If you are mailing to contacts in Europe, you should be aware of the General Data Protection Regulation (GDPR) law enforcement directive that took effect on May 25th, 2018. This article will give a brief synopsis of the European Union law, how it affects you, and what options Cordial offers to help you stay compliant.
It is important that you work with your legal counsel to make sure you are maintaining data appropriately if mailing to Europe.
Cordial will always try to redirect, forward, or defer GDPR related compliance requests to the client to handle appropriately.
What is GDPR?
According to eugdpr.org the GDPR "replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy." This law has had far-reaching effects on compliance and deliverability for non-US senders.
At first glance, GDPR may seem daunting, but when summed up, the regulation mainly affects how companies collect and store data. The UK’s Information Commissioner’s Office (ico.org.uk) identifies 12 areas that are affected by the GDPR including:
- Determining what personal data you are able to store
- Where the data came from and who you share it with
- Identifying the lawful basis for your processing activity in the GDPR
- Documenting it and updating your privacy notice
- Read more
In essence, GDPR impacts how data is processed for the purposes of direct marketing, which includes storage, segmentation, profiling, matching, sending direct mail, and introduces additional guidelines for marketing phone calls and business-to-business electronic marketing practices.
What does it mean for me?
GDPR outlines stringent privacy protections for EU-based records, which means that companies around the world must manage EU records differently than those based in other countries. Most companies are required to implement a separate solution to store client-hosted permissioned records for European email addresses.
GDPR also outlines rules for the email opt-in process. The legislation requires that there are no pre-checked boxes upon sign-up. Under GDPR, marketers will only be allowed to send communications to recipients who have provided clear and affirmative consent. The use of a pre-checked box does not constitute affirmative consent. In addition, the recipient must be provided with sufficient information as to how their data will be used. Although this may seem to be a burden, these measures will help marketers not only obtain explicit permission from customers, but will also be a key step in establishing strong engagement standards.
How to comply with GDPR on Cordial
Cordial is committed to supporting clients in meeting their GDPR requirements. Below is a summary of all the changes we've made to help you maintain compliance.
Data access and portability
We've built a Download Profile data job that will package all of the data related to a specific contact into a single file. You could already meet this GDPR requirement using existing platform functionality, but this new feature minimizes the effort, as it combines all related data collections into a single package by using API or through the platform UI.
Right to be forgotten
We've significantly enhanced the delete contact functionality. Deleting a contact will now also remove all custom properties from the contact activities (events) collection in Cordial's database, in addition to removing the contact record itself.
We've also added support for advanced scenarios where contact records can be stripped of personal data and/or anonymized without destroying the entire customer record.
If a contact continues to engage such as opening or clicking an old email after the contact record has been deleted, we would no longer track the activity.
Security policy control
We welcome any questions about how you can stay compliant with GDPR on Cordial. If you have any questions, please feel free to contact your Client Sucess Manager.
- Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now
- Consent: lost (GDPR) and found (ePrivacy)
- Cutting out the crap: The truth about the GDPR & consent
- GDPR: What Europe’s New Privacy Law Means for Email Marketers
- GDPR: Taking a 'Glass Half Full' Approach
- GDPR and Marketing