
GDPR implementation Best Practices?

Comments

2 comments

  • Sion Stedman
    Great post, Marten. At my company we are taking a similar approach.

    Ahead of the GDPR taking effect, I have proposed to my marketing manager colleagues that they run a campaign to promote to existing contacts the benefits of opting in to receive marketing communications. We would then have a record of those who have opted in together in a 'consent master list', which can feed automated programs to update other Act-On lists as necessary.

    In January I am planning to ask our teams to extract from our various CRMs lists of all current clients. We will then update our Act-On master list. Following that, colleagues can run campaigns to get as many contacts as possible explicitly double opted in, and opted in to receive marketing communications (as required by the legislation).

    In the summer we will have a tidy-up to remove from Act-On all individuals whose details we do not have consent to contact or hold for marketing purposes. We plan to do such a cleansing exercise every nine months thereafter.

    After the GDPR takes effect in May, I am planning that when our customer service team sends their 'welcome email' to clients, there will be a link to a page where they can opt in to receive marketing communications. If clients choose to opt in, this then triggers a double opt-in process and will record that they have opted in and what their marketing communication preferences are.

    Elements of the four pieces of legislation we are following (the GDPR/the Data Protection Act/the PECR/the ePrivacy Regulation) are yet to be finalised, and there is a chance we might need to take further action to be compliant. But the above is the plan in the meantime, as of course what is known is that from 25 May 2018, we can only contact people for marketing purposes where they have double opted in and given us their explicit consent to receive marketing communications.

    Alongside these Act-On activities, we are updating the company Data Protection Policy, Privacy Policy and Cookie Policy. We will also have a specific Marketing Data Protection Policy which sets out the processes and policy that marketing colleagues are expected to adhere to.



    ------------------------------
    Sion Stedman
    Idox Software Ltd
    ------------------------------
    -------------------------------------------
    Original Message:
    Sent: 12-24-2017 03:03
    From: Marten Hoekstra
    Subject: GDPR implementation Best Practices?

    Hello,

    Does anybody already have GDPR implementation best practices? I will start with the ones we have.

    Getting and storing consent
    In certain situations under the GDPR you have to get consent from the individual for using their personal data. The best-known example is the checkbox in a web form.


    With every form submit Act-On already stores the following data: IP address, time and date stamp, referring URL. This has to be extended with three extra fields:

    • Optin type = How did the individual give consent? Was it ticking a checkbox? Then store the value checkbox.
    • Optin text = What was the exact text that the individual gave consent to? Store the exact text.
    • Optin = Did the person opt in (tick the checkbox)? Store Yes or No.

    You could end up with several different consents from one individual. We are figuring out how to deal with this. You could copy them to one general opt-in list.

    Act-On tracking beacon
    The Act-On tracking beacon collects personal data on all known and unknown individuals. This means that an individual has to give consent for Act-On collecting this data on your behalf. So the Act-On tracking beacon can only be loaded after a website visitor has clicked YES (giving consent) in a cookie banner. Act-On has standard functionality for this; see https://university.act-on.com/User_Guides/Inbound_Marketing/Using_the_Website_Prospector/Managing_Opt-In_Cookie_Options_and_Disabling_Beacon_Tracking

    The individual rights
    The GDPR gives the individual certain rights that are connected with personal data being available in Act-On: the right of access, the right to rectification, the right to erasure (the right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.

    Basically you must put the processes in place to delete, alter and export personal data from Act-On. Deleting and altering personal data are standard functionality in Act-On, but not yet for behavioural data.

    Always keep a note of every request made by an individual. Create an extra field that keeps note of all changes made to personal data based on GDPR rights.

    The right to data portability (exporting data) is not yet available in Act-On as standard functionality for behavioural data. I am guessing this is part of the personal data, so it must be included in a data portability request.

    DPA (Data Processing Agreement)
    Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place. Act-On is a processor, so you need a contract, which is often referred to as a Data Processing Agreement. Act-On has a standard contract (DPA) which you have to request and sign.

    DPIA (data protection impact assessment)
    Data protection impact assessments (DPIAs) help organisations to identify the most effective way to comply with their data protection obligations and meet individuals' expectations of privacy.

    Our feeling is that when using marketing automation you have to make a DPIA. See also https://www.thehouseofmarketing.be/blog/the-impact-of-gdpr-on-marketing-data-protection-impact-assessment

    Additions / comments are welcome!



    ------------------------------
    Marten Hoekstra
    Stan and Stacy
    ------------------------------
  • Sion Stedman
    Further to the above – and Act-On might already be advising users of this – organisations handling EU-based data should implement a double opt-in process for every sign-up form. GDPR means that in the EU, a double opt-in process will be a standard requirement (that is, collecting evidence of a person's consent that a) the submitted email address belongs to them, and b) that you can contact them using that address for whatever it is they have signed up to).

    New Act-On clients in particular should be advised to implement a double opt-in process from the outset. Unfortunately my company missed this opportunity, as a double opt-in process was previously only 'good practice', rather than the requirement it will become under GDPR. We will now be applying the process to our existing forms and contact lists.

    ------------------------------
    Sion Stedman
    Idox Software Ltd
    ------------------------------
    -------------------------------------------
    Original Message:
    Sent: 01-03-2018 15:48
    From: Sion Stedman
    Subject: GDPR implementation Best Practices?
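The double opt-in flow Sion describes, together with the consent evidence fields Marten lists (IP address, timestamp, referring URL, opt-in type, exact opt-in text, opt-in flag) and a note of every rights request, as an added example in Python. This is not Act-On's code or either poster's: it is an in-memory model of the process. The 48-hour link lifetime, the HMAC secret, the class and method names and the sample data in the `__main__` block are all assumptions made for the example.

```python
"""Double opt-in with a consent evidence record (added example, not Act-On code).

Models the thread's process: a ticked checkbox issues a confirmation link, the
click on that link is the second opt-in, and marketing is allowed only when
both happened and consent was not withdrawn. Names, TTL and secret are assumed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import asdict, dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 h


@dataclass
class ConsentRecord:
    """One consent event. The first three evidence fields mirror what the post
    says a form submit already stores; the next three are the extra fields."""
    email: str
    ip_address: str
    timestamp: float
    referring_url: str
    optin_type: str            # how consent was given, e.g. "checkbox"
    optin_text: str            # exact wording the person agreed to
    optin: bool                # box ticked (first opt-in)
    confirmed: bool = False    # confirmation link clicked (second opt-in)
    confirmed_at: Optional[float] = None
    confirmed_ip: Optional[str] = None
    withdrawn: bool = False
    history: List[Dict] = field(default_factory=list)  # every rights request


class DoubleOptIn:
    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self._secret = secret
        self._now = now
        # token_hash -> (email, issued_at). Only an HMAC of the token is kept, so
        # a leaked copy of this store cannot be replayed as confirmation links.
        self._pending: Dict[str, Tuple[str, float]] = {}
        self.consents: Dict[str, ConsentRecord] = {}

    def _token_key(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def submit_form(self, email: str, ip: str, referrer: str,
                    optin_text: str, ticked: bool) -> Optional[str]:
        """First opt-in. The submission is recorded either way; only a ticked
        box issues a confirmation token (this goes into the emailed link)."""
        self.consents[email] = ConsentRecord(
            email=email, ip_address=ip, timestamp=self._now(),
            referring_url=referrer, optin_type="checkbox",
            optin_text=optin_text, optin=ticked)
        if not ticked:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._pending[self._token_key(token)] = (email, self._now())
        return token

    def confirm(self, token: str, ip: str) -> bool:
        """Second opt-in. The token is single-use and must be within its TTL."""
        entry = self._pending.pop(self._token_key(token), None)  # pop: one use
        if entry is None:
            return False
        email, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            return False
        rec = self.consents[email]
        rec.confirmed, rec.confirmed_at, rec.confirmed_ip = True, self._now(), ip
        return True

    def can_market_to(self, email: str) -> bool:
        """Only a ticked, confirmed and not-withdrawn consent allows marketing."""
        rec = self.consents.get(email)
        return bool(rec and rec.optin and rec.confirmed and not rec.withdrawn)

    def record_request(self, email: str, kind: str, detail: str) -> None:
        """Keep a note of every rights request made by the individual."""
        rec = self.consents[email]
        rec.history.append({"at": self._now(), "kind": kind, "detail": detail})
        if kind in ("withdraw", "object", "erase"):
            rec.withdrawn = True  # consent no longer usable for marketing

    def export(self, email: str) -> Dict:
        """Data-portability export of everything held for one person."""
        return asdict(self.consents[email])


if __name__ == "__main__":
    clock = [1_700_000_000.0]  # constructed fake clock for a reproducible run
    flow = DoubleOptIn(b"replace-with-a-real-secret", now=lambda: clock[0])
    tok = flow.submit_form("a@example.com", "203.0.113.5",
                           "https://example.com/signup",
                           "Yes, email me product news.", ticked=True)
    print("after form only:", flow.can_market_to("a@example.com"))   # False
    print("confirm click:", flow.confirm(tok, "203.0.113.5"))        # True
    print("after confirm:", flow.can_market_to("a@example.com"))    # True
```

The token itself is never stored; the pending table is keyed by its HMAC, so a database read of that table yields nothing a recipient could paste into a link. Popping the entry makes each link single-use, and the TTL check stops stale confirmation links from counting as consent long after the form was submitted.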
