By Charlie Cummins – bbmm.ie
The European Union’s new data protection law, the General Data Protection Regulation (GDPR), is meant to protect the data and rights of individuals who are in the European Union and European Economic Area (EU/EEA). More than that, the GDPR details how organisations are to deal with these individuals’ personal data in safe, secure, open, and benign ways.
Responsibility for compliance extends to any organisation that communicates with individuals who are in the EU/EEA. As such, the GDPR affects both organisations that are established in the EU/EEA and many organisations that operate outside of the EU/EEA and interact with individuals who are in the EU/EEA.
Enforcement of the GDPR will begin on 25 May 2018. SharpSpring is preparing to meet the GDPR requirements by that date. As such, SharpSpring will be implementing changes to software and policies in the coming weeks to specifically address its new responsibilities and assist its customers in meeting some of their responsibilities under the GDPR.
1. Privacy Policy Change
SharpSpring’s Privacy Policy will be updated to outline the following more clearly:
• What data is collected
• How data is processed and used
• How client data and third-party data interact
2. Providing Consent
The ability to prove consent is an important aspect of the GDPR. Article 4 of the GDPR defines consent as follows:
“…Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her…”
All SharpSpring Forms will be updated to help individuals provide consent. Landing pages will also be updated to address the consent requirements.
3. Identifying Consent
Requesting permission is only part of the new consent rules. Under the GDPR, you must now identify and retain a record of exactly how you obtained an individual’s information and consent, such as:
• How recipients consent to you sending them information
• How recipients consent to you storing their information
• How recipients provided consent
• How recipients consented to have their information given
4. Third-Party Data Tracking
The GDPR requires organisations to be transparent about their practices regarding personal data. To comply with these transparency requirements, SharpSpring will internally log more granular information on what data has been obtained from third parties. This information will be publicly visible.
5. Internal Data Logging
SharpSpring already maintains an audit trail. To better represent the audit process, and comply with the GDPR, SharpSpring will update these internal audit logs and similar records. The changes will reflect how customer data is transferred, updated, deleted, and accessed within the SharpSpring platform.
6. Data Access and Verification
The GDPR requires organisations to provide individuals with the means to know how their data is being processed and used. To comply with these new rules on data access, SharpSpring will implement new verification measures. Going forward, when a client makes certain support requests, SharpSpring will ask the client to provide additional information. These requests will help verify a client’s identity before SharpSpring staff accesses certain data or performs certain actions on the client’s behalf.
7. Data Erasure and Other Limitations
The GDPR affords the right to data erasure, also known as the right to be forgotten. This right provides individuals, in limited circumstances, with the ability to request that their data be deleted. In addition, to address data erasure more directly, SharpSpring is currently in the process of building, updating, and expanding internal tools. These internal tools allow SharpSpring to respond to data erasure requests in a timely manner.
8. Data Retention
SharpSpring will publish a comprehensive overview of its data retention policies, to answer the following:
• What data does SharpSpring keep?
• How long does SharpSpring keep that data?
• Why does SharpSpring keep the data?
9. Recommended Customer Actions
It is not just SharpSpring that is impacted by the GDPR. Email marketers should take action to remain compliant. Again, GDPR compliance is required for all marketers that have leads in the EU/EEA. While in no way a complete list, SharpSpring recommends that email marketers do the following to begin to comply with the GDPR:
1. Update your privacy policy.
2. Prove individual consent.
3. Establish and re-establish consent.
4. Make unsubscribe footers visible and accessible.
5. Ensure that all third-party services are compliant.
6. Consider hiring a data protection officer.
Source: Nik Schultz – SharpSpring
Disclaimer: This document is not legal advice. It is only meant to provide general information on selected aspects of the GDPR. While this document addresses some legal aspects of the GDPR, it is not intended to provide legal advice. It is recommended that you consult your solicitor on how best to comply with the GDPR.