareness, data audits and privacy notices, and in Part 2 we covered how GDPR deals with individuals’ rights, including subject access requests and legal basis. In this week’s instalment, we will be reviewing consent, marketing to children and data breaches.

7. Consent

Under the Privacy and Electronic Communications Regulations (PECR), email marketing to individuals is already consent-based (with the “soft opt-in” exception for existing customers). The GDPR, however, defines much more fully what valid consent looks like, with the following stipulations:

  • Freely given – give people genuine choice and control over how you use their data, and “unbundle” consent from other terms and conditions; in other words, consent cannot be a precondition for a service unless it is necessary to deliver that service.
  • Specific – explain clearly and in plain language exactly what people are consenting to (not a load of legal mumbo jumbo), and do so in a way that does not disrupt the user experience.
  • Informed – clearly identify yourself as the data controller and name any third parties who will rely on the consent, identify each processing operation you will perform, collect separate consent for each unless this would be “unduly disruptive or confusing”, describe the reason behind each processing operation, and tell people of their right to withdraw consent at any time.
  • Unambiguous – it must be clear, from a positive affirmative action, that the person has consented and what they have consented to (so no pre-ticked boxes). Silence or inactivity is therefore not valid consent.

In the last instalment, we talked about deciding on the legal basis you will use to process your marketing data. Consent is not your only option. That said, it is always a good idea to know the source of all of your data, how that data flows through your various systems and what consent you have for the processing of that data. The ICO has published detailed guidance on consent and has produced a consent checklist to help you review your current practices.

8. Children

For the first time, the GDPR specifically calls out the rights of children and offers special protection for their personal data in the digital world. If you offer what the GDPR calls “information society services” to children and you rely on consent to process their data, you may have to get the permission of a parent or guardian before processing that child’s data. The GDPR sets the age at which a child can consent for themselves at 16, but allows member states to lower it, and the UK may lower it to 13. One important point to note is that the parent or guardian’s consent lapses when the child reaches the age at which they can give consent themselves, so you will have to refresh that consent at that milestone.
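The two sections above (consent and children) describe rules that are easy to state and easy to get wrong in a live marketing database: consent must be per purpose, backed by evidence of what the person saw and did, withdrawable, and, where a parent gave it, time-limited by the child’s age. The following Python sketch is an added example written for this article, not dotmailer code or any product’s API; it shows one way to keep a consent ledger that enforces those rules. The age of digital consent is an assumption (the GDPR default of 16; set it to 13 if the UK lowers it), and the email addresses, form identifiers and notice versions are constructed sample data.

```python
"""Consent ledger: per-purpose consent with an evidence trail, withdrawal,
and lapse of parental consent when the child reaches the age of consent.
Added example, not code from dotmailer or any product."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional

# Assumption: GDPR Article 8 default. A member state may lower it to 13.
AGE_OF_DIGITAL_CONSENT = 16


def age_on(date_of_birth: date, on: date) -> int:
    """Whole years of age on the given date."""
    years = on.year - date_of_birth.year
    if (on.month, on.day) < (date_of_birth.month, date_of_birth.day):
        years -= 1
    return years


@dataclass
class ConsentRecord:
    purpose: str                 # one record per processing purpose
    granted_at: datetime
    source: str                  # where it was captured: form id, event, import batch
    wording_version: str         # the notice the person actually saw
    given_by_parent: bool = False  # holder of parental responsibility consented
    withdrawn_at: Optional[datetime] = None


@dataclass
class Contact:
    email: str
    date_of_birth: Optional[date] = None
    consents: List[ConsentRecord] = field(default_factory=list)


class ConsentLedger:
    def __init__(self) -> None:
        self._contacts: Dict[str, Contact] = {}

    def record(self, email: str, purpose: str, *, source: str, wording_version: str,
               affirmative_action: bool, at: datetime, given_by_parent: bool = False,
               date_of_birth: Optional[date] = None) -> ConsentRecord:
        # Unambiguous: silence, inactivity or a pre-ticked box is not consent.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        contact = self._contacts.setdefault(email, Contact(email=email))
        if date_of_birth is not None:
            contact.date_of_birth = date_of_birth
        if given_by_parent and contact.date_of_birth is None:
            raise ValueError("parental consent needs a date of birth to know when it lapses")
        rec = ConsentRecord(purpose, at, source, wording_version, given_by_parent)
        contact.consents.append(rec)
        return rec

    def withdraw(self, email: str, purpose: str, at: datetime) -> int:
        """Withdraw every live consent for the purpose; returns how many were withdrawn."""
        contact = self._contacts.get(email)
        if contact is None:
            return 0
        withdrawn = 0
        for rec in contact.consents:
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                withdrawn += 1
        return withdrawn

    def has_valid_consent(self, email: str, purpose: str, on: date) -> bool:
        contact = self._contacts.get(email)
        if contact is None:
            return False
        for rec in contact.consents:
            # Specific: consent for one purpose never covers another.
            if rec.purpose != purpose or rec.withdrawn_at is not None:
                continue
            # Parental consent lapses once the young person can consent themselves.
            if rec.given_by_parent and age_on(contact.date_of_birth, on) >= AGE_OF_DIGITAL_CONSENT:
                continue
            return True
        return False

    def evidence(self, email: str, purpose: str) -> List[dict]:
        """What you would show a regulator: when, where and under which wording."""
        contact = self._contacts.get(email)
        if contact is None:
            return []
        return [{"granted_at": r.granted_at.isoformat(), "source": r.source,
                 "wording_version": r.wording_version, "given_by_parent": r.given_by_parent,
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in contact.consents if r.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample data.
    ledger.record("ann@example.com", "newsletter", source="web-form-v3",
                  wording_version="notice-2018-05", affirmative_action=True,
                  at=datetime(2018, 5, 25, 9, 0))
    print(ledger.has_valid_consent("ann@example.com", "newsletter", date(2018, 6, 1)))
    print(ledger.evidence("ann@example.com", "newsletter"))
```

The point of keeping source and wording_version on every record is the accountability principle: when a regulator or a data subject asks why you are emailing someone, you can answer with the form, date and notice text rather than “they are in the database”.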

9. Data Breaches

The GDPR makes it the responsibility of every data controller to notify the ICO of certain personal data breaches, and of every processor to tell its controller without undue delay. You will have to notify the ICO, within 72 hours of becoming aware of the breach where feasible, if the breach is likely to result in a risk to the rights and freedoms of individuals, such as financial loss, loss of confidentiality or other significant economic or social harm. If that risk is high, you will also have to notify the affected individuals directly. Every breach, notifiable or not, must be documented along with the reasoning behind your decision. Now is the time to think about your policies and procedures for identifying, assessing and managing data breaches so that the 72-hour clock does not catch you out.

So far, we have given you a lot to think about and we hope you have got started. Check back soon for our last instalment, where we will look at privacy by design, data protection officers and international considerations.

The post GDPR – 12 months to go, 12 things to think about (Part 3 of 4) appeared first on The Email Marketing Blog.

Reblogged 5 months ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 2 of 4)

In Part 1, we covered raising awareness, data audits and privacy notices.

4. Individuals’ Rights

Just ‘getting ready’ for GDPR is not going to be good enough, because you may also have to prove to the regulator that you are ready (the GDPR calls this accountability). One critical proof point will be the decisions you make in getting ready for GDPR, as well as what you do going forward after it applies. Get in the habit now of documenting all of your decisions and the deliberations that went into them (more on this under privacy by design in the final part). You will also need clearly defined and documented policies and procedures to comply with GDPR. These cannot be the kind of documents that are written and then live in a cupboard in case something goes wrong; they need to be distributed to staff in a usable format with accompanying training, so that the processes become habit within your organisation.

One area that is very well suited to this is protecting individuals’ rights. Most of the rights under GDPR (access, rectification, erasure, restriction of processing, data portability, the right to object and rights around automated decision-making) are not that different from those under the Data Protection Act 1998, but now is a good time to ensure that you have your documentation in order. It is also a good time to ensure that your procedures will be compliant around things like correcting data and subject access requests.

5. Subject Access Requests

While we are on the topic of subject access requests, these are changing under GDPR. First, the downside: you will no longer be able to charge the £10 fee for them, and you will have to respond within one month rather than 40 days (extendable by a further two months for complex or numerous requests, provided you tell the person within the first month). You will also have to provide supplementary information alongside the data subject’s own data, such as your retention periods, the source of the data, who it has been shared with, and many of the other things covered under the privacy notices provision.

The good news is that you can charge a reasonable fee for, or refuse, requests that are manifestly unfounded or excessive (for example, repeated requests), and if you process large amounts of data you can ask the data subject to specify which data they are looking for. Where the request is made electronically, you should provide the data in a commonly used electronic form unless the person asks otherwise.

6. Legal Basis

Under the GDPR, the legal basis for processing data is all-important, both because you must identify and document it up front and because individuals’ rights change depending on the basis you rely on (for example, the right to data portability applies only to data processed on the basis of consent or a contract, while the right to object to direct marketing is absolute whatever basis you use). Of the six lawful bases in Article 6, the two that most email marketers will weigh up are the data subject’s consent and the controller’s legitimate interests, and it will be important to balance the stricter consent requirements against the flexibility that legitimate interests provides. Bear in mind that, whichever basis you choose under the GDPR, PECR still requires consent (or the soft opt-in) for marketing emails to individuals.

That puts us half way through the twelve things you should be thinking about to prepare for GDPR. Check back soon for the next two installments.

Editor’s note: The materials and information above is not intended to convey or constitute legal advice. You should seek your own advice specific to your business’ requirements.

The post GDPR – 12 months to go, 12 things to think about (Part 2 of 4) appeared first on The Email Marketing Blog.

Reblogged 6 months ago from blog.dotmailer.com

GDPR – 12 months to go, 12 things to think about (Part 1 of 4)

So, here we are. There are less than 12 months to go until the new General Data Protection Regulation (GDPR) applies on 25th May 2018.

It would be great to say that all UK businesses are well on their way to being ready, but data from the DMA released at an event this morning tells a different story.

Marketers are feeling less confident about GDPR than they did in February when 68% of businesses said they were ‘on course’ or ‘ahead’ of plans to be GDPR compliant by May 2018. Since that survey, the ICO and the Article 29 Working Party have issued both guidance and discussion documents bringing businesses greater clarity around what GDPR compliance will entail. This greater clarity has caused respondents to reassess their positions:

  • Only 55% of companies feel they are now ‘on course’ or ‘ahead’ of plans to meet the May 2018 deadline.
  • Marketers’ perception of their knowledge as ‘good’ rather than ‘basic’ has slipped from 66% to 59%.
  • Marketers’ sense of being ‘extremely’ or ‘somewhat’ prepared has fallen from 71% to 61%.

What has not changed is marketers’ four big GDPR-related concerns:

  1. Consent
  2. Legacy Data
  3. Implementing a compliant system
  4. Profiling

So what should you be thinking about? Here are 12 things to get you started.

1. Awareness

If you are the only person in your organization that is thinking about GDPR, you could be in big, big trouble. This is a major change to the legislative regime in which your business operates, so not only do key people need to be made aware of the revisions your business will need to make, they also need to be made to care.

As one of the speakers at this morning’s DMA event pointed out, good data practitioners already have the proper use of data on their radar; much of what the GDPR contains could therefore be considered business as usual. By stressing that this data attention is now in favor of helping the business comply with the new GDPR regulations, you may be able to obtain more budget for your undertaking.

While I am sure this is true in some cases, I know that for many companies GDPR will represent a radical change in how they do business. It is critical that senior management is made aware of the impact sooner rather than later, and that all members of staff are trained and brought up to speed on the changes over the next twelve months.

2. Data Audit

While you are running your internal PR campaign, you can also be talking to all of the people who have databases squirrelled away here, there and everywhere; these will need to be examined. Among other things, you need to fully document:

  • What data you hold
  • Where you obtained it
  • When it was acquired
  • How often it is updated
  • All of the places it is stored within your organization
  • How the data flows from one place to another
  • Who has access to the data throughout its journey
  • How it is stored
  • Where it is stored
  • The purpose for which it is processed and the lawful basis for doing so
  • The retention policy for each category of data

3. Privacy Notices

One of the things that will most likely have to change for most UK businesses under GDPR is their privacy notices. Being open, honest and transparent with consumers about what data you are collecting, why, how you will use it and how you will take care of it has been a core principle of data protection law since the Data Protection Act 1998. What has changed is that the legislators feel that data controllers have not always done this to the best of their ability. They have therefore given us more detailed instructions as to what openness, honesty and transparency entail in practice. The Information Commissioner’s Office (ICO) has released a great code of practice on privacy notices.

Check back next week to read 4-12 of 12 things to think about before GDPR 2018.

The post GDPR – 12 months to go, 12 things to think about (Part 1 of 4) appeared first on The Email Marketing Blog.

Reblogged 6 months ago from blog.dotmailer.com

Landing pages: why it pays to think beyond the CTA button

You might be thinking that landing pages aren’t your job; after all, your main concern is probably how many people are opening the campaign and clicking. Opens and clicks only take you so far, though: they don’t tell you how much revenue your email campaign generated or how effective your email message was for meeting company goals. And those are the things that help you to reveal the true worth of email marketing within your business which, incidentally, is proving to be a lot. The latest DMA Marketer Tracker report has revealed that the average ROI for email is £30.01 for every £1 spent; not to be sniffed at!

How do you ensure that your email campaigns perform well once the recipient has clicked the CTA button? The answer is to serve them a super-relevant landing page, otherwise they’re likely to bounce. Don’t get us wrong: there are times when it’s okay to direct people to product pages, for instance, if you’ve made it obvious that that’s where you’re sending the user. But on most occasions it’s wise to think carefully about the onward journey.

If you’re wondering when you might adopt a dedicated landing page for your campaign, we’ve compiled a list of four common use cases. If time’s a worry, you should also check out the dotmailer landing pages add-on, which offers the seamless functionality of our drag-and-drop EasyEditor. (P.S. you can also download a free copy of our latest ‘Get more from your landing pages’ guide).

Collecting additional data

You might have someone’s name and email address but what else do you know about them? Landing pages are the ideal place to embed a form to gather more data on your contacts; for example, you might encourage them to provide their preferences for ongoing email content or register their interest for a soon-to-be-launched event or product.

Targeted offers and offerings

If you’re sending out a specific offer or set of offers, a dedicated page with more information than was available in the email can aid conversions. What’s more, ‘exclusive’ landing pages can be kept out of the search engines (for example with a noindex directive) without damaging the rankings of your permanent pages, so that in practice only those with the link find it. Bear in mind that hiding a page from search engines is not access control: anyone who has, guesses or is forwarded the URL can still open it, so don’t put personal data or account-specific details on such a page unless it sits behind authentication.

Tracking individuals’ interest and intents

Landing pages facilitate an understanding of which customers are the most engaged with your brand by tracking the re-engagements of existing leads. This also means you can collect more information on customers’ preferences and online behavior, which is handy for sales.

Measuring success of marketing campaigns

Each landing page serves as a data asset for your marketing campaign, enabling you to get insight into its performance. A landing page created for a specific marketing campaign will allow you to understand the strength of your proposition – for example, the email might’ve done a great job of luring them in but the detailed landing page could be a total turn-off. On the other hand, the landing page could seal the deal and you’ll want to replicate those successes in future campaigns.

Why not get your hands on our free landing pages guide for the latest landing page advice – including 10 tips for optimization:

The post Landing pages: why it pays to think beyond the CTA button appeared first on The Email Marketing Blog.

Reblogged 10 months ago from blog.dotmailer.com

dotmailer becomes EU-U.S. Privacy Shield certified

On 12 August we were accepted for the U.S. Department of Commerce’s voluntary privacy certification program. The news is a great milestone for dotmailer, because it recognizes the years of work we’ve put into protecting our customers’ data and privacy. For instance, just look at our comprehensive trust center and involvement in both the International Association of Privacy Professionals (IAPP) and Email Sender & Provider Coalition (ESPC).

To become certified, our Chief Privacy Officer, James Koons, made the application to the U.S. Department of Commerce, which reviewed dotmailer’s privacy statement against the Privacy Shield requirements. (Interesting fact: James actually completed the application process while on vacation climbing Mt. Rainier in Washington state!)

By self-certifying and publicly committing to the Privacy Shield Principles, we make that commitment enforceable by the Federal Trade Commission (FTC).

What does it mean for you (our customers)?

As we continue to expand globally, this certification is one more important privacy milestone. The EU-U.S. Privacy Shield, which was recently finalized, aims to give businesses a stronger legal footing for the exchange of transatlantic data. If you haven’t seen it already, you might be interested in reading about the recent email privacy battle between Microsoft and the U.S. government.

As a certified company, we must provide you with adequate privacy protection – a requirement for the transfer of personal data outside the European Union under the EU Data Protection Directive. Each year we must re-certify to the U.S. Department of Commerce’s International Trade Administration (ITA) that we continue to adhere to the Privacy Shield Principles.

What does our Chief Privacy Officer think?

James Koons, who has 20 years’ experience in the information systems and security industry, explained why he’s pleased about the news: “I am delighted that dotmailer has been recognized as a good steward of data through the Privacy Shield Certification.

“As a company that has a culture of privacy and security as its core, I believe the certification simply highlights the great work we have already been doing.”

What happened to the Safe Harbour agreement?

The EU-U.S. Privacy Shield replaces the former Safe Harbour agreement for transatlantic data transfers, which the Court of Justice of the European Union invalidated in October 2015 in the Schrems case.

Want to know more about what the Privacy Shield means?

You can check out the official Privacy Shield website here, which gives a more detailed overview of the program and requirements for participating organizations.

Reblogged 1 year ago from blog.dotmailer.com