GDPR: What It Is, How It Affects You, And What We’re Doing

Miles: Hey, everybody. Welcome to Campaign Monitor’s GDPR webinar, every marketer’s favorite hot topic at the moment. My name is Miles Price and I’m the product marketing manager here at Campaign Monitor. You know, there’s a lot of talk online and throughout the whole marketing community around GDPR and the changes it’s bringing. We want to take this opportunity to share with you what we know about GDPR as it pertains to both Campaign Monitor as an ESP and you as our customers. We’ll highlight the GDPR-compliant features we’re releasing, and finally talk through what GDPR means to you as a marketer moving forward.

Before we get started, I want to introduce our incredible panel of GDPR experts here at Campaign Monitor. You’ll be hearing from Jesal Shah, our general counsel, Art Quanstrom, who is our data and privacy lead, Elizabeth Griffiths, who is on our product team, heading up GDPR updates, and I’m Miles Price, the product marketing manager here at Campaign Monitor. Well, without further ado, I’m going to go ahead and hand it over to Jesal and she’s going to walk us through exactly what GDPR is.

Jesal: Thanks, Miles. Hey, everyone. I’m Jesal Shah, general counsel here. So yes, the GDPR certainly is a big topic and it can be really daunting, especially if you’re a marketer just starting to think through what it will mean for you and how it affects your marketing practices. Our goal here is just to set you up with a framework for thinking about marketing in the era of GDPR. So, heads up. Of course, I have to do this. This webinar and the material included is provided for your general information and is not intended to act as legal advice. To fully understand the impact of the GDPR on your business, you should consult with independent legal and privacy professionals. Now, even though we can’t provide legal advice to you, we can walk you through some of the main things you should be thinking about when it comes to GDPR. We can provide you with tips on how this relates to the world of email marketing and also highlight some of the steps that we, as the provider of your email marketing application, are taking to comply.

So what exactly is GDPR? The general data protection regulation, a regulation adopted in April of 2016, is an effort to ensure consistent and enforceable legal requirements across all EU member states, particularly as it relates to the individual’s right to privacy and the protection of their personal data, which, when you read the GDPR, you’ll note, is broadly defined. But more on that later. So even though the GDPR was adopted in 2016, organizations were given a two-year window to take the necessary steps to ensure that they were fully compliant with the new law. That window is now rapidly closing and all affected organizations will be required to be compliant with the GDPR by Friday, May 25th 2018, the date the GDPR becomes enforceable.

So all of that is fine, but you’re an email marketer in the U.S. Why should any of this matter to you? Well, this new regulation applies both to companies in the EU processing any personal data, and companies outside of the EU that are processing the personal data of the individuals in the EU, irrespective of where the data itself actually resides. So in other words, even if you’re sending emails from the U.S. but you’re sending emails to subscribers in the EU, the GDPR applies to you. The regulation is written to apply to any organization that processes the personal data of those in the EU. This could be your customers, your prospects, your employees, or really anybody who happens to visit your company’s website and who you are tracking information about. So it goes without saying that the number of organizations affected by the GDPR is pretty enormous. So to be clear, if you’re an email marketer, more likely than not, the GDPR applies to you.

Okay, fine. So what does that mean? What rights do these data subjects who you’re collecting information about actually have? So, under the GDPR, all EU data subjects will gain increased control over their personal data and how it’s collected, used, and shared worldwide. These strengthened controls include provisions that grant individuals with, for example, greater transparency. Have you noticed maybe that the closer we get to May 25th 2018, you’ve been receiving more and more emails regarding updates to various companies’ privacy policies? Think about all the brands that you probably subscribe to in your own everyday life. Have you been getting updates from them regarding updates to their own privacy policies? Well, that’s because come May 25th, individuals have a right to know who is processing their data, their personal data, and for what purpose they are processing that data, and to what end that data will be used.

Individuals also have the right to access not only information about your processing activities, but they also have a right to access the personal data that has been collected about them. To ensure you’ll be able to meet these requirements, we suggest auditing and documenting all data processing activities as a starting point. In addition to notice and access, individuals also have the right to require organizations to correct inaccurate personal data that is being held about them.

Another right which frequently accompanies the right to rectification is one that is particularly daunting in the age of big data. It is the data subject’s right to erasure, also known as the right to be forgotten. Essentially, individuals have the right to have personal data about them erased in certain circumstances. Some of those include when the personal data is no longer necessary to achieve the purpose for which it was originally collected or if the data subject requests erasure or if the data subject objects to processing.

Individuals also have the right to require the restriction of their processing of the personal data in certain circumstances, including when they object to the processing of that personal data. In certain circumstances, under the Article 20 right to portability, the data subject has the right to receive the personal data concerning him or her in a structured, commonly used, and machine-readable format, so that they’re able to transfer the personal data to a recipient of their choice.

The GDPR also grants data subjects the right to object to processing of their personal data and to withdraw previously given consent to the processing of their personal data. Individuals also have the right not to be subjected to decisions based solely on automated processing. Now, this includes profiling, especially where this produces legal or other similarly significant effects on him or her. Since the GDPR is more nuanced than the summary I’ve just provided, we recommend spending some time with legal counsel to understand the rights of data subjects as they translate to your processing activities.

So where should organizations like yours start when it comes to GDPR compliance? Well, the process is going to be pretty different for every organization. After all, what GDPR compliance looks like for you depends a great deal on how you’re currently using personal data. We recommend by starting with documenting all of your current data processing activities. Think through the ways that your brand collects, manages, and acts on information, and map out how the new rules and restrictions will impact how you do business. Next, seek out expert legal and privacy advice, whether that’s from an in-house counsel, an outside lawyer or firm, or better yet, both. GDPR is a big, complex, evolving, and sometimes difficult to understand regulation, and organizations that design their compliance roadmap without sufficient legal guidance and oversight could be putting themselves in a very risky situation. All right. Now I’m going to pass this over to Art to walk you through more of the nuts and bolts behind what drives GDPR. Take it away, Art.

Art: Thanks, Jesal. Hey, everyone. I’m Art Quanstrom, the data privacy lead. So Jesal just walked us through what GDPR is. Now let’s talk about why it’s critical in the privacy game and what we’re doing to help. Any piece of information that can be used directly or indirectly to identify an EU citizen is personal data, period. That can be obvious identifiers like email addresses or ID numbers, but it can also apply to more ambiguous data points like a given person’s biometric data, location information, IP address, and a whole lot more. Among its goals, the GDPR seeks to add accountability to the practices of data controllers and processors. What does that mean exactly? A controller is the one who determines the purposes and means of the processing of personal data. A processor is one who processes personal data on behalf of the controller. More simply put, a controller is you and possibly us, and a processor is us when you send emails through our platform. While there are other options for lawful data collection and processing, for marketers, consent will be the strongest and most familiar way to achieve this.

First, we’re building internal privacy-by-design guidelines and training our product and engineering teams on GDPR to make sure that data privacy principles are taken into account during the earliest stages of feature and product development. So from the discovery phase of product development all the way through production, we’ll have an end-to-end system in place to make sure that everything released is GDPR compliant. When your subscriber reaches out to you to exercise their rights, for example, of erasure or rectification, it’s our responsibility as the data processor to assist you in complying with that request insofar as it pertains to data processed through our application. We’re updating our platform with features that help you fulfill that subscriber’s request in a timely manner. We’re going to walk you through those in just a minute.

We’re auditing and documenting all of our current security measures and practices. This covers building security, data storage, and a whole lot more. Where security measures can be further strengthened, our team is working quickly to implement those updated security measures before May 25th 2018 so we can make sure the appropriate technical and organizational measures are in place for the safeguarding of personal data. We are also reevaluating all of our sub processors to ensure that they have adequate security measures in place for the onward processing of any personal data processed by them. And with that, I’ll hand it over to our product team to talk through some of the new updates you’ll be seeing in your account.

Elizabeth: Thanks, Art. Hey, everyone. My name is Elizabeth, product manager here at Campaign Monitor. We’ve been working hard with our product teams and engineers to make sure that Campaign Monitor is GDPR compliant and that we’re providing you with all the right tools to manage and respond to your email subscribers’ requests. Today I’m going to walk you through some of those changes inside the product. Here’s a look at what’s new.

Hosted subscribe forms. The GDPR clearly defines how consent can and cannot be given. It lays out a set of conditions for informed consent that reinforces your subscribers’ rights and puts specific obligations on you. When it comes to your subscribe forms, that means they must, A, clearly state exactly what the subscriber is signing up for and no more pre-checked checkboxes, B, include a link to your own privacy policy that’s easy to find, and C, let subscribers know that they can unsubscribe anytime. With that in mind, we’ve made the following changes to our hosted subscribe form. First, we added a new optional consent to email field. We’ve also added a new consent to track field. And finally, a new customizable field that lets you link out to your company’s online privacy policy and cookie policy. We’ve also rolled out more changes in the product to help you manage your subscribers’ requests. Here they are.

Manual upload. To help you easily modify your subscribers’ tracking preferences, both manual upload and CSV upload functions will recognize when you add a yes/no value to the new consent to track column. In the API, we’ve built a brand new API endpoint that allows you to include your subscribers’ tracking preference. It accepts a yes/no value as well as an option for leaving a subscriber’s preference unchanged. Reporting. In reports, subscribers who have opted out of tracking will be included in the total sent metrics but they’ll be removed from opens, clicks, shares, and so forth.

View tracked subscribers. We’ve added the ability for you to view your subscribers’ tracking preference. A new column in the list view shows which subscribers opted not to track their email activity. This value is also visible in each subscriber’s profile. Send a test. Previously, to test personalization, the default option in campaigns and the campaign’s API was to send a test using a random subscriber’s details. Due to privacy and GDPR regulations, we can no longer offer this option. But you can still test the email using the fallback value of your personalization tag which will auto-populate for each custom field.

And finally, security. We’ve been working very hard on new security features that will help minimize the risk of a data breach and unauthorized access. We’ve increased the minimum password length to eight characters. Right now, your existing password is still fine. But if you change the password, you’ll be asked to meet the new requirements. Another new security improvement is session timeouts. After a period of inactivity, your session will time out and you’ll need to log back in. And we’ve also been working on two-factor authentication which improves your account’s security by requiring additional code at login. This code is displayed on your mobile device via your chosen authenticator app.

Miles: Okay. So we’ve covered the ins and outs of GDPR, the how and when it’ll be enforced, and the GDPR updates we’re releasing in Campaign Monitor. Now let’s talk what this means for you, the marketer. It’s time to review your opt-in process. Leading up to the May 25th GDPR effective date, now is the time to take another look at the consent you’ve received from your subscribers prior and strategize how you’ll obtain consent in the future under the GDPR’s requirements. If you’re a Campaign Monitor customer, you should already be sending to subscribers who have given you permission. So really, this just means adding a few new items to your to-do list.

Number one, review consent for existing subscribers. You don’t need to re-obtain consent if it was originally obtained in a GDPR compliant manner. Number two, review your consent forms, those are your signup forms, to ensure any new information obtained about an individual is in compliance with the GDPR. And three, review public-facing policies around data collection, like your online privacy policy, to make sure that you’re transparent about your data collection, sharing, and usage practices, and to make sure that these policies are provided when collecting information through your signup forms.

Be clear with how you’re using your subscribers’ data. Your subscribers have the right to know how their personal data is being processed by your company, so you should make your online privacy policy both easy to find and easy to comprehend. Here’s some tips. Make sure that you explicitly define all processing activities related to personal data collected by you. For each, state a purpose. This includes any third parties processing on your behalf as well. Provide all information regarding processing activities in a concise, transparent, intelligible, and easily accessible manner, using clear and plain language, and try to avoid jargon and legalese wherever possible. And finally, ensure that your online privacy notices aren’t hidden, they’re not too long, or difficult to understand.

Operationalize ways to respond to your subscribers’ requests. Data subjects, in this case, your subscribers, as they relate to your use of Campaign Monitor, have the right to transparent information about your processing of their data, deletion, correction, and portability of their data, and they have the right to restrict or completely revoke consent for future processing of their data. And that includes objections to any automated decision-making that may be in place based on their personal data. So you’ll need to operationalize ways to respond to and quickly address these subscribers’ requests to exercise their rights under the GDPR.

Number one, the process for the subscriber to exercise their rights as a data subject should be clear. Make sure instructions for the process are where they’re expected to be and that the mechanism to make the request is easy to use and does not require a special knowledge beyond that needed to verify the request. Number two, request for information may not always be legitimate. As the data controller, you’ll want a way to confirm the identity of the requester so that you’re not disseminating personal data to the wrong person. Number three, responses should be timely and accurate. Four, there may be lawful grounds that prevent you from modifying or deleting, in part or whole, the record. Consider these carefully and fully document your reasoning.

Number five, keep your responses to data subjects clear and unambiguous. Number six, make sure a subscriber’s data is in a common readable and portable file format in case they want to store that data elsewhere for their own purposes. Number seven, you’ll generally have one month to fulfill the request, though there are allowances for additional time under certain circumstances. And number eight, finally, all steps in the above process should be documented. And finally, keep a record of each of your signup forms, data collection mechanisms, and processing activities. Just like your computer, everything should be backed up. This could be saving the underlying code, a screenshot, PDF, or a use case description of any data collection mechanism you’re currently using or will use in the future. And it can help you prove the nature of consent between you and your subscribers.

All right, everybody, that about wraps it up for today. I hope we were able to help clear up GDPR and hopefully make it a little less scary and daunting. I want to give a huge thank you to Jesal, Art, and Elizabeth for all their expert GDPR advice. And just as a quick recap, we went over what GDPR is and why it’s critical, what we’re putting in place, and a look at the new GDPR updates, and what GDPR means for email marketers. And before we go, just remember a few things. Don’t be afraid of GDPR. It’s here to help provide your customers with valuable protections that will help them engage with you more confidently. Seek legal counsel for any areas where you’re unsure. And remember that we’re working hard to make sure that compliance is going to be a breeze when it comes to your email efforts. For even more information on GDPR, check out our trust center at campaignmonitor.com/trust, where you’ll find all of our documentation on GDPR, privacy, and security. Thanks, everybody.