Not only in Europe but also across the rest of the world, the GDPR has many in a dither. The new legislation raises many questions: Does the GDPR apply to my company? Will I be fined if don’t meet the requirements? Will I have to adjust my current database? Trying to find an answer in the cumbersome and near to incomprehensible texts would drive even the most tenacious individual to distraction. But help is at hand for we have made a list of the most pressing questions and figured out the ins and outs on your behalf. The result has been compiled in this White Paper.
GDPR is short for General Data Protection Regulation, known in Dutch in short as the AVG or in full as the Algemene Verordening Gegevensbescherming. It is a new European law that replaces the antiquated Data Protection Directive of 1995. The law was adopted in 2016 but adherence thereto will only be checked as of 25 May 2018. The new law deals with the manner in which companies are entitled to collect, use, store and delete personal data. It is applicable to businesses from all sectors that process personal data of EU citizens. It merits more than a cursory glance because this particular piece of legislation is extraordinarily comprehensive. Even companies that kept email addresses of job applicants on file since last year come within the scope of the GDPR and will have to adjust their policy.
As of 25 May 2018, companies may, in principle, be subject to fines. The fines can amount to 4 % of a company’s annual turnover or to 20 million euro, whichever amount is the greater. These are the maximum fines for the most serious offences; the Privacy Commission did not specify a minimum amount.
Where to start?
Data Protection Impact Assessment: in some cases, you will be obliged to carry out a DPIA. This applies to companies who process data on a large scale, such as direct marketing companies, for instance. It entails carrying out a security audit, examining how your company processes data and whether there is any risk of the data getting lost or stolen. On the basis of these findings you will need to draw up an action plan to contain the risks identified.
Create a database: anyone processing personal data will have to create a database, containing information such as the time frame within which data are erased and what the data will be used for. Within the Flexmail tool you can use the date of creation. Flexmail shows when a contact was imported or an opt-in was used. Be sure to keep in mind that the contact could predate the time that you’ve been using Flexmail.
Obligation to report data leaks: if you notice that data have been stolen or, in one way or another, ended up in the wrong hands, you are obliged to notify the authorities and any customers affected within 72 hours.
Data Protection Officer: in some cases, you will be obliged to appoint a DPO, for one, if direct marketing is your core business. That obligation can be met by appointing an external consultant or a member of staff who will assume the mandate of what can best be described as a privacy prevention adviser.
Right to information: come May, businesses will be obliged to clearly specify what they use their customers’ personal data for. It is not only important to make that clear when you receive the information but also further down in the processing process.
Right to be forgotten: your contacts are entitled to have their personal data deleted from your database at any time.
Right to rectification: your contacts are entitled to have their personal data completed or corrected if they are incorrect.
Right to access: your contacts are entitled to consult their personal data and to know what their data are used for. Furthermore, businesses are obliged to, on request, furnish their contacts with a free copy of that information within 30 days.
Right to data portability: your Contacts are entitled to have their data transferred, meaning that they are entitled to have their data securely transmitted to another institution.
Right to object: your contacts are entitled to refuse that their data are used in a certain context. You are obliged to allow your contacts to object online if you are planning to use their data. This will enable them to object to their personal data being used for direct marketing purposes, profiling or automated decision-making.
What type of information do I process?
Personal data are data that can identify a person, be it directly or indirectly. Examples that spring to mind are email addresses, social media posts, IP addresses…. For sensitive data, far more stringent rules apply. Sensitive data are data relating to race, genetic information and suchlike. As most companies process personal data only, the rules on the processing of sensitive data will not affect them. As data controller, it is up to you to take the necessary measures per individual category.
How do I deal with my current contacts?
If you obtained their information in line with GDPR standards, there is no issue. However, if you obtained their information via a pre-checked form on your page you will have to ask your contacts’ permission again as the information in question is deemed not to have been ‘provided freely’.
To do so, you could launch a reactivation campaign, i.e. send an email to all the people in your database concerned, asking them for a new opt-in. In other words, you will be asking them to subscribe to your newsletter or other communications again. The more appealing your email, the more likely your customers will see the benefit of opting in again. As there will always be some recipients who will disregard your email, you are bound to lose a number of contacts.
It is worth bearing in mind though that those you will ultimately be left with will be committed contacts and the target audience worth focusing on when engaging in email marketing. Result: a committed target audience, representative results, greater commitment and enhanced deliverability!
How do I tackle my reactivation campaigns within Flexmail?
The program offers you two methods to launch your reactivation campaigns: a direct and an indirect one.
Direct: you send out an opt-in campaign. This is a message with an opt-in link. As you send out the campaign, your campaign contacts are deactivated. As soon as your contacts click on the link they become active again. Any contacts that do not click on the link will remain inactive and will not receive any further mailings.
Indirect: you send out a regular campaign, e.g. a newsletter. You make sure that the question whether they want to receive any further mailings features in a prominent position. In addition, you include a button they can click. Make sure that this button is linked to a landing page for instance, so that you can assign a certain tag to your contacts.
This offers you several options:
Creating an interest label.
Creating a field in the contact details which you edit via the workflow.
Adding contacts who do confirm to a new segment via the workflow.
What is my role?
Anyone who consults personal data is either a data processor or a data controller. A data controller is the company that decides what type of data are collected and what they are used for. A data processor is the company that processes data on behalf of other companies. In other words, Flexmail is a processor. Thus, Flexmail is a smart channel used by the client, but not the controller .
When it comes to data protection, data controllers bear primary responsibility. This for one entails that it is up to the data controller to report any data leaks within 72 hours.