ActiveDEMAND GDPR Compliance
What is GDPR?
The GDPR (General Data Protection Regulation) is a European privacy law approved by the European Commission in 2016. The GDPR will replace a prior European Union privacy directive known as Directive 95/46/EC (the “Directive”), which has been the basis of European data protection law since 1995.
A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data.
The GDPR was adopted in April 2016, but will officially be enforceable beginning on May 25, 2018.
Who does it apply to?
The GDPR will apply to any organization processing personal data of EU citizens—regardless of where it is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies to all industries and sectors.
What is considered Personal Data?
Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Personal data will now include not only social security numbers, names, physical addresses, and email addresses, but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more.
What does Process Personal Data mean?
In the context of GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing EU personal data within the meaning prescribed by the GDPR.
What are the GDPR implications for marketers?
Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
- Contact details for the data controller
- Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
- Retention period: This should be as short as possible (“storage limitation”).
- Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented, or the processing is in the organization’s “legitimate interests.” This means that marketers have to be very clear in their engagements as to what personal data is being collected, how it is being used, and give the audience the opportunity to get more information, and the ability to be forgotten.
Does the GDPR say anything about cross-border data transfers?
Yes, the GDPR contains provisions that address the transfer of personal data from EU member states to third-party countries, such as the United States. The GDPR’s provisions regarding cross-border data transfers, however, do not radically differ from the provisions in place under the Directive. The GDPR, like the Directive, does not contain any specific requirement that the personal data of EU citizens be stored only in EU member states. Rather, the GDPR requires that certain conditions be met before personal data is transferred outside the EU, identifying a number of different legal grounds that organizations can rely on to perform cross-border data transfers. One legal ground for transferring personal data set out in the GDPR is an “adequacy decision.” An adequacy decision is a decision by the European Commission that an adequate level of protection exists for the personal data in the country, territory, or organization where it is being transferred. The Privacy Shield framework constitutes one such example of an adequacy decision.
How does this relate to ActiveDEMAND?
ActiveDEMAND is excited about the GDPR and the strong data privacy and security principles that it emphasizes, many of which ActiveDEMAND instituted long before the GDPR was enacted. ActiveDEMAND, as a Canadian company, has had to help marketers comply with some of the toughest privacy legislation in the world. The Canadian Anti-Spam Legislation (CASL) was implemented several years ago, and ActiveDEMAND helped Canadian companies comply well before CASL was enacted. At ActiveDEMAND, we believe that the GDPR is an important milestone for the EU and the rest of the world in the data privacy landscape. We are committed to achieving compliance with the GDPR on or before May 25, 2018.
As part of ActiveDEMAND’s GDPR preparation, we are reviewing (and updating where necessary) all of our internal processes, procedures, data systems, and documentation. We have, among other things:
- Updated our Data Processing Agreement to meet the requirements of the GDPR in order to permit you to continue to lawfully transfer EU personal data to ActiveDEMAND and permit ActiveDEMAND to continue to lawfully receive and process that data;
- Updated our third-party vendor contracts to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data;
- Analyzed all of our current features and templates to determine whether any improvements or additions can be made to make them more efficient for those users subject to the GDPR;
- Right to be forgotten: You may terminate your ActiveDEMAND account at any time, in which case we will permanently delete your account and all data associated with it.
- Right to rectification: You may access and update your ActiveDEMAND account settings at any time to correct or complete your account information. You may also contact ActiveDEMAND at any time to access, correct, amend or delete information that we hold about you.
ActiveDEMAND is a personalization platform. The core use of ActiveDEMAND is the collection and interpretation of behavioral data for the purpose of shortening buyer journeys. As such, this entails processing of personal data under the GDPR. It is important that users of ActiveDEMAND use the many tools provided by ActiveDEMAND to help their audience understand what you are doing, why you are doing it, and how they can opt in, opt out, be forgotten, and see what data you have collected. This article (below) will give you some guidance on what is available in ActiveDEMAND to help you comply with the GDPR.
It is important to note that you should never collect sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, using any marketing platform, including ActiveDEMAND.
ActiveDEMAND is a marketing automation and reporting platform, which may include associated consulting and technical support services. Use of the platform by subscribers in the European Economic Area (EEA) entails the processing of personal data under the GDPR.
ActiveDEMAND is provided by the Canadian company JumpDEMAND, Inc.
JumpDEMAND, Inc. offers its subscribers in the EEA two agreements to cover GDPR compliance, in addition to their existing agreement:
- A model clause agreement based on the European Commission’s standard contractual clauses (processors). The GDPR recognizes this as a legitimate way to transfer personal data from the EEA to any country outside the EEA.
- A GDPR addendum containing legal terms and details of how personal data are processed in ActiveDEMAND. The GDPR requires these terms and details to be included in contracts between controllers and processors.
What does this mean? In broad terms, it means that if you are a subscriber in an EU member state, Norway, Iceland or Liechtenstein, you can continue to transfer your lawfully processed personal data to JumpDEMAND, Inc. under the GDPR, and JumpDEMAND, Inc. will process those data on your behalf.
How is ActiveDEMAND helping me comply with the GDPR?
ActiveDEMAND has always given marketers the tools to help with privacy and data handling. Here are a few examples.
ActiveDEMAND has a simple process for obtaining, recording, and tracking consent. ActiveDEMAND has Opt-In form elements, dynamic opt-in email fields, and dynamic opt-in landing pages that give the marketer the ability to easily provide the opportunity to opt in to marketing communications. All Opt-Ins are captured, recorded, and managed on the ActiveDEMAND prospect timeline, so it is easy to report on when a prospect has opted in and how. ActiveDEMAND also provides a simple one-click guard for enforcing Opt-In communications (i.e. globally locking outbound communication to only those who have opted in).
Right to object (opt-out)
ActiveDEMAND has always had a simple system for tracking opt-outs. With ActiveDEMAND it is technically impossible to send an email to someone who has opted out. As well, ActiveDEMAND does not allow outbound communications to people without providing the ability to opt out (unsubscribe).
Right to be forgotten
With ActiveDEMAND, deleting a contact will permanently delete all data related to that individual. As well, ActiveDEMAND provides a simple ‘Forget Me’ form element that can be presented to a prospect.
Right of access
Right of portability
All of ActiveDEMAND’s data can be exported. This includes contact lists, metadata, and the conversions captured within the database.
Educating Your Audience About Options