In April 2016, the General Data Protection Regulation (GDPR) — a joint proposal by the European Commission, European Parliament, and the Council of the EU which provides individuals with even greater control over the collection and use of their personal data — was adopted by the European Union.

We are committed to ensuring our customers are able to comply with their requirements under the GDPR by the May 25, 2018 enforcement timeline.

Consent and Purpose

Before discussing how and why you should be collecting personal data, it’s important to define what personal data is, according to the GDPR.

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”[1]

While the definition of ‘personal data’ under the GDPR is largely unchanged from its predecessor, the EU Directive, the explicit reference to “online identifiers” is potentially a major shift in how marketers perceive the data they hold and how it should be handled. So, if you’re storing data about a person in a usable way, it probably relates to some identifier of a natural person (including online identifiers like device IDs, cookie IDs, etc.) and is, as a result, personal data.

The tips below focus on GDPR requirements that should be considered at the point of collection.

Personal Data must be “Processed lawfully, fairly and in a transparent manner”[2]

Consent and Transparency

For all data covered by the above definition of personal data, you’ll need to be able to justify that you’re processing[3] it lawfully. Consent is just one way of establishing that your processing activities are lawful under the GDPR, but it is likely going to be the one most applicable to the email marketer. Just as it has been with email marketing in the past, explicit, purpose-based, freely given consent is the highest standard for data collection and use. This means that there is no ambiguity as to the activities consented to or the organisation carrying out those activities.

Consent should be clear and unique to a specific organisation and to each reason for processing. Methods like separate forms or separate, unchecked-by-default boxes are obvious options. While there may be other, more creative options that are equally viable, it is important to ensure that clarity is not lost in the process. Being transparent about your reasons for processing data is a requirement for building explicit consent. As always, data subjects should be able to withdraw their consent for each, or all, processing activities, and withdrawing consent should be as easy as giving it was.

As with all GDPR-related things, record keeping is vital to demonstrating compliance. Make sure that, however you decide to do this, these records support your consent-based legal grounds.

TIP: If you are relying on consent as the lawful basis for processing your subscribers’ data, we recommend evaluating your subscribe forms to ensure they comply with the consent principles encapsulated in the GDPR (specifically those in Articles 6 & 7 and Recitals 32, 33, 42, 43, and 171).

Personal Data must be “Collected for specified, explicit and legitimate purposes”[4] and be “Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”[5]

Purpose Limitation

Obtaining explicit consent goes hand-in-hand with purpose limitation; at the point of data collection (for example, your online form), you should be completely transparent about the purpose for which personal data is being collected, so that there is no confusion regarding the purpose of collection. In addition, once you have collected data for a specified purpose, that data should not be used for another, incompatible purpose. Further, the purpose must be legitimate; in other words, it must not be in violation of applicable laws.

Data Minimisation

Related to purpose limitation, personal data collected for an explicit purpose should be limited so that only data which is necessary to fulfil the consented-to purpose is processed. This means that you should carefully review the data being collected against the purpose it is meant to fulfil.

TIP: When evaluating whether or not you’re complying with the purpose limitation and data minimisation principles, ask yourself some of these questions:

  • Have I made it clear to the Subscriber what information I am collecting?
  • Have I made it clear to the Subscriber why I am collecting that information?
  • Am I collecting more information than I need? (EX: If your subscriber is signing up for a newsletter, do you need information about that subscriber’s gender to fulfil your stated purpose?)
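The per-purpose consent, withdrawal, record-keeping and data-minimisation practices described above, as an added Python example that is not part of the original article; the purpose names, field lists and form identifiers are assumptions for illustration:

```python
"""Per-purpose consent ledger (added example, not the article's own code).

One consent decision per processing purpose, withdrawal that is as easy as
giving consent, an append-only record of every decision for audit, and a
pre-send check so data collected for one purpose is never used for another.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed purposes and the minimum fields each one needs (data minimisation).
PURPOSES = {
    "newsletter": {"email"},
    "product_updates": {"email"},
    "birthday_offer": {"email", "date_of_birth"},
}


@dataclass(frozen=True)
class ConsentEvent:
    subscriber: str      # subscriber identifier (an email address is itself personal data)
    purpose: str
    granted: bool        # True = consent given, False = consent withdrawn
    source: str          # where the decision was captured, e.g. a form or link id
    at: datetime


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)   # append-only audit trail

    def record(self, subscriber, purpose, granted, source, at=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        ev = ConsentEvent(subscriber, purpose, granted, source,
                          at or datetime.now(timezone.utc))
        self.events.append(ev)
        return ev

    def has_consent(self, subscriber, purpose):
        """Latest decision wins; no record at all means no consent (no pre-ticked boxes)."""
        latest = None
        for ev in self.events:
            if ev.subscriber == subscriber and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def withdraw_all(self, subscriber, source):
        """Withdrawing must be as easy as giving: one action covers every purpose."""
        return [self.record(subscriber, p, False, source)
                for p in PURPOSES if self.has_consent(subscriber, p)]


def can_send(ledger, subscriber, purpose, fields_used):
    """Pre-send check: consent for THIS purpose, using only the data it needs."""
    if not ledger.has_consent(subscriber, purpose):
        return False, "no consent recorded for this purpose"
    excess = set(fields_used) - PURPOSES[purpose]
    if excess:
        return False, f"fields not needed for {purpose}: {sorted(excess)}"
    return True, "ok"
```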

RELEVANT DEFINITIONS:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

[1] Chapter I; Article 4(1)
[2] Chapter II; Article 5(1a)
[3] Processing is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means” and includes collection, recording, storage, and other common activities.
[4] Chapter II; Article 5(1b)
[5] Chapter II; Article 5(1c)

Lawful Data Processing

As someone engaged in marketing, especially in the context of using an email marketing application like our CreateSend product, you will likely rely on consent (see: Consent and Purpose article) as the lawful basis for processing your subscribers’ personal data. While consent is not the only way to lawfully process personal data, at least one of the following grounds for lawfully processing personal data must apply (Art. 6 GDPR):

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

While it’s true that for most marketing activities, the industry tends to rely heavily on consent as the lawful ground for processing, it is up to you to analyse your data processing activities and choose the right justification(s). If you are unsure which of the lawful grounds listed in the GDPR apply to you, please consult with legal counsel to ensure processing activities are properly justified. As always, diligent record keeping is vital to support these justifications.

RELEVANT DEFINITIONS:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Security

Risk and Appropriate Technical and Organisational Measures

While personal data is defined very broadly under the GDPR, the sensitivity of the data and the severity of harm that may result in the event of unauthorised access to it are not equal across all data. This means that the measures by which you secure personal data (type of encryption, backup procedures, password requirements, etc.) may vary by data type and by the processing activities undertaken using that data. The GDPR requires protection of personal data using “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” throughout the life cycle of the data.

“In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” (GDPR, Recital 78)

The regulation does not prescribe any specific security mechanisms, but rather requires that data controllers and processors take into “account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”[6] should data be subject to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access.

Some measures that the GDPR highlights are pseudonymisation and encryption, but the extent to which they represent a standard for data security is unclear. Until clearer guidance is released by the EU, we recommend keeping an eye out for guidance from industry thought leaders, trade organisations, and data security experts and organisations (like the National Institute of Standards and Technology, or NIST); there may also be clarity in Member State laws and future documents issued by the EU governing body.

Regardless of your current security measures, the GDPR highlights the need for ongoing evaluation of risk to personal data and security measures based on product evolution.

Privacy By Design

The GDPR’s “Data Protection by Design and by Default” model, more commonly called the ‘privacy-by-design’ model, requires that principles of data protection be taken into account at the product development phase rather than after data is already being processed. By implementing appropriate technical and organisational measures, taking into account the nature and sensitivity of the data types that will be processed, and ensuring that appropriate data minimisation measures are implemented at the product (and feature) development phase, personal data is protected at all stages of its life cycle.

Data Breaches

If you’re getting a hint of that new-regulation smell, that’s because data breach handling and notification is a previously untouched area of data privacy law in the EU. In the GDPR, the rules for how and when you should notify data subjects and/or relevant authorities are made clearer.

Notice from Controllers to Supervisory Authority:

For controllers, notice to the appropriate supervisory authority must be made “without undue delay and, where feasible, not later than 72 hours” after becoming aware of the breach, with the following information[7]:

  • Describe the nature of the personal data breach including where possible,
  • Include the name and contact details of the data protection officer or other contact from whom more information may be obtained
  • Describe the likely consequences of the breach
  • Describe what the controller is doing to address the breach and/or mitigate possible adverse effects.

Throughout the process of identifying, measuring the scope of, and remediating the effects of the breach, records should be maintained to “enable the supervisory authority to verify compliance with this Article.”[8]

Notice from Processors to Controllers:

Processors must inform “the controller without undue delay after becoming aware of a personal data breach”.

Notice from Controller directly to Data Subject:

If the personal data in question represents “high risk to the rights and freedoms of natural persons,” the controller will need to notify the data subject without undue delay. This notification should include a description of the breach in clear, plain language that includes contact details for the appropriate person (DPO or otherwise), the likely consequences of the breach, and the current and future measures the controller will take to address the breach.

There are a few exceptions to the data subject notice requirement: where the controller employed safeguards or has taken subsequent action to render the risk of the breach inert, and where individual data subject outreach would require disproportionate effort. But as with any exception under the regulation, legal counsel should be sought before proceeding.

RELEVANT DEFINITIONS:

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

[6] Article 32(1)
[7] Article 33(3a-d)
[8] Article 33(4)

This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.

It's a bright sunny morning today, the kind that makes you eager to get outside. Amongst the usual crop of marketing emails landing in my inbox yesterday were multiple attempts to sell me good weather gear: gardening equipment and outdoor toys, items for my "warm weather wardrobe" and "11 ingredients for fabulous outdoor dining". 

I didn't open any of those emails...

Why, apart from the usual reasons emails get ignored? Well, it was cold and it rained pretty heavily most of the day yesterday.

Okay it wasn't raining everywhere in the UK yesterday just pretty much over all of Wales and central and southern England... and it was a chilly day across the whole country. So actually it wasn't great weather anywhere in the UK and besides these guys all know exactly where I live - they are all businesses who have delivered to my home address!

Now I know those emails I received were scheduled, maybe weeks ago, but if you are going to send good-weather related marketing messages it might be a good idea to check the forecast the day before and RE-schedule where appropriate, don't you think? Better still, take a look out the window on the day and hit PAUSE if it's chucking it down...

The obvious point here is that if you are going to tailor your email campaign message to weather conditions, or any other variable for that matter, it's a good idea to check those conditions actually apply at the point when your emails hit your prospects' inboxes, even if that means delaying sending your message!

Here is something we have been asked for a few times: the release schedule for new (Latin script) gTLDs. Starting with today's four:

.tips 26|02|2014  
.enterprises 26|02|2014  
.diamonds 26|02|2014
.voyage 26|02|2014  
.recipes 05|03|2014  
.careers 05|03|2014  
.shoes 05|03|2014  
.photos 05|03|2014  
.company 12|03|2014  
.limo 12|03|2014  
.domains 12|03|2014  
.cab 12|03|2014  
.menu 17|03|2014  
.berlin 18|03|2014  
.academy 19|03|2014  
.uno 19|03|2014  
.center 19|03|2014  
.management 19|03|2014  
.systems 19|03|2014  
.computer 19|03|2014  
.builders 26|03|2014  
.email 26|03|2014  
.training 26|03|2014  
.solutions 26|03|2014  
.support 29|03|2014  
.education 02|04|2014  
.glass 02|04|2014  
.repair 02|04|2014  
.camp 02|04|2014  
.institute 02|04|2014  
.cool 07|04|2014  
.international 09|04|2014  
.coffee 09|04|2014  
.florist 09|04|2014  
.house 09|04|2014  
.solar 09|04|2014  
.buzz 15|04|2014  
.reviews 30|04|2014  
.club 07|05|2014  
.luxury 28|05|2014  
.ski Q2|2014
.supplies Q2|2014
.tokyo Q2|2014
.arab Q2|2014
.budapest Q2|2014
.city Q2|2014
.deal Q2|2014
.business Q2|2014
.bzh Q2|2014
.download Q2|2014
.pictures Q2|2014
.wien Q2|2014
.website Q2|2014
.associates Q2|2014
.cafe Q2|2014
.okinawa Q2|2014
.cymru Q2|2014
.energy Q2|2014
.date Q2|2014
.nyc Q2|2014
.pets Q2|2014
.melbourne Q2|2014
.exchange Q2|2014
.nagoya Q2|2014
.bid Q2|2014
.lease Q2|2014
.casa Q2|2014
.investments Q2|2014
.kiwi Q2|2014
.trade Q2|2014
.koeln Q2|2014
.hiv Q2|2014
.lat Q2|2014
.wiki 07|15|2014
.eus Q3|2014
.voting Q3|2014
.vin Q3|2014
.london Q3|2014
.bar Q3|2014
.latino Q3|2014
.ninja Q3|2014
.market Q3|2014
.one Q4|2014
.film Q4|2014
.vegas Q4|2014
.car Q4|2014
.sport Q4|2014
.wales Q4|2014
.africa Q4|2014
.secure Q4|2014
.bio Q4|2014
.green Q4|2014
.rocks Q4|2014
.boston Q4|2014
.gent Q4|2014
.ngo Q4|2014
.moscow Q4|2014
.law Q1|2015
.bcn Q1|2015
.paris Q1|2015
.pizza Q1|2015
.adult Q1|2015
.madrid Q1|2015
.ryukyu Q1|2015
.media Q1|2015
.immo Q1|2015
.amsterdam Q1|2015
.pics Q1|2015
.mls Q1|2015
.holiday Q1|2015
.miami Q1|2015
.rugby Q1|2015
.sale Q1|2015
.money Q1|2015
.rip Q1|2015
.wine Q1|2015
.sydney Q1|2015
.party Q1|2015
.digital Q1|2015
.online Q1|2015
.radio Q1|2015
.horse Q1|2015
.mobile Q2|2015
.vlaanderen Q2|2015
.osaka Q2|2015
.brussels Q2|2015
.bayern Q2|2015
.tour Q2|2015
.gay Q2|2015
.family Q2|2015
.earth Q2|2015
.chat Q2|2015
.yokohama Q2|2015
.luxe Q2|2015
.irish Q2|2015
.quebec Q2|2015
.poker Q2|2015
.porn Q2|2015
.store Q2|2015
.archi Q2|2015
.scot Q2|2015
.video Q2|2015
.site Q2|2015
.taxi Q2|2015
.hamburg Q2|2015
.sucks Q2|2015
.phone Q3|2015
.app Q3|2015
.eco Q3|2015
.shop Q3|2015
.sex Q3|2015
.hotel Q3|2015
.med Q3|2015
.cloud Q3|2015
.shopping Q3|2015
.blog Q3|2015
.buy Q3|2015
.design Q3|2015
.news Q3|2015
.kids Q3|2015
.music Q3|2015
.stockholm Q3|2015
.free Q3|2015
.lol Q3|2015
.book Q3|2015
.love Q3|2015
.surf Q3|2015
.play Q3|2015
.live Q3|2015
.team Q3|2015
.vip Q3|2015
.web Q3|2015