Miles: Hey, everybody. Welcome to our introductory webinar on GDPR, here at Emma, every marketer’s favorite hot topic at the moment. My name is Myles Price and I’m the product marketing manager here at Emma. You know, there’s been a whole lot of talk online and throughout the whole marketing community around GDPR and the changes it’s bringing. We want to take this opportunity to share what we know about GDPR as it pertains to both Emma as an ESP and to you as our customers. We’ll highlight the GDPR-compliant features we’re releasing, and finally, talk through what GDPR means to you as a marketer moving forward. Before we get started, I want to introduce our incredible panel of GDPR experts here at Emma. You’ll be hearing from Jesal Shah, our head of legal, Art Quanstrom, who’s our data and privacy lead, Matt Thackson, senior product manager heading up the GDPR updates, and I’m Miles, the product marketing manager here at Emma. Well, without further ado, I’m gonna go ahead and hand it over to Jesal and she’s going to walk us through exactly what GDPR is.
Jesal: Thanks, Miles. Hey, everyone. I’m Jesal Shah, general counsel here. So yes, the GDPR certainly is a big topic and it can be really daunting, especially if you’re a marketer just starting to think through what it will mean for you and how it affects your marketing practices. Our goal here is just to set you up with a framework for thinking about marketing in the era of GDPR. So, heads up. Of course, I have to do this. This webinar and the material included is provided for your general information. It is not intended to act as legal advice. To fully understand the impact of the GDPR on your business, you should consult with independent legal and privacy professionals. Now, even though we can’t provide legal advice to you, we can walk you through some of the main things you should be thinking about when it comes to GDPR. We can provide you with tips on how this relates to the world of email marketing, and also highlight some of the steps that we as a provider of your email marketing application are taking to comply.
So what exactly is GDPR? The General Data Protection Regulation, a regulation adopted in April of 2016, is an effort to ensure consistent and enforceable legal requirements across all EU member states, particularly as it relates to the individual’s right to privacy and the protection of their personal data, which when you read the GDPR, you’ll note is broadly defined. But more on that later.
So, even though the GDPR was adopted in 2016, organizations were given a two-year window to take the necessary steps to ensure that they were fully compliant with the new law. That window is now rapidly closing and all affected organizations will be required to be compliant with the GDPR by Friday, May 25th, 2018, the date the GDPR becomes enforceable. So all of that is fine, but you’re an email marketer in the U.S. Why should any of this matter to you? Well, this new regulation applies both to companies in the EU processing any personal data, and companies outside of the EU that are processing the personal data of individuals in the EU, irrespective of where the data itself actually resides. So in other words, even if you’re sending emails from the U.S. but you’re sending emails to subscribers in the EU, the GDPR applies to you. The regulation is written to apply to any organization that processes the personal data of those in the EU.
This could be your customers, your prospects, your employees, or really anybody who happens to visit your company’s website and who you are tracking information about. So it goes without saying that the number of organizations affected by the GDPR is pretty enormous. So to be clear, if you’re an email marketer, more likely than not, the GDPR applies to you.
Okay, fine. So what does that mean? What rights do these data subjects who you’re collecting information about actually have? So under the GDPR, all EU data subjects will gain increased control over their personal data and how it’s collected, used and shared worldwide. These strengthened controls include provisions that grant individuals with, for example, a greater transparency. Have you noticed maybe that the closer we get to May 25th, 2018, you’ve been receiving more and more emails regarding updates to various companies’ privacy policies? Think about all the brands that you probably subscribe to in your own everyday life.
Have you been getting updates from them regarding updates to their own privacy policies? Well, that’s because come May 25th, individuals have a right to know who is processing their data, their personal data, and for what purpose they are processing that data and to what end that data will be used. Individuals also have the right to access not only information about your processing activities, but they also have a right to access the personal data that has been collected about them. To ensure you’ll be able to meet these requirements, we suggest auditing and documenting all data processing activities as a starting point. In addition to notice and access, individuals also have the right to require organizations to correct inaccurate personal data that is being held about them.
Another right which frequently accompanies the right to rectification is one that is particularly daunting in the age of big data. It is the data subject’s right to erasure, also known as the right to be forgotten. Essentially, individuals have the right to have personal data about them erased in certain circumstances. Some of those include when the personal data is no longer necessary to achieve the purpose for which it was originally collected or if the data subject requests erasure, or if the data subject objects to processing. Individuals also have the right to require the restriction of their processing of the personal data in certain circumstances, including when they object to the processing of that personal data. In certain circumstances, under the article 20 right to portability, the data subject has a right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format so that they’re able to transfer the personal data to a recipient of their choice. The GDPR also grants data subjects the right to object to processing of their personal data and to withdraw previously given consent to the processing of their personal data.
Individuals also have the right not to be subjected to decisions based solely on automated processing. Now, this includes profiling, especially where this produces legal or other similarly significant effects on him or her. Since the GDPR is more nuanced than the summary I’ve just provided, we recommend spending some time with legal counsel to understand the rights of data subjects as they translate to your processing activities. So, where should organizations like yours start when it comes to GDPR compliance? Well, the process is going to be pretty different for every organization. After all, what GDPR compliance looks like for you depends a great deal on how you’re currently using personal data. We recommend by starting with documenting all of your current data processing activities. Think through the ways that your brand collects, manages and acts on information, and map out how the new rules and restrictions will impact how you do business. Next, seek out expert legal and privacy advice. Whether that’s from an in-house counsel, an outside lawyer or firm, or better yet, both. GDPR is a big, complex, evolving and sometimes difficult to understand regulation. And organizations that design their compliance roadmap without sufficient legal guidance and oversight could be putting themselves in a very risky situation. All right, now I’m gonna pass this over to Art to walk you through more of the nuts and bolts behind what drives GDPR. Take it away. Art.
Art: Thanks, Jesal. Hey, everyone. I’m Art Quanstrom, the data privacy lead. So, Jesal just walked us through what GDPR is. Now, let’s talk about why it’s critical in the privacy game and what we’re doing to help. Any piece of information that can be used directly or indirectly to identify an EU citizen is personal data, period. That can be obvious identifiers like email addresses or ID numbers, but it can also apply to more ambiguous data points like a given person’s biometric data, location information, IP address, and a whole lot more. Among its goals, the GDPR seeks to add accountability to the practices of data controllers and processors. What does that mean exactly? A controller is the one who determines the purposes and means of the processing of personal data. A processor is one who processes personal data on behalf of the controller. More simply put, a controller is you, and possibly us, and a processor is us when you send emails through our platform.
While there are other options for lawful data collection and processing, for marketers, consent will be the strongest and most familiar way to achieve this. First, we’re building internal privacy by design guidelines and training our product and engineering teams on GDPR to make sure that data privacy principles are taken into account during the earliest stages of feature and product development. So, from the discovery phase of product development all the way through production, we’ll have an end-to-end system in place to make sure that everything released is GDPR compliant.
When your subscriber reaches out to you to exercise their rights, for example, of erasure or rectification, it’s our responsibility as the data processor to assist you in complying with that request, in so far as it pertains to data processed through our application. We are updating our platform with features that help you fulfill that subscriber’s request in a timely manner. We’re going to walk you through those in just a minute.
We’re auditing and documenting all of our current security measures and practices. This covers building security, data storage, and a whole lot more. Where security measures can be further strengthened, our team is working quickly to implement those updated security measures before May 25th, 2018 so we can make sure the appropriate technical and organizational measures are in place for the safeguarding of personal data. We’re also reevaluating all of our subprocessors to ensure that they have adequate security measures in place for the onward processing of any personal data processed by them. And with that, I’ll hand it over to our product team to talk through some of the new updates you’ll be seeing in your account.
Matt: Thanks, Art. Hey, everybody. My name is Matt Thackson, senior product manager here at Emma. We’ve been working hard with our product teams and engineers to make sure that Emma is GDPR compliant, and today I’m going to walk you through some of those new changes inside the app. Under new GDPR guidelines, data subjects, in this case, your subscribers, have the right to transparent information about your processing of their data, deletion, correction and portability of their data, and the right to restrict or completely revoke consent for future processing of their data, including objection to any automated decision-making that may be in place based on their personal data. So with that in mind, we’ve added some functionality to Emma that makes it easy to respond and act on your customers’ requests. Here’s a look at what’s new.
A new tracking consent toggle lets you enable or disable tracking pixels on a subscriber’s contact record. If tracking is disabled, the subscriber will still remain an active member and will continue to receive any mailings sent to them, but we won’t be able to see any of their behavior typically tracked, like opens, clicks, forwards, and shares. New export and delete functions. The new export function bundles up all of that subscriber’s data into a shareable CSV. And now when a subscriber is deleted from the archive, all of their data is permanently removed from our system, including their mailing response data and all personal data you have stored about them. And we’ve updated our send to a friend feature. We’ve made it GDPR compliant so no email addresses are saved when a mailing is shared, and we’ve built a new user experience that links to the mailing’s web view.
Miles: Okay, so we’ve covered the ins and outs of GDPR, the how and when it will be enforced, and the GDPR updates we’re releasing in Emma. Now let’s talk what this means for you, the marketer. It’s time to review your opt-in process. Leading up to the May 25th GDPR effective date, now is the time to take another look at the consent you’ve received from your subscribers prior and strategize how you will obtain consent in the future under the GDPR’s requirements. If you’re an Emma customer, you should already be sending to subscribers who have given you permission. So really, this just means adding a few new items to your to-do list.
And finally, ensure that your online privacy notices aren’t hidden, they’re not too long or difficult to understand. Operationalize ways to respond to your subscribers’ requests. Data subjects, in this case, your subscribers, have the right to transparent information about your processing of their data, deletion, correction, and portability of their data, and they have the right to restrict or completely revoke consent for future processing of their data, and that includes objections to any automated decision-making that may be in place based on their personal data. So you’ll need to operationalize ways to respond to and quickly address these subscribers’ requests to exercise their rights under the GDPR.
Number one, the process for the subscriber to exercise their rights as a data subject should be clear. Make sure instructions for the process are where they’re expected to be and that the mechanism to make the request is easy to use and does not require special knowledge beyond that needed to verify the request. Number two, requests for information may not always be legitimate. As the data controller, you’ll want a way to confirm the identity of the requester so that you’re not disseminating personal data to the wrong person. Number three, responses should be timely and accurate. Four, there may be lawful grounds that prevent you from modifying or deleting, in part or whole, the record. Consider these carefully and fully document your reasoning. Number five, keep your responses to data subjects clear and unambiguous. Number six, make sure a subscriber’s data is in a common readable and portable file format in case they want to store that data elsewhere for their own purposes. Number seven, you’ll generally have one month to fulfill the request, though there are allowances for additional time under certain circumstances. And number eight, finally, all steps in the above process should be documented.
And finally, keep a record of each of your signup forms, data collection mechanisms, and processing activities. Just like your computer, everything should be backed up. This could be saving the underlying code, a screenshot, PDF, or a use case description of any data collection mechanism you’re currently using or will use in the future. And it can help you prove the nature of consent between you and your subscribers.
All right, everybody, that about wraps it up for today. I hope we were able to help clear up GDPR and hopefully make it a little less scary and daunting. I want to give a huge thank you to Jesal, Art, and Matt for all the expert GDPR advice. Just as a quick recap, we went over what GDPR is and why it’s critical, what we’re putting in place, and a look at the new GDPR updates and what GDPR means for email marketers. And as a takeaway, just remember a few things. Don’t be afraid of GDPR. It’s here to provide your customers with valuable protections that’ll help them engage with you more confidently. Seek legal counsel for any areas where you’re unsure, and remember that we’re working hard to make sure that compliance will be a breeze when it comes to your email efforts. For even more information on GDPR, check out our trust center at myemma.com/trust, where you’ll find all of our documentation on GDPR, privacy, and security. Thanks, everybody.