How to Grow Your Email Marketing List and Still be GDPR-Compliant

The implications of the EU GDPR are much more pervasive and widespread than businesses initially thought them to be. Database creation, information collection, archive maintenance, and multiple other activities are affected. Email marketing is one of these activities.

Maintaining an email list that is GDPR-compliant can be a challenge. If you don’t know how to handle the process, the following email marketing tips will shed some light on the essentials.

Email Opt-in Tactics Matter

At the end of 2017, Forrester predicted that 80 percent of companies will fail with their GDPR compliance efforts. While the number may seem shocking, it probably isn’t that far off from the truth.

Ensuring compliance in the field of your email marketing strategy can be particularly tricky, especially when it comes to opt-in strategies.

Pre-checked opt-in boxes (for example, when a person is attempting to order a product or create a log-in account) have become a big no-no in terms of GDPR compliance. You can no longer do that to collect email information and send newsletters in the future.

You have to collect explicit opt-in permissions from the people who visit your website. Consent should be freely given; otherwise, you cannot send newsletters or other forms of promotional emails. Let your audience decide whether they’d like to opt in and start receiving emails from you. Relying on pre-ticked boxes is deceiving and ineffective anyway!

Provide Clear Explanation of What People Are Signing Up for

Apart from getting affirmative consent, you will also have to make sure people are informed about what they’re signing up for in order to ensure EU GDPR compliance.

You can accomplish the goal by featuring a few sentences next to each checkbox. The explanation should tell potential subscribers how their personal information is going to be utilized, what type of newsletter they’d be getting, and what the frequency of communication is.

Get Consent from Existing Email Subscribers (If Necessary!)

In a survey carried out by Compose, 70 percent of small business owners said that email marketing was their biggest concern as far as GDPR compliance goes. Things are most challenging when it comes to the existing database and the management of data collected before the enforcement of GDPR.

You have to account for the date on which a person subscribed to your newsletter. If you don’t know what the date is, you will have to obtain explicit opt-in consent from the person who’s already on record in your existing newsletter database.

A simple campaign carried out via email will be sufficient to notify your existing subscribers of the changes and the need for consent renewal.

The Opt-Out Process

Under GDPR, you also have to make it effortless for subscribers to opt out of your mailing list.

The good news is that if you’re following the CAN-SPAM guidelines, you have already provided your subscribers with such an option. Nothing will have to change and you will still be GDPR-compliant.

If not, you will have to put an effective opt-out mechanism in place. Include a button at the bottom of each email that will transfer subscribers to the opt-out page. There, you can request some information about the reason for the opt-out. You will be GDPR-compliant and you will get essential information that could improve the effectiveness of your marketing efforts in the future.

GDPR: 10 Steps That Will Help Guide You Through The New E.U. Data Protection Framework

The new European data protection law, the General Data Protection Regulation (GDPR), comes into force on the 25th of May, 2018. The new framework places considerable pressure on online and offline businesses of all sizes because it will strengthen the rules under which the personal data of European residents can be collected, stored, and disclosed. Despite its territorial scope, the GDPR will apply to organizations that do not have a physical presence in the European Union.

To guide you through the new E.U. data protection framework, we’ve provided you with a 10-step guideline that will allow you to better understand the formal requirements of the GDPR and the new personal data security standards.

1. Scope of the GDPR

Although the GDPR is a European legislation, it may apply to businesses located in other jurisdictions as well. More specifically, the GDPR applies to natural and legal persons that collect personal data and:

  • Are established in the E.U.;
  • Are not established in the E.U. but cooperate with data processors that are established in the E.U.; or
  • Are not established in the E.U. but collect personal data of E.U. residents or target them (e.g., offer them goods and services or monitor their behavior).

The GDPR will not be applicable if you are a natural person who accesses personal data in the course of a purely personal or household activity (e.g., browsing social media websites).

2. Tracking personal data

The GDPR defines personal data as any information that allows you to identify a natural person. For instance, personal data may include personal names, physical addresses, email addresses, social security numbers, location data, genetic information, biometric data, health care data, and IP addresses.

The GDPR requires applying the principle of data minimization, meaning that you can collect and process only the amount of personal data that is required to provide the requested service.

In order to keep track of all of the personal data that you collect, store, access, share, and process online and offline, it is important to document such transactions for your own records. Also, in certain cases (e.g., if you employ more than 250 persons, collect personal data regularly, or target special categories of personal data) you may be obliged to maintain data processing records.  

It is important to note that the GDPR imposes stricter requirements (e.g., obtaining explicit consent) for special categories of personal data, such as a person’s racial or ethnic origin, political, religious, and philosophical opinions, trade union membership, genetic data, biometric data, healthcare data, and data concerning a natural person’s sex life or sexual orientation.

3. Collaboration with third parties

Under the GDPR, all third parties that have access to personal data collected by you, such as cloud storage providers, hosting providers, and newsletter providers, are considered to be data processors. The law stipulates that the relationship between you and data processors should be governed by data processing agreements, which should reflect (1) the types of personal data you provide access to, (2) the purposes of processing, (3) the duration of processing, (4) the applicable security measures, and (5) the mutual assistance in fulfilling your obligations under the GDPR.

If the third parties are located outside the EEA, you can disclose or transfer personal data only if certain conditions are met, including, but not limited to:

  • If the third party is established in the country that is “white-listed” by the E.U.;
  • If you conclude a contract with the third party on the basis of pre-approved contractual clauses or binding corporate rules;
  • If the data subject provides you with explicit consent to the disclosure or transfer of personal data; or
  • If the transfer is explicitly necessary for conclusion or performance of a contract.

4. Consent

Consent for the collection and processing of personal data is one of the legal grounds for lawful data processing under the GDPR. To be valid, the consent should be prior, explicit, informed, and freely given (pre-ticked boxes are not allowed). An exception to obtaining consent is permitted if the personal data is necessary for performing a contract with the data subject (e.g., booking an appointment, providing the requested service, or delivering a product), for pursuing legitimate business interests, and in some other exceptional circumstances.

5. Data protection and storage

Under the GDPR, personal data can be retained only as long as its storage is necessary for the purpose for which the personal data was collected. Afterwards, the personal data should be deleted. Only in certain cases, when the storage of personal data is required by the applicable law (e.g., for accountancy purposes), businesses are allowed to retain personal data in order to comply with their legal obligations.

To protect personal data, appropriate organizational and technical security measures have to be taken (e.g., limited access to personal data by employees, anonymization, secured networks, and encryption) and you have to ensure that the data processors with whom you cooperate have also put equivalent security measures in place.

6. Data subjects’ rights

The GDPR provides data subjects with a number of rights with regard to their personal data. Indicate in your privacy policy those rights, and give instructions on how data subjects can exercise them. Such rights include:

  • The right to access personal data (e.g., getting a list of personal data you store about the data subject);
  • The right to correct personal data (e.g., change of contact details);
  • The right to erase personal data and object to profiling (i.e., “right to be forgotten”);
  • The right to restrict the processing of personal data;
  • The right to ask a data controller to provide another data controller with a list of personal data related to the data subject; and
  • The right to launch a complaint about the handling of personal data.

7. Identification and transparency

Give your privacy policy the highest level of transparency. List clearly the types of personal data you collect, the purposes of collection, the grounds for processing, third parties that have access to personal data, and all your policies and procedures governing collection, storage, and the processing of personal data.  

Also, indicate your contact details clearly in your privacy policy, including the email and post addresses that can be used by data subjects to contact you with regard to personal data. Also, mention the timeframe in which you will respond to the data subject’s inquiries.

8. Children

The GDPR prohibits the collection and processing of children’s personal data without obtaining parental or guardian consent in advance. In order to comply with this requirement, consider putting systems in place to verify individuals’ ages and to obtain the requested consent. Also, provide parents or guardians with the opportunity to request the erasure of children’s personal data that has been obtained without their consent.

9. Data breaches

The GDPR puts in place strict guidelines for reporting security breaches that affect personal data. In a nutshell, you have to inform the supervisory authority within 72 hours from the moment you become aware of a breach, and then provide details about the affected personal data. Should a data breach occur in data processors’ systems, the data processors have to immediately notify you. Make sure that you have the right procedures in place to detect, report, and investigate a data breach.

10. Data Protection Officer (DPO)

You can voluntarily appoint a DPO as a person who will assist you in complying with the GDPR, as well as tracking and documenting the transactions involving personal data within your organization. The GDPR explicitly requires appointing a DPO if:

  • Your business relies mainly on processing of personal data on a large scale;
  • You process special categories of personal data on a large scale;
  • The processing of personal data may cause a threat to rights and freedoms of data subjects; or
  • You are a public body or authority.

Is Encryption a Mandatory Part of GDPR Compliance?

Website encryption guarantees a high level of security for visitors, which is why the number of websites featuring security certificates is on the rise. According to a Mozilla report, the volume of encrypted traffic already surpasses unencrypted traffic. Other reports predict that approximately 75 percent of web traffic will be encrypted by 2019.

While the benefits of data encryption are easy to understand, is there a legal requirement for websites to feature a security certificate? Does the new General Data Protection Regulation (GDPR) mandate such a change?  The use of a security certificate is definitely beneficial, but there’s currently no encryption law that necessitates the change.

Is SSL Certification Needed to Be GDPR-Compliant?

The SSL certificate adds a layer of protection to a website, increasing privacy and giving visitors peace of mind. The padlock symbol in the address bar shows whether a website is encrypted.

Under GDPR, data encryption is recommended, but not mandatory. In fact, the term encryption does not appear much in the lengthy document.

GDPR suggests the introduction of safety measures like encryption and various others (the words used are “may be introduced” and “optional”). Encryption is only one suggestion, and while it is presented as a good choice, there are no statements that make it mandatory.

The Lack of Encryption and Data Breaches

While there are currently no encryption laws that mandate the purchase of a certificate, website owners are expected to do everything in their power to prevent eventual data leaks, website hacking, and breaches.

If a data breach occurs and the data of EU citizens is affected, the website owner will have to answer questions about the security safeguards in place. Questions about the encryption of personal and sensitive information may also arise.

Would the lack of encryption be perceived as a negative thing? Most likely! Are there any requirements under the new GDPR policies for the purchase and the integration of the SSL certificate? Such provisions do not exist for the time being.

The General Data Protection Regulation is concerned with ensuring the safety of personal data. Thus, you should work hard towards guaranteeing e-privacy in every possible way. While data breaches are often inevitable, there are things to do for the purpose of minimizing the risk.

A few of the best options (other than website encryption) include the following:

  • Make sure that the system and all software will get upgrades on a regular basis
  • Refrain from using default passwords and usernames
  • Keep track of devices to make sure none are lost or stolen
  • Limit the number of people who have admin rights and access to sensitive information (human error is still one of the most profound contributing factors to data breaches)
  • Reduce data transfers
  • Make sure that all employees who do website work undergo data security training

Getting Your Website Encrypted Is a Good Idea

While GDPR does not make website encryption mandatory, this is a good option you should consider for your online platform.

There are different kinds of security certificates, and their features will determine the cost. Many hosting companies will also provide a free SSL certificate as a part of the service package their clients receive. This is a possibility to consider, but for that purpose, talk to a developer or a data security specialist. Encryption certificates are not created equal, and some may not be worth getting.

The things that you do to guarantee the security of your website’s visitors will have an impact on your reputation. Do a bit of research and consider all possibilities carefully before turning down one option or the other.

Privacy Notices Under GDPR: How to Draft a Compliant Statement

The deadline for the enforcement of the new General Data Protection Regulation (GDPR) is fast approaching and many businesses are still unprepared to address new privacy concerns and requirements.

GDPR changes are going to have the most profound effect on privacy policies and notices. The GDPR privacy notice has a couple of specifics that make it different from previous versions of the document. Currently, a privacy notice template is made available by the Information Commissioner’s Office. This is one of the official sources of information you can rely on to ensure compliance. Other privacy notice forms you find online could potentially be outdated, which will lead to a GDPR compliance failure.

What Does a GDPR Privacy Notice Have to Feature?

The aim of GDPR is to give internet users and website visitors full control over the manner in which their personal data is being used. The rights of website visitors, customers, and subscribers should be presented in a comprehensive privacy notice.

The privacy notice is a public statement that focuses on how personal and sensitive data protection principles will be applied in reference to the website’s functioning.

According to Articles 12, 13 and 14 of the GDPR, a website’s privacy policy should be:

  • Concise and written in a language that’s easy to understand
  • Transparent and readily accessible on the website
  • Free of charge
  • Written so that a child could understand the information contained in it

There are numerous important questions that website privacy terms and conditions have to address in order to ensure GDPR compliance. A few of these key issues include:

  • Information about the entity that is collecting data and how this data is going to be used
  • What is the legal basis for the collection and the processing of personal or sensitive information
  • Is the information going to be shared with third parties, how and why
  • The amount of time during which personal and sensitive data is going to be stored
  • The rights of the individuals who share their sensitive data with the entity
  • The manner in which a complaint can be filed
  • The manner in which website visitors can consent or withdraw consent to data collection

Drafting a GDPR-Compliant Privacy Policy

Most often, privacy notices are copy-pasted or filled with jargon to the point that they become completely illegible.

If your privacy notice isn’t simple, straightforward and well-written, you will have to rework it.

All manners in which personal data is going to be collected and used will have to be outlined. This means that if you use third-party products on the website (Google Analytics, email newsletter software) that require visitor information, your visitors should be informed.

A generic privacy policy is no longer going to cut it. It has to be specific and it has to provide details about the entity behind the website, the purpose of the website, data collection practices and the numerous ways in which such information is going to be used to enhance the visitor’s experience.

Official privacy notice templates can be quite helpful when attempting to draft a brand new document. In the absence of legal knowledge or experience, however, you may want to seek professional assistance. There are fines and penalties for compliance failures, which is why you can’t leave the drafting of your privacy notice to chance.

What is a Privacy Policy?

Website privacy policies can be complicated to draft because of several factors. You will have to juggle legal requirements, as well as the audience’s understanding of privacy and website functionality. Thus, a generic document or a website privacy policy template is not going to cut it.

Additionally, a privacy policy is not static. The importance of frequent updates is huge, yet many website owners think it’s a one-time thing that will never have to be addressed again.

A privacy policy for a website is probably one of the most crucial documents to have. Here are a few of the key reasons why.

The privacy policy provides comprehensive information about how user data is going to be handled. It should outline everything that the website uses such data for.

In essence, you’ll be letting website visitors know:

  • What types of data the website is going to collect
  • How this data is going to be used for the purpose of providing the website’s content or services
  • What steps are undertaken to protect the data

Website privacy laws do exist. Some of the most important regulatory documents in the US include:

The Federal Trade Commission is the entity that regulates data privacy provisions and protections. It regularly issues guidelines that have to be followed for the purpose of drafting comprehensive website privacy policies that adhere to legal requirements.

Reasons Why Your Website Needs a Well-Written Privacy Policy: 

Website privacy policy laws mandate the inclusion of such a document if you collect personal data from your users. To ensure regulatory compliance, you need to have a comprehensive privacy policy that addresses the specific type of data collection and the protections available on your online platform.

There are several additional reasons why a well-written privacy policy should be uploaded to every single website.

  • Many third-party service providers may want your website to have a privacy policy. Google Analytics is just one example of such third-party applications. 
  • Users will also be interested in seeing whether your website offers such protection. While in the past most people weren’t concerned with privacy policies, recent data leak scandals have started to shape up new attitudes. According to an interesting poll presented by eMarketer, 84 percent of questioned individuals worry about their privacy when engaging in online activities.

A good privacy policy builds trust:

It encourages visitors to explore your website and in this way, it can potentially boost engagement. If you are interested in the long-term success and monetization of your online project, the drafting of a privacy policy should be at the top of your to-do list.

To fulfill the legal requirements and to have a perfectly customized privacy policy for your website, you can’t just copy and paste the document. Privacy policy templates are not a good pick either. Consulting an experienced privacy policy lawyer is the best strategy for helping you fulfill all legal conditions while also getting a custom-made document based on your content and services.

Legal Checklist For An Online Startup

Forming a new business is an exciting adventure. However, the dream of self-created success and wealth can sometimes cause new business owners to overlook the essentials of creating a new business. These oversights can potentially cause serious harm down the road. This legal checklist, while not exhaustive, is meant to help new business owners ensure that they maintain compliance and protect themselves from any mishaps.

1. Find A Business Structure That Best Fits Your Needs: 

Prior to forming your new business, you should first work with a legal professional to determine which business structure would work best to fit the needs of you and your company. Some of the more common structures include LLCs or C corporations. 

2. Protect Yourself and Your Intellectual Property:

Work with a legal professional to determine if you should file for a copyright, trademark, patent, or any other form of intellectual property. Such protections will work to ensure that your idea cannot be stolen by another. This is of particular importance for online startup companies, as the business is exposed to innumerable others.

3. Money Management: 

Once you have settled on a business structure, work with your professional to determine what your tax obligations are. It could be a bad start for your startup if the IRS begins to focus on you for improperly filing taxes. 

You will also want to create a separate bank account for your company money. This should be kept completely separate from all personal accounts and funds. Co-mingling personal and business funds could cause serious issues down the road.

4. Take Care of the Technicalities: 

Online startups have an additional responsibility to maintain compliance with internet standards, while protecting the company at the same time. This will require the new business owner to work with his or her legal professional to draft privacy policies, disclaimers, and terms of service. It is also very important that you adhere to those policies that are put into place. 

New business owners will also need to work with their professional to incorporate all necessary licensures. Many jurisdictions impose severe fines if companies fail to maintain required licenses. 

5. Create Strong Contracts: 

There are three main types of contracts that new businesses should work with a professional to implement. The first of these contracts is a Non-Disclosure Agreement. These agreements work to protect confidential information from being released to the public. Not all businesses require non-disclosures, but they are highly important for those that do.

The second type of required contract is an employee contract (if you have anyone working for you). Employee contracts should outline the rights and responsibilities of those working, as well as the appropriate and expected conduct.

Finally, business owners should work with a professional to draft a Buy-Sell Agreement. Such agreements detail what would happen in the event of an owner or founder choosing to leave or dying. Specifically, these agreements detail how much money should be paid out and what would happen to that person’s stake in the company.

While the above list is not exhaustive, it’s a good start for online startups to utilize in order to create a successful business. It should be noted that the critical point in all of the above-listed points is that startups should always work with a legal professional to ensure compliance.