Having dealt with Canada’s anti-spam legislation for deveral years, Dialog Insight n’a pas été très surprise d’apprendre, en 2016 que l’Union européenne suivait la vague en votant un projet de loi pour encadrer les communications électroniques de nature promotionnelles. Cette nouvelle loi entrée en vigueur en mai 2018 et applies to any organization that processes the personal data of EU residents and citizens.
Officially, this law is called the General Data Protection Regulations, GDPR for Intimates. It aims at increasing the obligations of organizations processing personal data and at strengthening the control that EU citizens have over the collection and use of their personal information.
It is important to distinguish GDPR, which deals only with personal data, and e-mail per se. There is no mention of communication channels in this law. Information about electronic communications can be found in the European Directive on the protection of privacy in the electronic communications sector, which dates back to 2002. These indications are similar to the different notions of consent in Bill C-28 in Quebec, for more information, you can consult the article of the law here.
Although we tend to talk about the GDPR as a closed issue, we were surprised to learn that one year after its implementation, two-thirds of companies were still not in compliance with the new law[1]. It’s huge! So I guess the subject is far from being closed…
If you are in this situation, the rest of this article tells you the different steps you need to take to make sure you comply with this law.
1. Review existing practices
The first step on the road to GDPR compliance is to understand how personal data is stored, processed, shared, and used within your enterprise. Identify the existing personal data processing practices, those responsible for them, the current security levels, and the changes required.
Know that GDPR obligations do not apply only to your enterprise but also extend to your suppliers who process personal data on your behalf.
2. Keep a register of processing activities
Your enterprise must be able to prove compliance with the GDPR at any point in time. To that end, you must keep a register of data processing activities, which replaces the mandatory declaration to the CNIL. This register should include all operations performed on personal data related to the following processes: collection, storage, use, sharing, or destruction. You must ensure, at all times, that the processes in place are compliant, secure, and that they guarantee data confidentiality.
As soon as a processing activity that may infringe privacy is detected, you must conduct a privacy impact assessment. These assessments must also be documented.
3. Keeping a healthy database
The implementation of the GDPR is a good time for you to rework your database and keep it healthy over time. It is important for you and your customers that you keep only relevant information. That’s why you should regularly clean your database and make sure you don’t keep inactive contacts or irrelevant information in it.
Besides, if you have sensitive customer data, a regular review of access within your organization may be a good practice to ensure that only those employees who need it have access.
It is also a good idea to take all your information-gathering tools and adapt them to the legislation. Ask yourself if the information requested in your different forms is necessary for your organization in your different marketing targeting actions.
4. Appoint a data protection officer (DPO)
Such an appointment is mandatory only for public sector organizations and companies processing sensitive data and/or data on a large scale. However, having recourse to one is highly recommended for other enterprises also.
This person must be involved in matters relating to the protection of personal data. The data protection officer’s main duties are to ensure compliance, to advise the controller on its application, and to act as a contact person with supervisory authorities. He or she may also be responsible for notifying the CNIL and the people concerned in case of violation of privacy, within a maximum of 72 hours.
5. Apply the principles of privacy by design and privacy by default
The principle of privacy by design aims at building privacy protection upfront when developing a new product, service, or application.
The principle of privacy by default means that once a product, service, or application has been released, the highest possible level of data protection should be guaranteed by the enterprise by default. Also, the amount of personal data collected should be strictly limited to that which is necessary for the optimal use of the product, service, or application.
6. Provide flexible access to user data
The GDPR guarantees your customers new rights to access their data. You must be able to respond to 4 overriding rights of your users:
- Right to forget: Your contacts have the right to ask you to delete all the data you have on them. Be sure to centralize your contacts’ information in case they apply their right to forget, it will be easier for you to delete their information quickly.
- Right of rectification: Your contacts can ask at any time to rectify their information.
- Right to portability: Your contacts must be able to request and retrieve the information you have about them at any time. You should, therefore, have a system for extracting data in a common, open, computer-readable format.
- Right of access: It is important to clearly define, in your privacy policy, the use you make of the personal data you collect. In the case where your client exercises his right of access, he must be given simple access to his data, as advocated by the right to portability.
7. Raise awareness and train employees
Any employees who are likely to handle data must be aware of best practices to ensure its protection and confidentiality. Make sure to train all concerned within your enterprise.
You can also use specialized marketing solutions to exploit your data. For example, as part of a distributed marketing strategy, solutions such as Dialog Insight allow you to configure a wide range of personalized data access. This allocation of strictly necessary accesses to each user or collaborator allows you to minimize the risks of data leakage but also misuse of information.
This is done by configuring security attributes for your information, creating a granular permissions tree, or through a customized interface to suit the needs of each user.
Find out more about the GDPR
For those wondering about the liability of marketing mailing solutions such as Dialog Insight in the event of non-compliance with the GDPR, well, a sub-contractor cannot be held responsible for its customers’ non-compliance.
For our part, we offer all the necessary tools for our customers to comply. We also always advise our new clients to set up a consent center, but it remains their responsibility to apply the law properly. Nevertheless, we feel it is important to ensure that we make every effort to respect the responsibilities of subcontractors as set out in the law, that is to say:
- Ensuring the security of our processed customer data;
- Subjecting our employees to a confidentiality agreement;
- Immediately notify customers of any violation of its data;
- Assisting, alerting, and advising our clients on best practices in the industry and of GDPR.
If you are looking for a technology solution that will make it easy for you to comply with the law, Dialog Insight can certainly help you get there. Having anticipated that this type of consent compliance would become a key issue in the future of digital marketing, Dialog Insight has made it one of its main focus. This has allowed us, primarily, to consolidate our leadership position in Canada as foreign solutions have taken longer to comply with Bill C-28 and, more recently, the GDPR.
For further information, please refer to the full text on the General Data Protection Regulation (GDPR).
You can also download our compliance checklist to have these tips always at hand!
[1] https://www.capgemini.com/fr-fr/news/rapport-sur-la-rgpd/