In April 2016, the European Union (EU) approved measures to protect the private data of its citizens under the General Data Protection Regulation, now commonly known as the GDPR. As a result, by May 25th of this year companies and entities that hold data of EU citizens and residents must take certain measures to make sure they are in compliance with the GDPR or face a hefty fine.
Since we as an email company do work with subscriber data, we thought we would be transparent with what we are doing to become GDPR compliant.
What is the GDPR?
First, let’s take a quick high-level look at what this regulation is and who it affects. As mentioned, the EU is taking steps to protect the data of its citizens. In their own words:
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
However, this regulation affects anyone who holds any private data of EU citizens or residents:
“The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
The data in question is any information you have on a consumer that can be used to identify them in any way. A picture, an address, an IP address, a post from social media – if you can tie it to a person who is a citizen of the EU, then you must work to become GDPR compliant.
The regulation further classifies data holders into two categories: controllers and processors. Controllers are individuals or entities that determine how the personal data of the consumer will be leveraged. Processors are the individuals or entities that controllers use to engage with consumers on their behalf. To use their example:
“… if Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor.”
Companies and individuals not compliant by May 25th will face a fine of 4% of their annual revenue, or 20,000,000 EUR (or its currency equivalent) – whichever is the greater sum.
What is WhatCounts doing?
As a processor, it’s important to us that we do what we can to help our clients become GDPR compliant, educate themselves on the regulation, and safeguard themselves for the future. As such, we’re taking the following steps to ensure our customers can
- Easy access to a Subscriber’s Data – We will be adding a feature to the Subscriber Details page allowing you to generate a file of a subscriber’s personal data in a single click.
- Form Version History – We are adding the ability to save changes to your Sign Up Forms and Preference Sites as a version so you can always go back and confirm consent for a specific subscriber.
- Ensuring all third-party integrations are compliant with GDPR regulations.
- Adding ourselves to the Privacy Shield list and adhering to the framework they provide.
Be on the lookout for these changes coming soon.
What you should be doing
Here are some steps you can take on your end that are considered GDPR best practices:
- Identify any and all opt-ins that will need to be updated. To help with the updating process, it’s a good practice to list out what fields your forms have on them currently, and what needs to change to make them GDPR compliant.
- Along these lines, you’ll need to update your preference site as well.
- Put together a re-permission campaign, asking your subscribers and customers to re-subscribe to any list they may have been on. Make sure the campaign itself falls within the regulation, and we encourage you to direct people to your preference center.
- Put together a process that spells out how you’ll handle requests from subscribers as it pertains to their data. Under the GDPR, they’ll have the right to request what personal information you have on them (that they provided to you) and also the right to ask that you delete it entirely.
These are just a few tips to keep in mind while you approach becoming compliant. We strongly encourage that you educate yourself as much as possible on this matter, identify any and all additional steps you need to take to conform to the regulation, and work with your team to get everything handled before May 25.
We are constantly educating ourselves on this matter and have started a repository of resources we believe could be helpful for you to check out. You can find it here.
Disclaimer: While we can provide resources and display what we are doing to become GDPR compliant as a sort of guide for others, we are in no way stating these are the official steps everyone must take to safeguard themselves. We strongly advise that you work with your legal department to thoroughly research what must be done within your company to be compliant.