Wherever you gather information, you, as an organisation, will face your information requirement. This information requirement means that you must provide clear, understandable, accessible and visible information to the persons involved (the natural persons whose personal information you are processing) about your processing of their personal information. The GDPR specifies the information you have to provide to meet your information requirement. You must, for example, list your identity and your contact information and explain what personal information you are gathering, what you are doing with this information and for what purpose you are processing personal information. You must also mention the storage periods you employ, how you secure the data you collect, to which third parties (if any) you release the information and how the persons involved can exercise their legal rights.
Easy to find and understand
Saving your registration text and carrying the burden of proof
As we briefly covered in our first blog, you, being the responsible party (the party that defines the purpose of and means for the data collection), must be able to prove that you received permission and show which text your subscribers agreed to. This is not a new requirement under the GDPR, but it is extremely important all the same. In order to make it easier for you to carry this burden of proof, we recommend using a double opt-in process that consists of multiple steps. By including steps such as registering, giving permission and confirming one’s permission and email address in your registration process, you can make sure that the email address someone enters is correct. This method also makes it easy to prove that you received valid permission. Although you are not required to use this method, it does make your job as a marketer a whole lot easier.
In order to carry your burden of proof, you must be able to present at least the following information:
- That the person in question gave their permission
- When they gave their permission
- To whom they gave their permission (organisation or company)
- What they gave permission for
- The way in which they gave their permission (checkbox, text)
Webpower’s GDPR Version Manager allows you to save your registration text in a GDPR-proof manner and makes it easier to meet the requirements concerning your burden of proof.
If you cannot provide sufficient proof to demonstrate you received permission to gather the information in your existing database, it is advisable to consider using a reactivation campaign to reactive the people in your current database in a GDPR-proof manner. It is a myth that old opt-ins are suddenly invalid, although you do have to be able to demonstrate that you actually acquired this permission and that it meets the requirements pertaining to valid permission under the GDPR. If you received permission that also meets the stricter requirements of the GDPR (and if you can prove that you received this permission), you do not have to ask for permission a second time. You should therefore determine the extent to which your organisation processes personal information based on permission and find out whether you can prove that you received this permission and that your permission request meets the requirements of the GDPR. If that is not the case (or if you cannot prove that it is), you will have to acquire valid permission somehow, e.g. via a reactivation campaign. If you fail to do so, you will be processing personal information without valid permission to do so, which is in violation of the GDPR.
Webpower’s GDPR easy consent manager lets you set up a reactivation campaign in order to meet the requirements of your burden of proof and/or the requirements of valid permission in relation to your existing database.
GDPR compliant with Webpower
Under the GDPR (which will enter into effect on May 25th, 2018), you will have to be able to demonstrate how permission was obtained and exactly what that permission pertains to. This applies to new registrants, but also applies retroactively to your existing database. Thankfully, Webpower has developed the GDPR Version Manager and the GDPR Easy Consent Manager, which will ensure that all of your email marketing from now on is fully GDPR-compliant.
It is important to us to handle the new privacy legislation correctly. The contents of this blog have therefore been verified by ICTRecht. We provide this information to you so you can gain a better understanding of what the GDPR can mean to marketers. The purpose of this blog article is to share knowledge and it should not be viewed as official legal advice. In reading this article, you safeguard Webpower, ICTRecht and the author against any legal implications. We recommend always consulting a legal adviser before implementing any GDPR-related measures in your organisation.