Act-On recently held a very informative webinar on the coming General Data Protection Regulation, known as GDPR. The regulation is intended to strengthen and unify data protection for all individuals within the European Union (EU). It will have an impact on all marketers who do business with people in these countries.
An engaged audience brought many great questions to the webinar, in which Act-On’s David Fowler, Head of Privacy, Compliance, and Deliverability, gave an overview of GDPR, what regulations marketers will be obligated to comply with, and how GDPR will affect marketers’ day-to-day responsibilities. He also shared resources available to help with the transition.
Check out these webinar questions and their answers, which address important issues that many marketers are wondering about as GDPR takes shape.
What size does an organization need to be to require a mandatory DPO?
If you have more than 250 employees, you’re required to have a Data Protection Officer (DPO) on your staff.
Does GDPR itself apply to all sizes of organizations, or is there also a minimum size?
GDPR applies to any company that markets to people in the European Union, regardless of the size of the organization.
Which features will Act-On implement to help its customers with GDPR compliance, especially with respect to the individuals’ rights?
We are in the process of reviewing our products on how we may change and update them to ensure GDPR compliance. I would anticipate that we will communicate later in the year as more guidance on specific areas of the GDPR is released by the regulators.
When will Act-On launch new functionality that will make it easier to be compliant?
We’re reviewing our product requirements for any GDPR adjustments, and those will be communicated later in the year. Remember, you’re responsible for your own compliance under GDPR.
Will Act-On adapt to these regulations, like, for example, “the right to be forgotten”?
Yes, we’re required under the law to be in compliance on all the areas of the GDPR, and we’ll adjust our product where applicable to allow our clients to meet their obligations, including honoring “the right to be forgotten” option.
Will Act-On enable forms to offer positive opt-in based on location, so that EU-based IPs are shown a positive opt-in but non-GDPR countries do not show this form artifact?
Form enhancements are under consideration for our GDPR preparations and we anticipate communicating about product changes later this year.
Does Act-On back up our lists stored in Act-On?
Please visit our security documentation.
From a marketing perspective, what type of detail do you think will be necessary to ask for consent from a person before they’re a customer?
Under the GDPR you’ll have to communicate exactly what you’re going to do with the data subject’s information and the purpose for processing. This is a complex requirement. Please refer to Chapter 3 of the GDPR, which addresses “rights of the data subject,” for comprehensive information.
Will we still be able to use gated content and progressive profiling?
Yes, if you have provided complete information to the individual who signs up for the program and you’ve followed the data subject rights under GDPR.
How do I know if I have any EU email addresses in my database? I am a US B2B operator for businesses in the United States, but they may have an EU email.
You should conduct a data assessment and take inventory of the data you hold. You should assume that if you have EU clients, you will have EU addresses in your files. Prepare now for the legislation by adjusting your onboarding and acquisition methods to include geolocation information.
If all my customers are in the United States, but they have an EU email, am I impacted under the GDPR?
I would consult with a legal resource on this question; however, given that you have the EU data (email addresses), you will need to comply. You may also get further guidance from the Information Commissioner’s Office.
What are the various types of data processing covered in the regulations? Is simple segmentation of contacts into types (such as “resellers” and “distributors,” for example) considered data processing that must be listed and consented to?
Any data you or your vendors hold is covered under the regulations. As the data subject has more ability to manage their data with companies, it’s important you understand the regulations. Complete information on data subject rights can be viewed in Chapter 3 of the GDPR.
Because we’re a UK business, and therefore have to comply, does that also mean we need to comply from an outbound perspective? If we’re processing data on an individual in the United States, do the same restrictions apply?
No, only EU individuals are covered under GDPR. You do, however, want to ensure that you’re complying with any applicable legislation obligations for the other countries, such as CAN-SPAM (in the USA) and CASL (in Canada), for example.
Are requirements the same for member data and customer data? The Canadian spam regulations are slightly different for members vs. customers.
There are differences between CASL and GDPR. The best practice is to follow the law of the country in which the contact is located. Read this great article that discusses the differences in email legislation in Canada, the United States, and the European Union.
How will GDPR affect those businesses that are only focused on B2B engagements?
GDPR applies to any business marketing to EU citizens, regardless of the channel.
Does this apply to B2B customers and data or only to B2C individual data?
Any data you hold on an individual would be covered under GDPR. Chapter 4 discusses your responsibilities as a data controller.
How will the United Kingdom be affected by the Brexit under GDPR?
The UK government has indicated that Brexit will not affect GDPR. GDPR will be implemented in the United Kingdom as scheduled.
If individuals have opted in to receive information from a company with just email addresses and have provided no location information, what are best practices to find out where they are located?
Updating your records now would be a good place to start. Proactively reach out and request additional data to ensure that your information is accurate. More specifics on controller responsibilities can be accessed in Chapter 4 of the GDPR.
GDPR requires European Union members to comply, but how would it be different for a US-based company?
If you hold any data on EU citizens, then you’re required to comply with GDPR.