May 3, 2018
There’s a new buzzword (or should we call it a “buzzacronym”) around town - GDPR. GDPR stands for “General Data Protection Regulation”, and is the EU’s new data protection framework.
Coming into effect on the 25th May 2018, the framework is designed to not only harmonize data privacy laws across Europe, but strengthen an individual’s privacy rights by placing tighter limits around the processing of personal data, expanding the rights of the individual, and holding organizations accountable for data privacy and transparency with their consumers.
It’s been hailed as the most important change to data privacy regulations in the last 20 years, and everyone’s talking about it. So, should you be doing something about it? The answer is ‘yes’, and we’ll tell you why below.
- GDPR in a Nutshell: what is it, and how does it affect you?
- 8 basic steps on your journey to becoming GDPR compliant
- What is Autopilot doing about GDPR?
- How can you use Autopilot to help become GDPR compliant?
GDPR In A Nutshell: what is it, and how does it affect you?
Whilst GDPR is an EU protection framework, it doesn’t just apply to companies and entities in the EU that handle personal data as a part of their activities. It also applies to companies and entities outside of the EU who handle the personal data of EU data subjects (individuals residing in the European Union). So, if your business is based in the US, Australia or any other part of the world outside of the EU, and you process personal data in connection with goods and services offered to individuals within the EU, or monitor the behaviour of individuals within the EU, the laws will apply to you. Disregard them, and you could be fined up to 4% of your global annual revenue.
But what exactly is personal data, and how do you know if you’re responsible for it?
Personal data is any piece of data that can lead to the identification of a living individual - whether that be directly (e.g. name, email, address) or indirectly through the online and offline information you possess (e.g. location, customer ID, IP address). Interestingly, this definition has also been expanded to include sensitive personal data such as genetic data and biometric data that can be traced back to an individual.
Under GDPR, there are two types of entities that handle personal data - Controllers and Processors. A controller is an individual or company that determines the purpose and means by which personal data is processed, and a processor is an individual or company that processes personal data on behalf of the controller. Data processors are often a third party or an entity external to the company. If you’re unsure which category you fall into, the European Commission has a great example of the two on their website:
“A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.”
Or, to put it even more simply: as an Autopilot customer you define the data that is captured from your contacts, and how it should be used to market to them. Autopilot provides you with a platform to store this data, and the tools with which to communicate. This makes you the data controller, and Autopilot the data processor.
So we’ve established that you’re a data controller, and that you collect personal data. But what does this actually mean for you and your business?
GDPR also grants individuals a number of additional rights that you need to be prepared to honor. These include:
- The right to be informed
- The right of access (for free, unless this is overly burdensome)
- The right to rectification
- The right to erasure (although this is not absolute, and only applies in certain circumstances)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
To learn more about these individual requirements, we’d encourage you to check out the UK Information Commissioner’s Office (ICO) comprehensive Individual Rights write-up here.
This seems like a lot, but there are some basic steps that you can take to ensure you’re on the right path to becoming GDPR compliant.
8 basic steps on your journey to becoming GDPR compliant
- Identify the lawful basis that you have for processing personal data.
- Put together a document outlining the data that you store, where it comes from, and who you share it with.
- Ensure your data is clean and up-to-date.
- Review the rights that GDPR grants individuals, and ensure you’re set up to honor each and every one of them. Define processes that you can follow internally - what will you do if someone requests to see the data you have on file for them? How will you delete an individual’s record if they request that you do so? Do you specify how long you will retain data for?
- If you’re a processor of data, confirm with your CTO (or relevant technical security owner) that you have processes in place to investigate, and react to, a data breach.
- Analyze your database. Do you market to children or store special information such as sexual preference or biometrics? If you do, then start thinking about age restrictions and whether you need to put in place an age verification system. Under GDPR, you may need a parent or guardian’s consent to process data for individuals under the age of 16.
This list is by no means exhaustive so we encourage you to do your research and make use of the following resources to find out more, plan appropriately and action accordingly:
- https://ico.org.uk - The ICO is the UK’s independent body set up to uphold information rights. We recommend taking a look at their compliance checklist and guide to preparing for GDPR (you’ll notice that we pulled a number of our recommendations from this list).
- https://www.eugdpr.org/ - an educational portal for all things GDPR. Check out their resources page for a great list of relevant articles and videos.
You can also read the final version of the Regulation, released April 6th 2016.
What is Autopilot doing about GDPR?
Like you, we are committed to data privacy and, as a processor of personal data, are taking all necessary steps to become GDPR compliant. We have certified our commitment to the EU-US Privacy Shield principles (you can view our listing here), and have initiated and/or completed several projects focusing on the processing of our EU customers’ personal data. These projects include, but are not limited to:
- Undertaking a Data Protection Impact Assessment and GDPR readiness assessment.
- Creating a record of all personal data processing activities.
- Obtaining, documenting and maintaining a legal basis for each processing activity that we carry out.
- Reviewing and updating our processor and sub-processor agreements.
- Verifying the GDPR readiness of our 3rd party vendors and making sure they are compliant.
- Creating a procedure for notifying third parties when customer data needs to be deleted.
- Reducing our backup retention period to 29 days, in line with GDPR requirements.
- Creating policies and procedures to respond to data rights requests.
- Appointing a Data Protection Officer.
- Ensuring that all personally identifiable data is encrypted at rest and in transit.
- Enabling you to define how you handle cookies through Autopilot’s tracking script (more on this below).
- Requesting your consent in-app to comply with GDPR when using our services.
- Carrying out extensive penetration tests to highlight and resolve any vulnerabilities.
- Updating our privacy and security policy and procedures, which you can access below:
- Autopilot Terms and Conditions
- Autopilot Privacy Shield Notice
- Autopilot IT Security
We have also run a number of staff training programmes, and prepared customer DPAs which you can find in-app (under Settings > GDPR) and sign electronically.
We will also continue to make updates over the coming months, to ensure we’re staying at the forefront of GDPR compliance. Upcoming projects include:
- Upgrading Autopilot’s “list handling” so that you can have double opt-in capability for all subscriptions and have Autopilot check this for you in journeys.
- Putting in place a Breach Notification Plan.
- Setting up comprehensive monitoring systems to track, limit and log all data access by Autopilot employees.
- Setting up comprehensive monitoring systems to monitor threats to data access.
- Scrubbing all log files of personally identifiable information.
- Setting up an intrusion detection system across our databases to monitor for malicious activity.
We will continue to update you as and when these projects have been completed. Please feel free to refer back to this article and be sure to look out for in-app messages and email communication.
Some important messages around tracking and consent:
Online cookie tracking & compliance
We now provide you with two different versions of our web and app tracking code – a version that can be used by customers who operate in the EU or handle EU data, and a version that can be used by customers who aren’t bound by GDPR. The latter is our standard tracking code, whilst the former enables customers to either (a) handle cookie-tracking opt-in on their own, or (b) use Autopilot’s cookie-tracking opt-in popup. Depending on your selection, we either provide documentation on how to activate cookies if you are managing your own opt-in, or enable the Autopilot opt-in popup on your tracked pages. Only once a contact opts in to cookie tracking do we run our tracking code. You can find a link to our web page tracking code advanced options support documentation here.
Email & form tracking
We partner with FullContact to automatically enrich your contact’s profiles with publicly available data. To turn this functionality off, please follow the steps below:
How can you use Autopilot to help become GDPR compliant?
There are a number of different ways that you can utilize Autopilot to become, and stay, compliant with GDPR. Here are a few of our favorites, but we’d also encourage you to reach out to our Support or Success teams if you’d like more information or help with setting anything up:
Asking for, and capturing, double opt-ins:
You can create a very simple Journey in Autopilot that captures first time opt-ins and sends an automatic email requesting confirmation that the contact wants to be subscribed to your database (a “double” opt-in). See below for the Journey setup, as well as a quick email that we put together using the ‘Personal Touch’ template in our Advanced Email Editor:
To capture the second opt-in and update your database accordingly, you will need (a) a “thank you for confirming / subscribing” landing page that you can direct contacts to when they confirm their opt-in via your email Call To Action, and (b) a unique set of UTM parameters that you can append to the end of the confirmation URL, which qualify their acceptance in Autopilot.
If you haven’t used UTM parameters in the past, then we’d encourage you to check out this support document to learn more. Once you’ve added your UTM parameters and sent your Journey live, you will want to build a Smart Segment that listens for any contact landing on your “thank you” page with the UTM parameters in question, then use this Smart Segment to trigger a quick operational Journey that updates a custom “Double Opt-In” field to ‘true’. If you’d like, you can also add these contacts to a list, which can be used to start your marketing Journeys or refine your contact segmentation in future. Here’s a quick example of the Smart Segment setup and operational Journey (note that you can add this operational Journey to the same canvas as your double opt-in process, to keep everything together):
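To make the matching logic concrete, here is an added example (not Autopilot’s code, and not how its Smart Segments are implemented) that simulates the flow above: it appends a confirmation UTM set to the thank-you URL, then replays tracked page views and flags only identified contacts whose visit carries the full UTM set. The page URL, UTM values, contact ids and page views are all constructed for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed values for this example; the page, UTM set and contact ids are not Autopilot's.
THANK_YOU_PAGE = "https://example.com/thank-you"
CONFIRM_UTM = {"utm_source": "autopilot", "utm_medium": "email", "utm_campaign": "double-opt-in"}


def build_confirmation_url(base_url, utm):
    """Append the confirmation UTM set to the thank-you URL, keeping any query string it already has."""
    parts = urlsplit(base_url)
    merged = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    merged.update(utm)  # the confirmation UTM set wins if a key is already present
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(merged), parts.fragment))


def is_confirmation_hit(url, thank_you_page, utm):
    """True only for a hit on the thank-you page that carries every expected UTM value exactly."""
    hit, page = urlsplit(url), urlsplit(thank_you_page)
    if (hit.scheme, hit.netloc, hit.path.rstrip("/")) != (page.scheme, page.netloc, page.path.rstrip("/")):
        return False
    params = parse_qs(hit.query)
    # Every expected key must be present exactly once with the expected value; extra parameters are ignored.
    return all(params.get(key) == [value] for key, value in utm.items())


def apply_double_opt_in(contacts, page_views):
    """Replay page views and set 'Double Opt-In' on a copy of the contact records; returns the copy."""
    updated = {cid: dict(record) for cid, record in contacts.items()}
    for view in page_views:
        cid = view.get("contact_id")
        # Anonymous views (no tracked contact id) can never confirm anyone's subscription.
        if cid in updated and is_confirmation_hit(view["url"], THANK_YOU_PAGE, CONFIRM_UTM):
            updated[cid]["Double Opt-In"] = True
    return updated


# Constructed sample data: two known contacts and three tracked page views.
SAMPLE_CONTACTS = {
    "c1": {"email": "ann@example.com", "Double Opt-In": False},
    "c2": {"email": "bob@example.com", "Double Opt-In": False},
}
SAMPLE_VIEWS = [
    {"contact_id": "c1", "url": build_confirmation_url(THANK_YOU_PAGE, CONFIRM_UTM)},  # clicked the email CTA
    {"contact_id": "c2", "url": THANK_YOU_PAGE + "?utm_source=google"},                 # organic visit, not a confirmation
    {"contact_id": None, "url": build_confirmation_url(THANK_YOU_PAGE, CONFIRM_UTM)},  # visitor that cannot be identified
]

if __name__ == "__main__":
    for cid, record in apply_double_opt_in(SAMPLE_CONTACTS, SAMPLE_VIEWS).items():
        print(cid, record["email"], "double opt-in:", record["Double Opt-In"])
```

Note that the UTM set is shared by every confirmation email, so the visit only qualifies the acceptance; it is the tracking identity of the contact landing on the page that decides whose record is updated.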
Enabling contacts to access their data:
As we mentioned earlier, one of the rights that GDPR grants individuals is the right to access the data you hold on them at any time. Keeping track of these requests and actioning them can be a cumbersome task, so we’ve devised a quick and easy way for you to capture enquiries and respond to your contacts. It starts with a simple request form on your website (we recommend using Typeform, Instapage or Unbounce to power this piece of the Journey if you don’t yet have a preferred form or landing page builder), which can then be used as a trigger for a notification Journey:
There are then a few different ways that you can supply the required personal data to the requestor, but we’d recommend either:
- Identifying the personal data points that you keep on file for contacts in Autopilot, and building an automated email that uses personalization variables to surface these data points to the end user; or
- Exporting the list of contacts from Autopilot on a weekly basis and manually following up with each person, using the data from the exported .csv file.
If you opt for the first option, you can also use fallback variables to let contacts know if you don’t have a particular data point on file for them (e.g. “We don’t have this data on file for you”). Here’s a quick example, with the fallback variables highlighted in orange:
Allowing contacts to have their data deleted from your database:
In a very similar fashion to the access-request process above, you can also use the request form > list approach to manage deletion requests. Simply capture the deletion request form in Autopilot, add everyone to a list, and send a notification to your team whenever a new request comes through. You can then delete these contacts from Autopilot on an hourly, daily or weekly basis depending on your policy. See below for a quick GIF showing you how to delete a contact from a list (please note that when you delete a contact from Autopilot, you delete all of their data and historical activity, so be sure that you want to do this before proceeding):
If you’re looking for a less manual approach, and have access to technical resources, please also note that the Autopilot API has a “Delete Contact” method that can also be used to delete contacts from our database. You can read more about it in our API documentation.
There’s no need to panic. If you’re committed to GDPR, then it’s important to accept that you’re in it for the long haul. Be smart about what you prioritize, be open and transparent with your customers, and ensure you have buy-in from company stakeholders to make the necessary changes.
Autopilot’s team of “Awesome People” is here to help and support you, so please reach out with any questions and we’ll gladly answer them for you.
Note - this post is in no way legal advice and it’s important to speak to a legal professional and seek advice before taking actions towards GDPR.