GDPR Overview and Best Practices
In April 2016, the European Union adopted the General Data Protection Regulation (GDPR), a joint proposal by the European Commission, European Parliament, and the Council of the EU which provides individuals with even greater control over the collection and use of their personal data.
As a provider of a world-class email marketing platform, which by its nature has a global reach and deals with the processing of email contact and engagement information, Delivra is committed to ensuring our customers are able to comply with their requirements under the GDPR.
With that goal in mind, we’ve created a robust privacy program that integrates data privacy into Delivra’s core — from training our managers and executives on the GDPR and how it impacts all decisions related to treatment of personal data, to evaluating all of our systems, security practices, and related documentation. Among other things, the key steps that we’ve taken to comply with GDPR requirements are:
- Documented all data processing activities that involve the collection, treatment, and safeguarding of personal data
- Built new processes and features to ensure we can quickly and effectively address any requests from our customers when their subscribers wish to exercise their rights (including the Right of Access, Right to Rectification, Right to Object, Right to be Forgotten, and the Right of Portability)
- Reevaluated all of our sub-processors to ensure they have adequate security measures in place for the safeguarding of personal data processed by them, and to ensure our contracts with them require them to also abide by their requirements as sub-processors under the GDPR
Consent and Purpose
Before discussing how and why you should be collecting personal data, it’s important to define what personal data is, according to the GDPR.
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”^1
While the definition of ‘personal data’ under the GDPR is largely unchanged from its predecessor, the EU Directive, the inclusion of a reference to “online identifiers” is potentially a major shift in how marketers perceive the data they hold and how it should be handled. So, if you’re storing data about a person in a usable way, it probably relates to some identifier of a natural person (including online identifiers like device IDs, cookie IDs, etc.) and is, as a result, personal data.
The tips below focus on GDPR requirements that should be considered at the point of collection.
Personal Data must be “Processed lawfully, fairly and in a transparent manner”^2
Consent and Transparency
For all data covered by the above definition of personal data, you’ll need to be able to justify that you’re processing^3 it lawfully. Consent is just one way of establishing that your processing activities are lawful under the GDPR, but it is likely going to be the one most applicable to the email marketer. Just as it has been with email marketing in the past, explicit, purpose-based collection that is freely given is the highest standard for data collection and use policies. This means that there is no ambiguity as to the activities consented to or the organisation carrying out those activities.
Consent should be clear and unique to a specific organisation and to each reason for processing. Methods like separate forms or separate, unchecked-by-default boxes are obvious options. While there may be other, more creative options that are equally viable, it is important to ensure that clarity is not lost in the process. The transparency of your reasons for processing data is a requirement for building explicit consent. As always, data subjects should be able to withdraw their consent for each, or all, processing activities, and withdrawing consent should be as easy as giving it was.
As with all GDPR-related things, record keeping is vital to demonstrating compliance. Make sure that, however you decide to do this, these records support your consent-based legal grounds.
TIP: If you are relying on consent as the lawful basis for processing your subscriber’s data, we recommend evaluating your subscribe forms to ensure they comply with the consent principles encapsulated in the GDPR (specifically those in Articles 6 & 7 and Recitals 32, 33, 42, 43, and 171).
Personal Data must be “Collected for specified, explicit and legitimate purposes”^4 and be “Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”^5
Purpose Limitation
Obtaining explicit consent goes hand-in-hand with purpose limitation; at the point of data collection (for example, your online form), you should be completely transparent about the purpose for which personal data is being collected such that there should be no confusion regarding the purpose of collection. In addition, once you have collected data for a specified purpose, that data should not be used for another, incompatible purpose. Further, the purpose must be legitimate– in other words, it must not be in violation of applicable laws.
Data Minimization
Related to purpose limitation, personal data collected for an explicit purpose should be limited so that only data which is necessary to fulfill the consented-to purpose is processed. This means that you should carefully review the data being collected against the purpose it is meant to fulfill.
TIP: When evaluating whether or not you’re complying with the purpose limitation and data minimization principles ask yourself some of these questions:
- Have I made it clear to the Subscriber what information I am collecting?
- Have I made it clear to the Subscriber why I am collecting that information?
- Am I collecting more information than I need? (EX: If your subscriber is signing up for a newsletter, do you need information about that subscriber’s gender to fulfill your stated purpose?)
Relevant Definitions:
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
^1: Chapter I; Article 4(1)
^2: Chapter II; Article 5(1a)
^3: Processing is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means” and includes collection, recording, storage, and other common activities.
^4: Chapter II; Article 5(1b)
^5: Chapter II; Article 5(1c)
Lawful Data Processing
As a marketing professional, especially in the context of using an email marketing application like Delivra, you will likely rely on consent (see: Consent and Purpose article) as the lawful basis for processing your subscriber’s personal data. While consent is not the only way to lawfully process personal data, at least one of the following grounds for lawfully processing personal data must apply (Art. 6 GDPR):
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
While it’s true that for most marketing activities, the industry tends to rely heavily on consent as the lawful ground for processing, it is up to you to analyze your data processing activities and choose the right justification(s). If you are unsure which of the lawful grounds listed in the GDPR apply to you, please consult with legal counsel to ensure processing activities are properly justified. As always, diligent record keeping is vital to support these justifications.
Relevant Definitions:
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Security
Risk and Appropriate Technical and Organisational Measures
While personal data is defined very broadly under the GDPR, not all of it carries the same sensitivity or the same severity of harm in the event of unauthorized access. This means that the measures by which you secure personal data (type of encryption, backup procedures, password requirements, etc.) may vary by data type and by the processing activities undertaken using that data. The GDPR requires protection of personal data using “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” throughout the life cycle of the data.
“In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” (GDPR, Recital 78)
The regulation does not prescribe any specific security mechanisms, but rather requires that data controllers and processors take into “account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”^6 should data be subject to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.
Some measures that the GDPR highlights are pseudonymisation and encryption, but the extent to which they represent a standard for data security is unclear. Until more clear guidance is released from the EU, we recommend keeping an eye out for guidance from industry thought leaders, trade organisations, and data security experts and organisations (like the National Institute of Standards and Technology, or NIST), but there may also be clarity in Member State laws and future documents issued from the EU governing body.
Regardless of your current security measures, the GDPR highlights the need for ongoing evaluation of risk to personal data and security measures based on product evolution.
Privacy By Design
The GDPR’s “Data Protection by Design and by Default” model, or more commonly, ‘privacy-by-design’ model, requires that principles of data protection should be taken into account at the product development phase rather than after data is being processed. By implementing appropriate technical and organisational measures, taking into account the nature and sensitivity of data types that will be processed, and ensuring that appropriate data minimization measures are implemented at the product (and feature) development phase, personal data is protected at all stages of its life cycle.
Data Breaches
If you’re getting a hint of that new-regulation smell, that’s because data breach handling and notification is a previously-untouched area of data privacy law in the EU. In the GDPR, the rules for how and when you should notify data subjects and/or the relevant authorities are made clearer.
Notice from Controllers to Supervisory Authority:
For controllers, notice to the appropriate supervisory authority must be made “without undue delay and, where feasible, not later than 72 hours” after becoming aware of the breach, with the following information^7:
- Describe the nature of the personal data breach including, where possible:
  - The categories and approximate number of data subjects concerned; and
  - The categories and approximate number of personal data records concerned
- Include the name and contact details of the data protection officer or other contact from whom more information may be obtained
- Describe the likely consequences of the breach
- Describe what the controller is doing to address the breach and/or mitigate possible adverse effects.
Throughout the process of identifying, measuring the scope of, and remediating the effects of the breach, records should be maintained to “enable the supervisory authority to verify compliance with this Article.”^8
Notice from Processors to Controllers:
Processors must inform “the controller without undue delay after becoming aware of a personal data breach”.
Notice from Controller directly to Data Subject:
If the personal data in question represents “high risk to the rights and freedoms of natural persons,” the controller will need to notify the data subject without undue delay. This notification should include a description of the breach in clear, plain language that includes contact details for the appropriate person (DPO or otherwise), the likely consequences of the breach, and the current and future measures the controller will take to address the breach.
There are a few exceptions to the data subject notice requirement: where the controller employed safeguards or has taken subsequent action to render the risk of the breach inert, and where individual data subject outreach would require disproportionate effort. But as with any exception under the regulation, legal counsel should be sought before proceeding.
Relevant Definitions:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
^6: Article 32(1)
^7: Article 33(3a-d)
^8: Article 33(4)
This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.