March 7, 2018 Are you GDPR-ready? How ShortStack Is Preparing for the May 2018 Deadline
Are you familiar with the General Data Protection Regulation (GDPR)? Do you know how, or if, the new regulations will affect your business? Below you’ll find a quick overview of what GDPR is, who it affects, and what ShortStack is doing to prepare for the May 25th, 2018 deadline.
Before you get started, please know that our team here at ShortStack has been working hard to make sure our platform is GDPR compliant well before the deadline. In fact, ShortStack already follows many of the data protection and security practices required by the GDPR, so there aren’t many updates for us to make. We’ll keep this post updated as we release more features or make GDPR-related changes.
What is the GDPR?
The GDPR is a new set of data protection laws created to replace the current European Union (EU) data protection law. The current law dates back to 1995, so the new law aims to address the changes that have taken place over the last 23 years, with regard to how personal data is obtained and used.
Does the GDPR apply to all businesses?
It depends. If you are located in the European Union, then, yes. However, even if you aren’t located in the EU, it’s still possible that the GDPR applies to the personal data you collect.
It’s important to understand what is considered “personal data” in relation to the GDPR: Personal data is any data related to an identified individual or data that, when processed along with additional data or alone, could identify a specific individual.
The GDPR applies to you if you perform any of the following actions in regard to the data of EU citizens:
- Collect personal data,
- Organize personal data,
- Transmit personal data,
- View personal data,
- Delete/erase personal data,
- Modify personal data,
- Store personal data, or
- Use personal data in any other way.
Consent and Individual Rights
The two elements of the GDPR most relevant to ShortStack users are:
- obtaining consent to process individuals’ data, and
- individuals’ rights regarding how their data is used.
Consent: Per the GDPR, you are considered a “data controller” when you collect form entries via ShortStack. As a data controller, you must use a legal basis to process individuals’ data. In the case of collecting entries for your email marketing list, you should ask individuals for their consent to collect and process their personal data. An individual’s consent must be explicit and verifiable.
To obtain “explicit” consent, use a double opt-in method for adding people to your list.
First, you will use a form with a checkbox. The checkbox must clearly state that the individual is opting into your list. The checkbox should not cover any additional topics. For example, you can’t ask someone to agree to your contest’s terms and conditions and opt into your email marketing list with the same checkbox field. The checkbox cannot be pre-checked or marked as a required field that the entrant must check to enter.
DON’T: One checkbox for multiple issues
DO: Separate checkbox for each issue
Next, be sure you make individuals aware of all the ways you might use their data.
DON’T: Form with no indication of how the data will be used, or terms and conditions link
DO: Form with short description of how data will be used, along with link to full terms & conditions
- By opting into our mailing list, your data will be used for the purpose of distributing special offers, coupons, product updates, and announcements via email.
- By submitting an entry to this contest, you agree to have your data used for the purposes of choosing a winner.
- We will never provide your data to 3rd parties.
- Read the entire Terms & Conditions for this contest.
After the user submits their information, a double opt-in confirmation email should be sent to the individual. At this point, the user should click the link in your email to complete the steps required for double opt-in.
How about the “verifiable” part of consent? This is something ShortStack handles. We record when someone opts in to your list.
Individual Rights: The GDPR outlines rights individuals have with regard to how you use the data of EU citizens, and what the individuals whose data you collect can ask you to do with their data. Data controllers should be able to tell folks who submit their data what they’re using their personal data for and how it is being stored. Likewise, you must be able to share the data you have about an individual with him or her.
Furthermore, under GDPR, individuals have the “right to be forgotten.” This means you need to be able to completely remove an individual’s information from your databases/lists. (See how ShortStack is addressing the “right to be forgotten.”) In addition, folks must be able to have their data corrected, barred from certain uses or transferred to another organization. All of this must be accomplished in what the GDPR defines as a “timely” manner (unfortunately, they fail to provide an exact definition of what “timely” is, as it can vary by industry).
What is ShortStack doing to become compliant?
At ShortStack, we know just how important and valuable every individual’s personal data is. Even before the GDPR passed, we practiced a high-level of data security. Because of our longstanding commitment to data security, we only needed to make a few changes in order to be fully compliant.
Read on to learn what we’ve already done, and what we are working on.
Updates already in place
The consent portion of the GDPR is the most important portion for ShortStack users who are sending emails with our platform. We have added some tools to help ensure you can allow new subscribers to double opt in, as well as continues using some of the emails you have already collected in your ShortStack lists. These updates include:
- Double Opt-in Confirmation links in emails. Now, you can add a double opt-in confirmation link when sending autoresponders, scheduled emails and follow-up emails. These URLs are used for the “consent” portion of the GDPR regulations. We recommend using the double opt-in confirmation links in:
- Autoresponder emails to anyone who signs up for your list; and
- [Before May 25th] Scheduled emails for people who you have collected email addresses for and you are currently sending email marketing to, but who have not yet agreed to double opt-in to your list.
- Require Double Opt-in to receive emails. Now, you can set your Company Profile so only folks who double opt into your mailing list will receive emails from the lists associated with that profile.
We’ve also completed some updates that will help you stay compliant with the individual rights portion of the GDPR. The features we have added are:
- Customizable “From Email Address” field. When setting up your campaign, you have the option of adding a “From Email Address.” Yes, this is helpful in confirming the email is being sent from you/your company. However, more importantly, using a real email address allows people to respond to your email. It also allows people to reach out to you to inquire about how their data is being used, as well as submit requests to update their data, transfer it or remove it.
- An “Unsubscribe link” in the email footer. Every email you send with ShortStack includes a footer with your company’s address and an Unsubscribe link. The Unsubscribe link allows people who have subscribed to your list to change their mind and unsubscribe at any point.
The Double Opt-in Confirmation links are a very important part for the GDPR consent portion. With that out of the way, we also plan the following consent-related updates:
- Adding Opt-In Checkbox fields to the Form Designer. This checkbox will ensure that only folks who check this box will receive the double opt-in link to opt into your mailing list.
- Double Opt-In indication within lists. We are adding a opt-in indicator to our lists that will allow you to see at a glance which entrants opted into your list. The indicator also comes in handy when you export your databases, as you will be able to see which email addresses meet the double opt-in standard.
We are also working on some updates to comply with the individual rights portion of the GDPR. These projects are:
- A search tool for locating user data. We are creating a search tool to allow you to find an individual within your lists. This will help you with updating the individual’s profile, providing them with the information you have collected about them, and deleting their data entirely.
What can I do to continue using my ShortStack lists for email marketing?
Great question! The main thing you’ll need to worry about is ensuring that folks know they are consenting to opt into your mailing list.
- Make sure you are reaching out to folks currently on your email marketing lists, but who haven’t confirmed double opt-in yet. Send them a scheduled email with the double opt-in link, so they can remain on your list after the May 25, 2018 deadline occurs.
NOTE: It is important you only reach out to individuals you are currently sending emails to in order to “renew” their consent. Do not email individuals who you are not currently sending email marketing to.
- On or before May 25, 2018, set your company profile so it will only send emails to folks on your list who have completed the double opt-in process. You will want to do this after you have sent your emails asking people to opt in.
- Add a checkbox field to your form that includes explicit language regarding the individual opting into your list and indicating how their data will be used.
- After form submission, set up an autoresponder with your double opt-in confirmation link. This allows new entrants to double opt into your list.
- Add a way for people to contact you. Use an email address that your team monitors in the From Email Address field, and include an email address and other contact information for your business in the email footer.
Check out our blog post, “GDPR Compliance: It’s easier than you think” for more in-depth information on making your ShortStack email marketing lists GDPR-compliant.
We’ll be updating this post as more GDPR-related updates are made. Be sure to check back from time-to-time to stay informed.
If you have any more questions, shoot us an email at email@example.com.