Are you GDPR-ready? How ShortStack Prepared for the May 2018 Deadline

GDPR-Ready

Are you GDPR-ready? How ShortStack Prepared for the May 2018 Deadline

Update: ShortStack is GDPR compliant as of May 23, 2018.

Are you familiar with the General Data Protection Regulation (GDPR)? Do you know how, or if, the new regulations will affect your business? Below you’ll find a quick overview of what GDPR is, who it affects, and what ShortStack did to prepare for the May 25th, 2018 deadline.

Before you get started, please know that our team here at ShortStack has been working hard to make sure our platform is GDPR compliant. In fact, for years, ShortStack already practiced many of the data protection and security practices required by the GDPR but you can read about our most recent updates here. And you can read and complete our Data Processing Addendum if the GDPR applies to you.

What is the GDPR?

The GDPR is a new set of data protection laws created to replace the current European Union (EU) data protection law. The current law dates back to 1995, so the new law aims to address the changes that have taken place over the last 23 years, with regard to how personal data is obtained and used.

Does the GDPR apply to all businesses?

It depends. If you are located in the European Union, then, yes. However, even if you aren’t located in the EU, it’s still possible that the GDPR applies to the personal data you collect.

It’s important to understand what is considered “personal data” in relation to the GDPR: Personal data is any data related to an identified individual or data that, when processed along with additional data or alone, could identify a specific individual.

The GDPR applies to you if you perform any of the following actions in regard to the data of EU citizens:

  1. Collect personal data,
  2. Organize personal data,
  3. Transmit personal data,
  4. View personal data,
  5. Delete/erase personal data,
  6. Modify personal data,
  7. Store personal data, or
  8. Use personal data in any other way.

Consent and Individual Rights

The two elements of the GDPR most relevant to ShortStack users are:

  1. obtaining consent to process individuals’ data, and
  2. individuals’ rights regarding how their data is used.

Consent: Per the GDPR, you are considered a “data controller” when you collect form entries via ShortStack. As a data controller, you must use a legal basis to process individuals’ data. In the case of collecting entries for your email marketing list, you should ask individuals for their consent to collect and process their personal data. An individual’s consent must be explicit and verifiable.

To obtain “explicit” consent, use a double opt-in method for adding people to your list.

First, you will use a form with a checkbox. The checkbox must clearly state that the individual is opting into your list. The checkbox should not cover any additional topics. For example, you can’t ask someone to agree to your contest’s terms and conditions and opt into your email marketing list with the same checkbox field. The checkbox cannot be pre-checked or marked as a required field that the entrant must check to enter.

DON’T: One checkbox for multiple issuesGDRP Compliant Double Opt In Don't

DO: Separate checkbox for each issue

GDRP Compliant

Next, be sure you make individuals aware of all the ways you might use their data.

DON’T: Form with no indication of how the data will be used, or terms and conditions link

GDRP Compliant

DO: Form with short description of how data will be used, along with link to full terms & conditions

  • By opting into our mailing list, your data will be used for the purpose of distributing special offers, coupons, product updates, and announcements via email.
  • By submitting an entry to this contest, you agree to have your data used for the purposes of choosing a winner.
  • We will never provide your data to 3rd parties.
  • Read the entire Terms & Conditions for this contest.

GDRP Compliant

After the user submits their information, a double opt-in confirmation email should be sent to the individual. At this point, the user should click the link in your email to complete the steps required for double opt-in.

GDPR Compliance

How about the “verifiable” part of consent? This is something ShortStack handles. We record when someone opts in to your list.

Individual Rights: The GDPR outlines rights individuals have with regard to how you use the data of EU citizens, and what the individuals whose data you collect can ask you to do with their data. Data controllers should be able to tell folks who submit their data what they’re using their personal data for and how it is being stored. Likewise, you must be able to share the data you have about an individual with him or her.

Furthermore, under GDPR, individuals have the “right to be forgotten.” This means you need to be able to completely remove an individual’s information from your databases/lists. (See how ShortStack is addressing the “right to be forgotten.”) In addition, folks must be able to have their data corrected, barred from certain uses or transferred to another organization. All of this must be accomplished in what the GDPR defines as a “timely” manner (unfortunately, they fail to provide an exact definition of what “timely” is, as it can vary by industry).

What did ShortStack do to become compliant?

At ShortStack, we know just how important and valuable every individual’s personal data is. Even before the GDPR passed, we practiced a high-level of data security. Because of our longstanding commitment to data security, we only needed to make a few changes in order to be fully compliant.

Read on to learn what we did to meet GDPR requirements.

The consent portion of the GDPR is the most important portion for ShortStack users who are sending emails with our platform. We have added some tools to help ensure you can allow new subscribers to double opt in, as well as continues using some of the emails you have already collected in your ShortStack lists. These updates include:

  1. Double Opt-in Confirmation links in emails. Now, you can add a double opt-in confirmation link when sending autoresponders, scheduled emails and follow-up emails. These URLs are used for the “consent” portion of the GDPR regulations. We recommend using the double opt-in confirmation links in:
    1. Autoresponder emails to anyone who signs up for your list; and
    2. Scheduled emails for people who you have collected email addresses for and you are currently sending email marketing to, but who have not yet agreed to double opt-in to your list.
  2. Require Double Opt-in to receive emails. Now, you can set your Company Profile so only folks who double opt into your mailing list will receive emails from the lists associated with that profile.

This help doc will provide you with instructions for implementing the double opt-in process for your list.

We’ve also completed some updates that will help you stay compliant with the individual rights portion of the GDPR. The features we have added are:

  1. Customizable “From Email Address” field. When setting up your campaign, you have the option of adding a “From Email Address.” Yes, this is helpful in confirming the email is being sent from you/your company. However, more importantly, using a real email address allows people to respond to your email. It also allows people to reach out to you to inquire about how their data is being used, as well as submit requests to update their data, transfer it or remove it.
  2. An “Unsubscribe link” in the email footer. Every email you send with ShortStack includes a footer with your company’s address and an Unsubscribe link. The Unsubscribe link allows people who have subscribed to your list to change their mind and unsubscribe at any point.

GDPR Compliance Unsubscribe

Other ShortStack Updates

The Double Opt-in Confirmation links are a very important part for the GDPR consent portion. Other consent-related updates include:

  1. Customizable “From Email Address” field. When setting up your campaign, you have the option of adding a “From Email Address.” Yes, this is helpful in confirming the email is being sent from you/your company. However, more importantly, using a real email address allows people to respond to your email. It also allows people to reach out to you to inquire about how their data is being used, as well as submit requests to update their data, transfer it or remove it.
  2. An “Unsubscribe link” in the email footer. Every email you send with ShortStack includes a footer with your company’s address and an Unsubscribe link. The Unsubscribe link allows people who have subscribed to your list to change their mind and unsubscribe at any point.
  3. A search tool for locating user data. We are creating a search tool to allow you to find an individual within your lists. This will help you with updating the individual’s profile, providing them with the information you have collected about them, and deleting their data entirely.
  4. Updated privacy policy and security information. Our updated privacy policy and security information will allow you to better inform individuals who submit their data to your ShortStack forms about how their data is being used, and where it is stored.
  5. A Data Protection Addendum (DPA), which is available by request. We offer a DPA for customers to fill out and send back to us. To request the DPA, please email contact@shortstacklab.com and request the GDPR DPA.
  6. Performed a platform audit and removed or anonymized non-essential data. We audited all areas of the ShortStack platform to determine what personal information we collect and for what purpose. Where not essential for the execution of the services we provide, we removed or anonymized that data.
  7. Audited data-deletion process. We audited our data deletion process to ensure all non-essential data is destroyed.

Other Great question! The main thing you’ll need to worry about is ensuring that folks know they are consenting to opt into your mailing list.

  1. Make sure you are reaching out to folks currently on your email marketing lists, but who haven’t confirmed double opt-in yet. Send them a scheduled email with the double opt-in link, so they can remain on your list after the May 25, 2018 deadline occurs.
    GDPR Compliance by May 25th
    NOTE: It is important you only reach out to individuals you are currently sending emails to in order to “renew” their consent. Do not email individuals who you are not currently sending email marketing to.
  2. On or before May 25, 2018, set your company profile so it will only send emails to folks on your list who have completed the double opt-in process. You will want to do this after you have sent your emails asking people to opt in.
    GDPR Compliance
  3. Add a checkbox field to your form that includes explicit language regarding the individual opting into your list and indicating how their data will be used.GDRP Compliant
  4. After form submission, set up an autoresponder with your double opt-in confirmation link. This allows new entrants to double opt into your list.GDPR Compliance
  5. Add a way for people to contact you. Use an email address that your team monitors in the From Email Address field, and include an email address and other contact information for your business in the email footer.
    GDPR Compliance

Check out our blog post, “GDPR Compliance: It’s easier than you think” for more in-depth information on making your ShortStack email marketing lists GDPR-compliant.

We’ll be updating this post as more GDPR-related updates are made. Be sure to check back from time-to-time to stay informed.

You can learn more about how ShortStack handles your data by reading our Privacy Policy.

If you have any more questions, shoot us an email at theteam@shortstacklab.com.

Try a ShortStack template to create your first contest fast and easily.

No credit card required. Risk-free.

Jane Vance
jane@shortstacklab.com

Jane is ShortStack’s Client Services Director. She holds a Masters of Public Affairs from the University of Texas at Austin. Jane has worn many hats at ShortStack over the years, including leading our customer support and success team. Read more articles by Jane Vance.



Share
Tweet
Share