E-mail: info@spiralsites.com
GDPR - All you need to know!

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation, which replaces the Data Protection Directive 95/46/EC. The GDPR is intended to streamline the data privacy laws across all EU member states. The objective of GDPR is to protect all EU residents from privacy and data breaches in an increasingly data-driven world. The GDPR seeks to accomplish this by providing certain rights and freedoms to EU residents in relation to the processing of their personal data.

Why is GDPR being adopted?

The GDPR was adopted by the EU Parliament to:

  • Create consistency within all the member states of the EU as to the rules regarding data protection, implementation of the law, and how the rules are enforced.
  • Modernize the principles laid out in the 1995 Data Protection Directive (Directive 95/46/EC), which was written before the advent of social media, 'smart' mobile devices that now can access things like cameras and geolocation information, and the ubiquity of online services and communications.
  • Reinforce the rights of individuals to control and protect their personal data.
  • Strengthen the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.

When will GDPR come into effect?

The GDPR is currently scheduled to become live as at the 25th of May 2018.

Who does GDPR apply to?

The GDPR applies to:

  • Organizations located within the EU.
  • Organizations located outside of the EU if they offer goods or services to (even for free), or monitor the behaviour of, EU residents.
  • Organizations processing and holding personal data of EU residents, regardless of the organization's location.

How does GDPR affect my business?

Here are a few things to considering regarding how GDPR will affect your business:

Are you a data processor or data controller?

A 'controller' is the organization that determines the purposes, conditions, and means of the processing of personal data. A 'processor' is an organization that processes personal data on behalf of the 'controller'. For example, if you're using Spiral Sites to send your marketing email, you will be the 'controller' and Spiral Sites will be the 'processor'.

Defining 'personal data' under GDPR

GDPR defines personal data broadly as 'any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.'

Under this definition, nearly ALL information about a EU resident is personal data including, for example, names, ages, National Insurance Numbers, email addresses, online identifiers and location data, IP addresses and mobile device IDs, cookies, and more sensitive personal data such as genetic data and bio-metric data, including fingerprints, facial recognition and retinal scans.

How does GDPR affect email delivery?

There are several ways in which GDPR will affect email delivery. Here are some common questions.

Do I have to retain the email I send to my customers under GDPR?

No, there is no specific data retention requirement under GDPR. In fact, GDPR is intentionally set up to promote the active non-retention of data.

For example, Comment (64) to GDPR states in part that, 'A controller should not retain personal data for the sole purpose of being able to react to potential requests'

However, if you have a duty to retain based on some other legal obligation, Comment (65) to GDPR, which deals with the right to be forgotten states that a controller may retain data 'where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.'

How will GDPR generally affect sending email?

Provided the controller has the necessary consent, the actual sending of the email is not really impacted by GDPR. However, GDPR can affect the returned message event data to the extent that such data indirectly or directly identifies a EU data subject

In broad terms, how does GDPR change existing obligations regarding email?

Broadly speaking, GDPR requires you to look at all your data acquisition, tracking and data use systems, and then determine whether they adequately document the consent requirements, permit compliance with transparency requirements, and can be purged when requested by a data subject. Any legacy system that was not designed with these systemic issues in mind may be a real task to re-develop.

In addition, GDPR will require you to look at each third-party service you are using for tracking, monitoring, and developing your data analytics and verify whether they are GDPR compliant. After all, it is the whole point of these systems to track users for marketing, service augmentation and customization and experience and hence by definition, this is data that identifies a data subject. This data is personal data in the EU (whereas it is not personal data with any level of real protection in the US). It is the lowest common denominator third party services that could cause a problem if even one is non-compliant, the EU regulators will likely view your entire system as non-compliant.

What can a data subject ask me to do under GDPR that I must do?

As discussed briefly above, a data subject can make essentially two requests an accounting of all uses of the data subject's personal data, and that the data subject's personal data be removed from the controller's or processor's systems. This is a very general answer, and these rights are not absolute, so it is beyond the scope of this blog post to explain in detail what information a data subject must have access to and when they can ask that it be deleted.

What are some of the key elements and changes to the law under GDPR?

Some of the key elements or changes under the GDPR are:

  • Obtaining consent. Explicit consent by a 'clear affirmative act' will be required, as opposed to a soft opt-in. Formerly used methods such as pre-ticked boxes, silence, or inactivity will not constitute consent. Consent records must be maintained so they can be presented if you are challenged. Therefore, systems design changes may be necessary to provide evidence that a person consented to a specific use of their personal data.
  • Extra-territorial scope. The rules, at least for now, state they apply to all persons or companies who handle personal data of EU residents, regardless of whether they reside in the EU.
  • Increased penalties. Fines can be significant. Infringement of certain provisions can result in fines of up to 20,000,000 EUR, or up to 4% of the total worldwide annual turnover of the provider's preceding financial year, whichever is higher.
  • Right to be forgotten. The right to be forgotten, previously a right arising from a court decision, is now codified in the GDPR. A data subject has the right to be forgotten, meaning that his/her personal data must be erased upon request, and no longer processed where the personal data is no longer necessary to the purposes for which it was collected. This again may require significant systems changes to be able to 'scrub' the data from all locations, apparently including backup locations and other non-production storage. However, it should also be noted that this right requires controllers to compare the subjects rights to 'the public interest in the availability of the data' when considering such requests.
  • Right to access. A data subject has the right to obtain from the data controller confirmation as to whether personal data concerning them is being processed, where and for what purpose. The controller is required to provide a copy of the personal data, free of charge, in an electronic format.
  • Data portability. A data subject has the right to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine-readable format' and have the right to transmit that data to another controller.
  • Privacy by design. The GDPR calls for controllers to hold and process only the data necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing. As a result, developers of applications, services or products that will process personal data should take the new regulations into account during the design and development process to ensure that the final product will protect the personal data of its users. Privacy must be by design, not an afterthought bolt on.
  • Breach notification. Breach notification will become mandatory in all member states where a data breach is likely to 'result in a risk for the rights and freedoms of individuals.' This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, 'without undue delay' after first becoming aware of a data breach.

Spiral Sites? GDPR compliance

As a commitment to our customers, Spiral Sites has made a commitment to be fully GDPR compliant before GDPR takes into effect.

Will Spiral Sites be GDPR compliant on May 25, 2018?

Yes. Wherever Spiral sites processes or stores personal data of EU residents, it will be compliant.

Does Spiral Sites retain the content of the email I send? Is this compliant with GDPR?

No, But If you use the Spiral Sites Email Marketing System it only holds the templates of the emails you send and the subscriber details, except only in short term cache or in cases of message delivery failure, for a defined period while it retries the sending of the email. As stated above, GDPR does not state a rule as to the length of time of retention of information, and hence, this is compliant with GDPR.

Disclaimer: The above is meant as a general guide of questions and answers and is not advice and cannot be relied upon for any legal purpose. You must consult your own professional advisors for your specific facts and circumstances before taking, or refraining from taking, any course of conduct. The above blog post is not an amendment or supplement to any agreement between Spiral Sites and you.

Additional resources: