Last November, we launched our practical GDPR health check: the Road to the GDPR. By answering twenty questions, (email) marketers can test their knowledge and practical skills pertaining to the GDPR. Although the test will be available until at least 25 May 2018, the initial results are already in.
Five percent of the participants scored a perfect 10. On average, participants scored 14.48 out of 20 points on the test, which translates to a grade of 7.2 (negative outlier: 2.5% of the participants earned a score of 1 or 2). This average grade of 7.2 tells us that the organisations taking the test are sufficiently or even well prepared for the GDPR.
On average, participants earned a score of 7.7 for their knowledge and 6.6 for their practical skills. This could mean that people are sufficiently familiar with the contents of the new privacy legislation, although they have not yet tailored their daily activities accordingly.
The test consists of three categories: the registration process, the registration text and the processing. In general, there are no notable differences between the scores earned in these three categories (respectively 7.2/7.1/7.4), which could indicate that participants have sufficient insight into all aspects of the GDPR.
One result that stands out is the low score for the question of whether an organisation uses pre-checked checkboxes on its registration page: 93% use them. When the GDPR enters into force, this will no longer be allowed. The GDPR states that consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes.” This means that giving consent must be a clear affirmative act (e.g. checking a checkbox).
Jacco Bouw, founder of Webpower, explains: “For example, if you are a webshop and you want an easy way to ask new customers for consent to send them your newsletter, you can pre-check the checkbox for receiving your newsletter during the final phase of the purchase process. A new webshop customer can easily uncheck this checkbox (opt out) to let you know that they do not wish to receive any commercial communication from you. Note that this only applies during the final phase of the order process when there is an existing customer relationship. In all other cases, checkboxes cannot be pre-checked.”
Additionally, 79% of the participants ask for more information than necessary on their registration page. Data minimisation is a key principle of the GDPR. You should not ask for more information than necessary for the purpose for which you process the data. For example, do not ask someone for their phone number if you do not “need” this information.
Another notable result: 60% of the participants cannot (or do not know how to) save their registration text using their email software. Ewald Kessler (deliverability expert and Data Protection Officer at Webpower) explains: “Webpower recommends linking the burden of proof under the GDPR to your registration text via the confirmation email (also known as a double opt-in process). Although the GDPR does not require you to meet your burden of proof with a double opt-in, it will make your job as a marketer a lot easier when it comes to meeting your burden of proof and verifying whether you received the correct email address.”
Finally, it is notable that the majority of the participants do not use a separate checkbox for each consent request. Under the GDPR, a person must be given the option to consent to different data processing purposes. If you want to send your subscribers informative messages and commercial newsletters, you must ask for their consent twice: once per type of message.
Side note: the generally positive test scores may result from the fact that some people read the (test-related) information about the GDPR that is available on our website prior to taking the test.
Do you want to take the test?
Are you curious to know if you can do better than your (marketing) colleagues? The test is available at https://gdpr-are-you-ready.com/en/.