Road to the GDPR: processing data and the burden of proof

Estimated reading time: 3 minutes
21 March 2018

This blog is part of our GDPR health check “Road to the GDPR.” In part three of the test, we provide more background on topics such as your privacy policy, saving your registration text and running a possible reactivation campaign. If you have not completed the test yet, do so first and then come back to read the background information in this blog.

Information requirement via your privacy policy

Wherever you gather personal information, you, as an organisation, face an information requirement. It means that you must give the persons involved (the data subjects: the natural persons whose personal information you process) clear, understandable, accessible and visible information about how you process their personal information. The GDPR specifies what you have to provide to meet this requirement. You must, for example, state your identity and contact details and explain which personal information you collect, what you do with it and for which purposes you process it. You must also mention the storage periods you apply, how you secure the data you collect, to which third parties (if any) you pass the information and how the persons involved can exercise their legal rights.

Easy to find and understand

On your website, you can meet your information requirement by adding a privacy policy that covers the topics above. The privacy policy must be easy to find and reachable from every page of your website, e.g. via a link in your footer. As mentioned in part one of this series, meeting your information requirement is one of the conditions for valid permission (consent, in GDPR terms). Your registration text must therefore also briefly state who you are and what someone is giving permission for (e.g. how often you will contact them, about which topics and via which channel), and it must refer readers to your privacy policy (with a direct link) for more information. Note that although people do not have to accept your privacy policy, you are required to refer to it whenever you ask for permission.

Note that the information must be clear and understandable to count towards your information requirement. Write your privacy policy so that your target audience can easily follow it, and keep that in mind when, for example, choosing which language(s) to publish it in.

Our recommendation

Keep a single privacy policy on your website that covers all of your data processing activities: the commercial messages you send, but also, for example, the data you collect to complete webshop orders and the cookies you use. Some aspect of these processing activities will inevitably change over time, and you will then have to update your privacy policy. Say so in the policy itself, and always include a version number or the date of the most recent change so that everyone can see when the policy was last updated. Keep a record of the validity periods of each version, so that for any permission you received via your registration text you can always establish which version of the policy it referred to at the time.

Saving your registration text and carrying the burden of proof

As we briefly covered in our first blog, you, as the controller (the party that determines the purposes and means of the processing), must be able to prove that you received permission and show which text your subscribers agreed to. This is not new under the GDPR, but it is extremely important all the same. To make this burden of proof easier to carry, we recommend a double opt-in process consisting of multiple steps. By having people register, give permission, and then confirm both their permission and their email address, you make sure the email address entered is correct, and you obtain clear evidence that valid permission was given. You are not required to use this method, but it makes your job as a marketer a whole lot easier.

In order to carry your burden of proof, you must be able to present at least the following information:

  • That the person in question gave their permission
  • When they gave their permission
  • To whom they gave their permission (organisation or company)
  • What they gave permission for
  • The way in which they gave their permission (e.g. a checkbox, and the exact text next to it)
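To show what recording these five items against a versioned registration text can look like in practice, here is an added example in Python. It is not Webpower's code and not the GDPR Version Manager; it is a small consent ledger that runs the double opt-in flow described above (register, send a confirmation token, confirm) and can reproduce the proof for one subscriber. The controller name, the two registration texts and their validity dates, the secret key, the email address and the token format are all constructed assumptions of this example.

```python
"""Consent ledger with double opt-in and versioned registration texts.

Added example, not Webpower's code. The controller name, texts, dates,
secret and email address are constructed sample data.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

CONTROLLER = "Example Webshop B.V."  # hypothetical controller name


def utc(year, month, day, hour=0, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample: every registration text gets a version id and a start of
# validity, so a consent given at time T can be tied to the text in force at T.
REGISTRATION_TEXTS = [
    {"version": "2017-03", "valid_from": utc(2017, 3, 1),
     "text": "Example Webshop B.V. may send you its monthly newsletter. "
             "Privacy policy: https://example.com/privacy (hypothetical URL)"},
    {"version": "2018-05", "valid_from": utc(2018, 5, 1),
     "text": "I agree that Example Webshop B.V. emails me its monthly newsletter "
             "and occasional offers. Privacy policy: https://example.com/privacy"},
]


def text_in_force(at: datetime) -> dict:
    """Return the registration text version that was valid at `at`."""
    candidates = [t for t in REGISTRATION_TEXTS if t["valid_from"] <= at]
    if not candidates:
        raise ValueError(f"no registration text in force at {at.isoformat()}")
    return max(candidates, key=lambda t: t["valid_from"])


def fingerprint(text: str) -> str:
    """SHA-256 of the exact wording shown, so later edits to the text are detectable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self, secret: bytes):
        self._secret = secret  # key for the HMAC on confirmation tokens
        self._pending = {}     # token -> record awaiting email confirmation
        self._records = {}     # email -> confirmed consent record

    def start_registration(self, email: str, method: str, now: datetime) -> str:
        """Step 1 of double opt-in: record what was shown and how it was accepted.

        Returns the token to put in the confirmation email."""
        shown = text_in_force(now)
        nonce = secrets.token_urlsafe(16)   # URL-safe alphabet, never contains "."
        tag = hmac.new(self._secret, nonce.encode(), "sha256").hexdigest()
        token = f"{nonce}.{tag}"
        self._pending[token] = {
            "email": email,
            "controller": CONTROLLER,
            "text_version": shown["version"],
            "text_sha256": fingerprint(shown["text"]),
            "method": method,              # e.g. "checkbox"
            "requested_at": now.isoformat(),
        }
        return token

    def confirm(self, token: str, now: datetime) -> bool:
        """Step 2: the subscriber follows the emailed link.

        Rejects forged, altered or already used tokens; otherwise stores the consent."""
        nonce, _, tag = token.partition(".")
        expected = hmac.new(self._secret, nonce.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        record = self._pending.pop(token, None)
        if record is None:
            return False
        record["confirmed_at"] = now.isoformat()
        self._records[record["email"]] = record
        return True

    def proof(self, email: str) -> Optional[dict]:
        """The five items the post lists, for one subscriber; None without confirmed consent."""
        r = self._records.get(email)
        if r is None:
            return None
        shown = next(t for t in REGISTRATION_TEXTS if t["version"] == r["text_version"])
        if fingerprint(shown["text"]) != r["text_sha256"]:
            raise RuntimeError("archived registration text no longer matches the consent record")
        return {
            "given": True,
            "when": r["confirmed_at"],
            "to_whom": r["controller"],
            "for_what": shown["text"],
            "how": f"{r['method']}, confirmed via emailed link",
        }


if __name__ == "__main__":
    ledger = ConsentLedger(secrets.token_bytes(32))
    token = ledger.start_registration("alice@example.org", "checkbox", utc(2018, 3, 21, 10, 0))
    print("confirmed:", ledger.confirm(token, utc(2018, 3, 21, 10, 5)))
    print(ledger.proof("alice@example.org"))
```

Two design points matter for the burden of proof: the record stores a hash of the exact wording shown (so a later edit to the registration text is detected rather than silently rewriting history), and the confirmation timestamp, not the form submission, is what counts as the moment permission was given. In a real system the pending and confirmed records would live in a database with an audit trail rather than in memory.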

Webpower’s GDPR Version Manager allows you to save your registration text in a GDPR-proof manner and makes it easier to meet the requirements concerning your burden of proof.

Reactivation campaign

If you cannot sufficiently prove that you received permission to collect the information in your existing database, consider a reactivation campaign to re-obtain permission from the people in that database in a GDPR-proof manner. It is a myth that old opt-ins suddenly become invalid, but you do have to be able to demonstrate that you actually obtained the permission and that it meets the GDPR's requirements for valid permission. If the permission you hold already meets the stricter GDPR requirements (and you can prove it), you do not have to ask a second time. So first determine to what extent your organisation processes personal information on the basis of permission, and then check whether you can prove that permission and whether the way you asked for it meets the GDPR. If not (or if you cannot prove it), you will have to obtain valid permission another way, e.g. via a reactivation campaign. Otherwise you will be processing personal information without valid permission, which violates the GDPR.

Webpower’s GDPR easy consent manager lets you set up a reactivation campaign in order to meet the requirements of your burden of proof and/or the requirements of valid permission in relation to your existing database.

GDPR compliant with Webpower

Under the GDPR (which applies from 25 May 2018), you must be able to demonstrate how permission was obtained and exactly what it covers. This applies to new registrants, but also to your existing database. Webpower has developed the GDPR Version Manager and the GDPR Easy Consent Manager to help you meet these requirements for your email marketing.


It is important to us to handle the new privacy legislation correctly, so the contents of this blog have been verified by ICTRecht. We provide this information to help you understand what the GDPR can mean for marketers. This article is intended to share knowledge and should not be viewed as legal advice; by reading it, you indemnify Webpower, ICTRecht and the author against any legal consequences. We recommend always consulting a legal adviser before implementing GDPR-related measures in your organisation.
