If you are mailing to contacts in Europe, you should be aware of a new law called the GDPR (General Data Protection Regulation) that took affect on May 25th, 2018. This article will give a brief synopsis of the new law, how it affects you and what steps Cordial took to be compliant.
Note: It is important that you work with your legal counsel to make sure you are maintaining data appropriately if mailing to Europe.
What is GDPR?
According to eugdpr.org the GDPR, or the General Data Protection Regulation, "replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy." This law will have far reaching effects on compliance and deliverability for non-US senders.
At first glance, these new regulations can seem daunting, but when you break them down they primarily affect how companies collect and store data. The UK’s Information Commissioner’s Office (ico.org.uk) identifies 12 areas that are affected by the GDPR including:
- Determining what personal data you are able to store
- Where the data came from and who you share it with
- Identifying the lawful basis for your processing activity in the GDPR
- Documenting it and updating your privacy notice
- Read more
In essence, GDPR affects being able to process data for the purposes of direct marketing, which includes storage, segmentation, profiling, matching, sending direct mail, making marketing phone calls and electronic marketing in the B2B sector.
What does it mean for me?
GDPR outlines stringent privacy protections for EU-based records, which means that companies around the world will need to treat EU records differently than those based in other countries. Most companies will be required to implement a separate solution to store client-hosted permissioned records for European email addresses.
GDPR also outlines changes to the email opt-in process. The legislation requires that there are no pre-checked boxes upon sign-up. Under GDPR, marketers will only be allowed to send communications to recipients who have provided clear and affirmative consent. The use of a pre-checked box does not constitute affirmative consent. In addition, the recipient must be provided with sufficient information as to how their data will be used. While this may seem like a burden for marketers, these actions will help marketers not only capture explicit permission from their customer, but will be a critical step in establishing strong engagement criteria.
What Steps is Cordial taking?
Cordial is committed to supporting clients in their GDPR requirement. Below is a summary of all the changes we've made to make sure we (and you) stay compliant
Data Access and Portability
We've built a new Download Profile job, that will package all of the data related to a specific contact into a single file. You could already meet this GDPR requirement using existing Cordial features, but this new feature minimizes effort by combining all related data collections in a single package from either an API call or a click in the UI.
Right to be Forgotten
We've significantly enhanced the delete contact functionality. For compliance safety, deleting a contact will now also remove all custom properties from the contact activities (events) collection in Cordial's database, in addition to removing the contact record itself.
We've also added support for advanced scenarios where contact records can be stripped of personal data and/or anonymized without destroying the entire customer record.
Security Policy Control
In short, we are aligned and ready. We welcome any and all questions about our readiness for GDPR and how it affects you. Feel free to contact your Client Sucess Manager with any questions.
- Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now
- Consent: lost (GDPR) and found (ePrivacy)
- Cutting out the crap: The truth about the GDPR & consent
- GDPR: What Europe’s New Privacy Law Means for Email Marketers
- GDPR: Taking a 'Glass Half Full' Approach
- GDPR and Marketing