Lucep, like every other service provider on the web, had to overhaul our privacy policy and incorporate GDPR compliance into our design before May 25. Doing so showed us the difference between a standard policy and one that is really, truly meant to protect your users and their privacy.
This is what I want to share with you today – not just a series of checkboxes that you tick for compliance, but the design of a GDPR compliant digital marketing strategy and tools that will help you do this. I’m going to split this into three parts to cover the general requirements first, and then the two most commonly used digital marketing channels that involve data collection – website forms and emails.
1. General Data Protection Regulation (EU) 2016/679 of the European Parliament.
a) Consent – Requires the user’s explicit consent (a clear affirmative act), for example through an unticked checkbox that the user has to tick.
A pre-ticked box or the typical implicit consent that is hidden within a huge body of text in a privacy policy or a cookie usage document is not enough for GDPR compliance.
This is explained in the law (recital 78) as the principles of “data protection by design and data protection by default.”
b) Privacy by design – Instead of treating data privacy and protection as an add-on for GDPR compliance, the EU wants you to develop and design applications, products and services in a way that takes the right to data protection into account, and to make sure that data controllers and processors (see below) are able to fulfill their own obligations in this regard.
“It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.”
c) Right to access, object and erase – The users of GDPR compliant providers have the right to obtain access to their personal data in electronic form, free of charge and provided by the data controller. They also have the right to object to its processing, and to request rectification or erasure of that data.
2. GDPR compliance for website forms.
The predominant channel of inbound digital marketing today is the website form. People come to your website, and you put a form in front of them asking them to fill in their personal data.
Whether you’re asking for an email, phone number, address and / or any other personal data, that data now has to be protected under the GDPR requirements outlined above.
The simple answer is to make use of a form provider and mailing list that are already GDPR compliant, so you don’t have to worry about it.
Click here to see the Lucep web form in action. You can also put in your name and number into the Lucep widget at the bottom right.
3. GDPR compliance for email marketing.
See Mailchimp’s GDPR guide on how to collect consent using forms and Mailchimp. To sum it up, use a GDPR form, and add the subscribers to a GDPR-enabled list in Mailchimp.
Run a consent campaign through Mailchimp to ensure that anyone who enters their personal data into a form is then sent an email that explicitly requires them to consent.
This is typically done by getting them to tick a checkbox stating that they allow you to store, process, use and/or share the data in the manner specified in your privacy policy.
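The form and e-mail steps described in sections 2 and 3 can be checked server-side rather than left to the form provider. The following is an added example written for this post, not Lucep or Mailchimp code: it accepts a submission only when the unticked consent box was actually ticked, stores a consent record with the policy version and time, issues a signed confirmation token for the consent e-mail, and honours an erasure request. The signing key, policy version and token lifetime are constructed values.

```python
import hmac
import hashlib
import time
from datetime import datetime, timezone

# Constructed for this example: the signing key and the policy version a record refers to.
SIGNING_KEY = b"example-only-signing-key"  # a real deployment keeps this out of source
POLICY_VERSION = "privacy-policy-2018-05"
TOKEN_TTL_SECONDS = 7 * 24 * 3600

def record_consent(form, now=None):
    """Build an unconfirmed consent record from a submitted form, or None if no consent."""
    # A browser sends consent=on only when the user ticked the box, so an absent value
    # means no affirmative act; the box itself must be rendered unticked.
    if form.get("consent") != "on":
        return None
    email = form.get("email", "").strip().lower()
    if "@" not in email:
        return None
    now = now or datetime.now(timezone.utc)
    return {"email": email, "policy_version": POLICY_VERSION,
            "consent_given_at": now.isoformat(), "confirmed": False}

def confirmation_token(email, issued_at=None):
    """Token for the consent e-mail link: issue time plus an HMAC over email and time."""
    issued_at = int(time.time() if issued_at is None else issued_at)
    mac = hmac.new(SIGNING_KEY, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"

def confirm_consent(record, token, now=None):
    """Second step of the consent campaign: the user followed the link in the e-mail."""
    now = int(time.time() if now is None else now)
    try:
        issued_at = int(token.split(".", 1)[0])
    except ValueError:
        return False
    expected = confirmation_token(record["email"], issued_at)
    # Constant-time comparison; the link also expires after TOKEN_TTL_SECONDS.
    if not hmac.compare_digest(expected.encode(), token.encode()) or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    record["confirmed"] = True
    record["confirmed_at"] = datetime.fromtimestamp(now, timezone.utc).isoformat()
    return True

def erase(records, email):
    """Right to erasure: drop every record for the address; returns the number removed."""
    email = email.strip().lower()
    keep = [r for r in records if r["email"] != email]
    removed = len(records) - len(keep)
    records[:] = keep
    return removed
```

Only records with `confirmed` set to True should ever be added to a mailing list; the unconfirmed ones are what the consent e-mail is chasing.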
4. GDPR questions and answers.
a. What is GDPR? Read the EU’s guide to what GDPR is, and understand which core values need to be part of your privacy policy design.
b. How do I start? Consult a corporate law or EU law expert and have them design or at least approve your GDPR compliance plan.
c. Are you required to be GDPR compliant? This is a common question, and I have two answers:
First, it is legally applicable if you are located in the EU and collecting / controlling / processing data provided by EU residents or citizens. It is legally applicable even if you are not located in the EU but your digital marketing strategy targets, collects and/or makes use of data provided by EU residents or citizens. Note that it applies only to the data provided by people covered by EU law, and not to people from other countries or regions of the world.
The second answer is that, if you think GDPR is justified as a data protection law for EU residents, you should implement these privacy mechanisms for every person whose data you collect, control, process and/or share, regardless of where they are from, regardless of whether you are required by law to be GDPR compliant. If the law works as expected in the EU, expect the U.S. and other regions of the world to follow suit and do the same. It’s better if you’re ahead of the curve and do it before you’re forced to, as happened in the case of GDPR.
d. What are the penalties if you flout this law? Four percent of annual global turnover, or €20 million (whichever is greater).