GDPR… so why is it so important all of a sudden?
The European Union (EU) ratified the GDPR during April 2016 and provided the market two years to get ready before enforcing the regulation. As you can clearly see, these two years are behind us and the enforcement will begin on May 25th, 2018.
At this point you must be asking yourself “OK. But what does it have to do with us?”
The GDPR define to which terms and conditions businesses and organizations, regardless of their size and location, must comply to be able to contact EU citizens. In addition, the GDPR define that Businesses and organizations that will breach these terms and conditions will be subjected to fines of up to the greater of 4% of global gross turnover or 20,000,000€.
“With GDPR looming on the horizon it’s never been more important to take a hard look at our lists to make sure that we’re only sending to people who have chosen to hear from us.” – Logan Sandrock Baird
I bet now we have your attention. Therefore, it is a good time to clarify that the information in this post does not constitute legal advice.
Background
The GDPR substitute the EU privacy protection directive from 1995 and are intended personal data of the EU citizens, to establish one single set of data protection rules across Europe and to change the way businesses and organization of EU member countries collect and handle personal data.
While the GDPR only protects the EU citizens, the enforcement is not limited to businesses and organizations located in the EU member countries. Therefore, the GDPR affect the way businesses and organizations located in non EU member countries collect and handle personal data as well. In addition, GDPR experts claim that it is good to apply the GDPR data collection and handling approach to non-EU citizens as well because more and more countries will set data protection rules of similar nature as a result of the GDPR. One example is the Israeli Data Protection Regulations that in many aspects are very similar to the GDPR.
Principles and Definitions of the GDPR
You guessed it right,. This section includes many technical and legal details which are to say the least boring. However, it is crucial to know and understand them to get the gist of the GDPR. To help you keep awake, we added an explanation how you are affected.
Personal Data
According to the GDPR, Personal Data is any information relating to a person who can be identified. By “identified” the meaning is any piece of information that allows to indentify a person directly or indirectly. This includes name, ID number, location, biometric, social info., online identifiers, such as IP addresses and cookies, etc.
The GDPR define that businesses and organization must have a legitimate reason to collect personal data of EU citizens. The purpose of this definition is to encourage businesses and organizations to minimize the data they collect. Therefore, you should check what data you are collecting and make sure you have a legitimate reason to collect and process it.
Smoove allows you to reach Contacts and collect their data. However, you decide which data to collect. Therefore, if you have contacts that are EU citizens, then as far as GDPR are concerned, you are defined as Collectors and we, smoove, are your Processors, only in all that relates to the services you receive from the product and its capabilities.
Controller
Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data of EU citizens.
As smoove customers and/or users, you define what personal information to collect from your contacts. Therefore, GDPR wise, you are the controller of that data. hance , you have to make sure that you have a legitimate reason to collect and process this data. In addition, you have to map the data flow in your organization and the systems you use, especially if you pass data to and from smoove via API, to make sure there will be no unauthorized use of this data.
It is important to note that the GDPR define how EU citizens personal data should be handled and secured and which control policies should be adopted within the organization (privacy policy, computers, filing cabinets, etc.) and not only about servers and smoove. This post will not cover these issues directly.
Processor
Natural or legal person, public authority, agency or other body which processes personal data of EU citizens on behalf of the controller.
As smoove customers and/or users, if you have contacts that are EU citizens, then as far as GDPR are concerned, we are your Processors, only in all that relates to the services you receive from the product and its capabilities. As a processor, we take care of the privacy security of your data in our system. We update and expand these securities from time to time and make sure that our suppliers meet comply to them as well.
Consent
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
This issue is crucial to grasp in the GDPR. It defines:
- How to achieve your contacts’ consent – make sure that the when contacts are giving you their consent, information, or accepting a specific service they do it explicitly, per item, based on clear and separate information.
Smoove provides you several capabilities to create such consent, such as:- Add Subscriber to List – create a list for any mailing method/content type you plan to communicate with your contacts. When you create a registration form, use the “Add Subscriber to List” feature for each relevant mailing method/content type. As a result, the subscriber will be able to explicitly decide to which item to register.
- Double Opt-in – to make sure your contacts explicitly approve the different mailings, you can turn on the Double Opt-in function. This function will automatically send a registration confirmation email to each contact. Until contacts will approve the registration via this email they will be blocked for additional mailings.
- Show of Consent – Controllers must be able to prove the consent of the data subject (see below).
The smoove Communication Line feature allows you to show the entire communication history with a specific contact, from the 1st registration point.
Data Subject Rights
When you collect EU citizens data GDPR defined them as Data Subjects. Therefore, it is important to know the data subjects right and how smoove helps you to comply with them.
Right of Access
GDPR define that:
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: purposes of the processing, categories of personal data concerned, recipients or categories of recipient to whom the personal data have been or will be disclosed,the envisaged period for which the personal data will be stored, existence of automated decision-making and meaningful information about the logic involved.
- The data subject shall have the right to be informed of the appropriate safeguards when personal data are transferred to a third country or to an international organisation.
- The right to obtain a copy of the personal data undergoing processing if not adversely affect the rights and freedoms of others.
Right to Rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Right to erasure (‘right to be forgotten’)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
If your contacts requires you to permanently delete their data in smoove, it is a bummer!
But… we are here to help you. Contact our support team and we will do that for you.
Right to restriction of processing
The data subject can restrict the data processing in one of four cases detailed in the GDPR. In such cases, beyond storage, the data can be processed only for legal purposes (which are detailed in the GDPR as well). The controller must update the data subject when the restrictions are removed.
Right to Data Portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling.
In order for you to comply with the aforementioned data subject rights, at the bottom of every email you create and send via smoove there are links that allow the contact to self access, and change the basic information collected about him/her. In addition, contacts can remove themselves from mailing lists they registered to and no longer interested in. If your contacts ask you for information beyond these basic information, you can easily locate them in smoove and export their information to an Excel file.
Summary
The GDPR, aimed to protect personal data of EU citizens. In a few day GDPR enforcement will begin. It requires the business world, and marketers in particulars, to prepare and adopt new methods and technologies. We, smoove, did, do, and will do all that is necessary for you, our customers and users, to comply with these regulations and others in all that relates to using our product and its features.
Good luck to us all!