Meaning of GDPR
• The European Union's new privacy law - the General Data Protection Regulation (GDPR) - came
into effect on May 25, 2018.
• This new regulation applies to the data of all EU citizens, irrespective of where the data is stored
or sent (for instance, even if the data is sent from the US to recipients in the EU).
• This new regulation is an extended effort to ensure consistent and enforceable legal requirements
across all member states to protect the right of any EU citizen to privacy and the security of
their personal data.
Meaning of GDPR
GDPR is applicable to:
• Any business located within and outside of the EU.
• Anyone possessing the personal data of EU citizens.
GDPR applies to anyone who collects, records, organizes, stores,
or performs any operations on data.
Right to Request
• Users have the right to request information about their data
• Organizations must react by:
O Having a clear process for requests
O Adding an identity confirmation procedure
O Not modifying or deleting the record or document
O Fulfilling the request within one month
O Delivering the information in a readable and portable format
O Documenting the process
Data Activities Included in GDPR
This regulation applies to:
• Anyone who collects their data
• Anyone who processes or analyzes data, like segmenting a list based on the data or sending a personalized offer
• Anyone who records data (including third-party providers)
Data Activities Included in GDPR
Users have the right to request information about the following data processing or analysis activities:
• Data segmentation for offers
• Data usage in target advertising
• Use of data to show personalized content
Data Activities Included in GDPR
Companies must disclose relationships with third-party providers
that access and store data, including:
• Use of data in CRM
• Sharing of data with third parties
Right to Be Forgotten
The right to portability of data states that:
• The user has the right to be completely removed and deleted from the records.
Ideal Opt-in Process
The best practices for an opt-in process are:
Express Consent:
• Avoiding ambiguous consent
• Not adding a pre-checked subscribe check-box; the box has to be unchecked by default
• Adding a proof of consent to:
O Forms
O Landing pages
[Screenshot: a signup form with an unchecked box labelled "Yes, I want to receive regular communications via email." next to a Subscribe button.]
Example: Proof of Consent
In this example, a third-party ESP maintains a database to record the proof of consent:
• Who (subscriber name)
• Date of consent
• What they agreed to
• How they consented
O Website form
O Checkout form
• When the consent was withdrawn
[Screenshot: ESP subscriber list with the columns Name, Tags, Email Marketing, Source, Contact Rating, Date Added and Last Changed; every row shows the status "Subscribed", the source "Hosted Signup Form", and a date and time for Date Added and Last Changed.]
Clear Consent Terms
• Disclosure of how an email address will be used is required. Any of the following
can be listed:
O Processing
O Segmenting
O Personalized Offers
• For example, when a user enters their email address to participate in a contest or download
a whitepaper, you cannot send marketing communications:
O If you did not disclose that their information would be used to send promotional emails.
O If they did not agree for their information to be used that way.
Unsubscribe Options
It is easy to unsubscribe if:
• A fee is not charged
• Additional information is not requested
• There is no further process, or it is limited to one page
• Login information is not requested
[Screenshot: an "Update your preferences" page with a single Email Address field.]
Reengagement Emails
• Companies are not allowed to contact unsubscribed users.
• Flybe was fined £70,000 for deliberately mailing unsubscribed users.
Audit Your Current List
Ensure that the existing subscribers were gathered in a way consistent with current GDPR
requirements. The list must:
• Be clear and have an affirmative opt-in action
• Be provable
• Be recorded
• Have a mechanism of opt-in and consent
• Have agreement terms
Essential Questions for Compliance
• Did your subscribers opt-in to your list, and can you prove it?
• On your sign-up form, did you clearly explain how you will use subscribers' data
and what content you will send them? Can you prove it?
• Can your subscribers unsubscribe from your list as easily as they subscribed?
Requirements of Proof of Consent
• The date and time the subscriber opted in
• The source of the opt-in (Website Subscription Form, "Added via API")
• A screenshot of the data collection mechanism (your signup form or landing page)
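The proof-of-consent record described in the ESP example above and in the list just given can be modelled as a small consent ledger. The following is an added example, not code from the slides or from any ESP; the class names, the `evidence_ref` field and the sample subscriber are hypothetical and constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

@dataclass
class ConsentRecord:
    """One proof-of-consent entry: who, when, what, how, and when withdrawn."""
    email: str
    name: str
    consented_at: datetime
    source: str                 # e.g. "Website Subscription Form", "Added via API"
    purposes: Tuple[str, ...]   # what they agreed to, e.g. ("newsletter", "offers")
    evidence_ref: str           # hypothetical id of the stored signup-form screenshot
    box_checked_by_user: bool   # False means a pre-checked box: not affirmative consent
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record_opt_in(self, rec: ConsentRecord) -> None:
        # Reject anything that would not survive an audit: pre-checked box, no purpose, no proof.
        if not rec.box_checked_by_user:
            raise ValueError("pre-checked box is not an affirmative opt-in")
        if not (rec.purposes and rec.source and rec.evidence_ref):
            raise ValueError("purposes, opt-in source and proof are all required")
        self._records[rec.email.lower()] = rec

    def withdraw(self, email: str, when: datetime) -> None:
        # Unsubscribe keeps the record as an audit trail; only the timestamp is added.
        self._records[email.lower()].withdrawn_at = when

    def may_send(self, email: str, purpose: str, now: datetime) -> bool:
        """True only for a recorded, unwithdrawn opt-in that covers this purpose."""
        rec = self._records.get(email.lower())
        if rec is None or (rec.withdrawn_at is not None and rec.withdrawn_at <= now):
            return False
        return purpose in rec.purposes

def demo() -> Tuple[bool, bool, bool]:
    ledger = ConsentLedger()
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample data
    ledger.record_opt_in(ConsentRecord("a@example.com", "A. Sample", t0,
                         "Website Subscription Form", ("newsletter",), "shot-001", True))
    before = ledger.may_send("A@example.com", "newsletter", t0)   # True
    offers = ledger.may_send("a@example.com", "offers", t0)       # False: never agreed to
    ledger.withdraw("a@example.com", datetime(2018, 7, 1, tzinfo=timezone.utc))
    after = ledger.may_send("a@example.com", "newsletter",
                            datetime(2018, 8, 1, tzinfo=timezone.utc))  # False
    return before, offers, after
```

Sending a purpose the subscriber never agreed to, or mailing after withdrawal, is refused by `may_send`, and the withdrawn record stays in the ledger as evidence.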
Audit Subscription Mechanisms
The elements to be reviewed include:
• Landing pages
• Subscription forms
• Registration forms
• Contact forms
The review questions include:
• Are these explicit opt-ins?
• Are clear terms presented?
• Is consent bundled or specific?
• Is a privacy policy available?
Audit Mechanisms for Unsubscribe Option
• An ideal unsubscribe must be a one-page, single-click process.
• It must be processed immediately.
• Marketers must not:
O Require a reply with "unsubscribe" in the subject line
O Request additional information
O Request payment
O Have a multi-page process
Privacy and Data Policy
A privacy policy:
• Must be clearly written for people to understand
• Outlines the data that you collect directly
• Defines the cookie policy
• Lists the types of information collected under the privacy and cookie policy,
how it is used, whether it is shared, and with whom it is shared
• States where the user's data is stored and processed
• Addresses users' rights, with links or instructions to request their data,
request to be forgotten, and data portability