Thanks to The Digital Bakery team for the opportunity to provide input in this forum on the upcoming GDPR and its implications for website owners and those involved in email marketing.
There has been considerable hype about the upcoming GDPR (EU General Data Protection Regulation) so I would just preface this blog by stating that the GDPR is a good thing. Admittedly it will increase the administrative and logistical burden for businesses. But morally and fundamentally it is the right thing to do. GDPR is designed to make sure that people take care of what they know about you.
WEBSITES – checklist
- SSL Certificate: A Secure Sockets Layer certificate is installed on your website's hosting space and enables encrypted connections between visitors and your site. A variety are available, and some come with further protection and insurance, so they are worth checking out.
- Pseudonymisation or anonymisation: Websites will need to start moving towards users being identified by a username only, with the rest of their data encrypted and held separately so that there is no direct link between the user and the stored details. Consult your website developer and host about planning this change, as it will require time, planning and budget.
- Newsletters: If you offer visitors to your site the option to receive a newsletter, you must make sure the tick box handling that subscription is set so that they must actively opt in. GDPR no longer allows opt-out consent. You also need to seek consent for each method by which you plan to email them and explain how they can withdraw consent or unsubscribe. Needless to say, all email communication must feature a simple Unsubscribe link.
- User account creation: If you offer eCommerce services that allow users to set up an account to access services, you need to talk to your web developer about SSL and pseudonymisation.
- Enquiry & contact form: Check that your site has an SSL certificate, that stored data is encrypted, and that all details are sent to you under GDPR rules. Remember, you cannot use pre-ticked boxes on enquiry forms to get users to sign up to your newsletter.
- Live Chat: Check the GDPR / Privacy Shield policy of the live chat provider you have in place.
- Connected email: All email services and email storage must comply with the Data Protection Acts 1988 & 2003, the EC (Privacy and Electronic Communications) Regulations 2011, and GDPR 2018. You will need a data retention policy, and you must delete data on expiry of the agreed retention period.
EMAIL MARKETING – checklist
- Define the opt-in status of all contacts in your existing database: Organise them by whether specific opt-in has been recorded and define the approved type of communication. Remember, you will need opt-in if you don’t already have it.
- Ensure compliance for all new contacts: Look at the process for any new opt-in campaigns to ensure you minimise the amount of data needed. Document workflows to notify the relevant parties of opt-in, adjust all forms including any blog subscription forms to include specific and explicit opt-in, and always offer clear ways to unsubscribe for specific types of contact.
- Opt-in Campaigns: Ensure you allow enough time if you need to run re-engagement campaigns for contacts that do not have the correct opt-in recorded.
- Prepare for Subject Access Requests: An important part of the GDPR is the requirement to respond to a request for information “without undue delay and at the latest within one month of receipt of the request”. When an individual requests information you are required to provide them with an overview of what data is being recorded, where data is stored, for what purposes you’ve recorded the data and how long you intend to keep it. The data must be provided in a portable readable format. You must also be able to amend or delete data on request.
- Security Breaches: Organisations are obliged to notify the appropriate supervisory authority, in Ireland this is the Office of the Data Protection Commissioner, within 72 hours of becoming aware of a data breach likely to “result in a risk to the rights and freedoms of individuals”.
- If you use third-party providers for your email marketing, conduct an audit:
  - Make a list of all the providers and applications you use across all departments, e.g. CRM, cloud hosting, email marketing, online survey tools.
  - Develop a third-party provider inventory: at a minimum, identify (i) what type of data is concerned, (ii) what data protection measures are in place, and (iii) who in your own organisation is responsible and what access they have.
  - Map out the path your email data takes: use the inventory to track which data is shared with external providers and how it is processed, and use that map to confirm compliance.
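As an added example (not part of the original post), here is a minimal pseudonymised subscriber store in Python that ties together several checklist items above: explicit opt-in per channel, an unsubscribe path, a portable subject access export and erasure on request. The key, store names and retention period are constructed assumptions, and the personal-data vault stands in for the separate encrypted store the pseudonymisation item describes.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example secret; keep the real key outside the user-data store.
PSEUDONYM_KEY = b"example-key-rotate-me"


def pseudonym(email: str) -> str:
    """Keyed hash of the address: identifies the user without storing it."""
    normalised = email.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()[:32]


class SubscriberStore:
    def __init__(self) -> None:
        self.consents = {}  # pseudonym -> consent record, no personal data
        self.vault = {}     # pseudonym -> personal data; encrypt at rest (assumed)

    def subscribe(self, email, channels, source, consent_ticked) -> str:
        # A pre-ticked or absent box is not consent: require an explicit True.
        if consent_ticked is not True:
            raise ValueError("explicit opt-in required")
        if not channels:
            raise ValueError("consent must name at least one channel")
        pid = pseudonym(email)
        self.vault[pid] = {"email": email}
        self.consents[pid] = {
            "channels": sorted(channels),
            "source": source,  # which form the opt-in came from
            "consented_at": datetime.now(timezone.utc).isoformat(),
            "purpose": "newsletter",
            "retention_days": 730,  # constructed retention period
        }
        return pid

    def may_email(self, email, channel) -> bool:
        rec = self.consents.get(pseudonym(email))
        return bool(rec) and channel in rec["channels"]

    def unsubscribe(self, email, channel) -> None:
        rec = self.consents.get(pseudonym(email))
        if rec and channel in rec["channels"]:
            rec["channels"].remove(channel)

    def subject_access_export(self, email):
        """Portable, readable copy of everything held about the person."""
        pid = pseudonym(email)
        if pid not in self.consents:
            return None
        return json.dumps({"identity": self.vault[pid], "consent": self.consents[pid]}, indent=2)

    def erase(self, email) -> bool:
        pid = pseudonym(email)
        self.vault.pop(pid, None)
        self.consents.pop(pid, None)
        return pid not in self.consents
```

The consent table can be handed to a mailing tool without any address in it; only the vault needs the stronger protection.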
Whilst the above might seem arduous and time consuming, it is a valuable process. Your organisation will emerge from it with renewed confidence in the compliance of your data and a greater understanding of the permissions needed when you engage with your users. For further advice, you can contact Lisa Power on +353 87 236 6738 or [email protected]
- LCP Consulting Limited was founded in 2015 by Lisa Power
- Over 15 years professional experience gained primarily in the Financial Services sector
- Specialist in large-scale regulatory Project and Program Management
- Six Sigma Black Belt
- Professional Certificate in Compliance (PDC1 & 2) via Institute of Bankers
- Certificate in Data Protection awarded in 2018 via UCD & Institute of Bankers