Companies who handle personal data of EU residents are obligated to comply with the EU’s new GDPR regulations by May 25th.
As a Data Processor and an Email Marketing Platform, Remarkety provides strong tools and features to help you with your GDPR compliance efforts.
* Please note that the following information does not constitute legal advice.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation, which replaces the Data Protection Directive 95/46/EC. The GDPR is intended to harmonize the patchwork of data privacy laws across its member states. The objective of GDPR is to protect all EU residents from privacy and data breaches in an increasingly data-driven world. The GDPR seeks to accomplish its objective by providing certain rights and freedoms to EU residents in relation to the processing of their personal data.
When will GDPR take effect?
The GDPR is currently scheduled to be effective on May 25, 2018.
How does Remarkety help you with GDPR compliance?
Here are some of the techniques and features that will help you, as an eCommerce email marketer, comply with GDPR.
1. Obtaining consent
- In order to send people marketing emails, you need to get their approval. If you are using Remarkety’s subscription forms and double opt-in (built-in feature), the consent records (customer approval) will be saved in our logs with supporting data like their IP (if available), email address and date and will this data be available as evidence that a person consented to receive marketing emails. Data can be previewed within the Remarkety app in a detailed contact timeline view.
2. Right to be forgotten
- Under GDPR, your customers have the right to request removal of all their tracking data that you possess. Remarkety makes it easy for you to delete all of a specific customer’s data that is stored within Remarkety, via a single “Delete” button in the Contact Details screen. [In progress. Expected May 2018]
3. Right to access and Data Portability
- Under GDPR, your customers have the right to request all data that you have stored regarding their actions. Remarkety makes it easy for you to download the specific data that Remarkety has stored for a specific customer via a “Download” button in the Contact Details screen.
Should I update my privacy statement?
You, as data controller, should certainly disclose in your privacy statements that you use third party service providers, such as Remarkety, to help manage your business operations and that personal information will be shared with service providers as necessary to deliver operational services. You may find it helpful to provide a further explanation to users about the types of services that are typically outsourced to third parties and also the names of the key vendors used (e.g. Remarkety). There is not generally a legal requirement to disclose a full list of vendor names, but it can be helpful to aid compliance with the transparency principle.
What are some of the key elements and changes to the law under GDPR?
These are some of the key elements or changes under the GDPR. These issues are more general and not necessarily related directly to Remarkety, but we thought it will be important for you to know:
- Obtaining consent. Explicit consent by a “clear affirmative act” will be required, as opposed to a soft opt-in. Formerly used methods such as pre-ticked boxes, silence, or inactivity will not constitute consent. Consent records must be maintained so they can be presented if you are challenged.
- Extra-territorial scope. The rules, at least for now, state they apply to all persons or companies who handle personal data of EU residents, regardless of whether or not they reside in the EU.
- Increased penalties. Fines can be significant. Infringement of certain provisions can result in fines of up to 20,000,000 EUR, or up to 4% of the total worldwide annual turnover of the provider’s preceding financial year, whichever is higher.
- Right to be forgotten. The right to be forgotten, previously a right arising from a court decision, is now codified in the GDPR. A data subject has the right to be forgotten, meaning that his/her personal data must be erased upon request, and no longer processed where the personal data is no longer necessary to the purposes for which it was collected.
- Right to access. A data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The controller is required to provide a copy of the personal data, free of charge, in an electronic format.
- Data portability. A data subject has the right to receive the personal data concerning them, which they have previously provided in a “commonly used and machine-readable format” and have the right to transmit that data to another controller.
- Privacy by design. The GDPR calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing. As a result, developers of applications, services or products that will process personal data should take the new regulations into account during the design and development process to ensure that the final product will protect the personal data of its users. Privacy has to be by design, not an afterthought bolt on.
- Breach notification. Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
* Remarkety’s Term of Service will be modified to set out client’s responsibilities for making disclosures to, and obtaining consents from, end users in the EEA. [In progress. Expected 2018]
** Please note that Remarkety does not make your business compliant with GDPR by default. GDPR requirements and rules are complex, and the responsibility to comply with the GDPR is yours. We recommend consulting with your company’s legal counsel regarding which steps and measurements you have to take.