May 19, 2018 GDPR Compliance for 2018: It’s easier than you think
Update: ShortStack is GDPR compliant as of May 23, 2018.
Marketers located within the European Union (EU), or those with customers in the EU, know that May 25, 2018 is a big day. No, it’s not the first day of the World Cup (that’s the 14th of June!). It’s the date that the European General Data Protection Regulation (GDPR) is set to go into effect.
What does GDPR mean for you? If your business is based in the EU, or you process the personal data of individuals located in the EU, then you need to be compliant with the laws. If you’re a U.S.-based business and you have customers in the EU you also need to be GDPR compliant. But don’t worry: ShortStack has you covered. We’re providing our customers with all the tools they need to make sure they are GDPR ready; read about all of our updates here. This post will tell you what you need to know to make sure your ShortStack forms and email lists are compliant, including steps you should take RIGHT NOW to make sure you can continue sending emails to current subscribers.
Already know you need to make GDPR updates to your mailing list? Then skip the background information.
Please note: For the purposes of this blog post, I group all European countries together. Why? Most European countries, even those that are not part of the EU, appear to be implementing similar data protection regulations.
What is the GDPR?
The European GDPR is a set of data protection laws created to update the current data protection laws that have been in place since 1995. However, a WHOLE lot has changed over the last 23 years with regard to how data is handled and used. The new legislation is intended to offer consumers more protection for how businesses handle their personal data. There are three GDPR requirements ShortStack users should pay particular attention to, namely:
- Stricter consent requirements (consent must be both explicit and verifiable);
- Increased rights for individuals (individuals have more power over how their data is used); and
- More transparent data-use information (businesses must provide more information on how they plan to process or use the data).
What is “Personal” Data?
Personal data is any data associated directly with an identified individual, such as name, address, and IP address. Personal data also applies to any data that, when processed along with additional data or alone, could identify a specific individual.
Who is a Data Controller
A natural or legal person or entity, who alone or with others, determines how personal data is, or will be, processed.
Who is a Data Processor
A natural or legal person or entity charged with the processing of personal data on behalf of a data controller.
What does “processing” data mean?
In short, anyone who personally, or on behalf of someone else, collects, organizes, transmits, updates, stores, deletes or otherwise uses or works with the personal data of individuals is considered to be processing data.
For the purposes of data you collected using ShortStack, you would be considered the data controller and ShortStack is the data processor. However, there may be other cases when you are working with individuals’ personal data in which case you would be the data processor.
Do I need to do anything to prepare my business for the GDPR?
First things first: the GDPR does not apply to everyone. In short, the GDPR only affects businesses and individuals who collect, organize, transmit, update, store, delete or otherwise use or work with the personal data of individuals located within the EU.
More specifically, the following groups are affected:
- Individuals or businesses located within the EU who are considered either personal data controllers or processors;
- Individuals or businesses not located within the EU, but who are considered processors or controllers of the personal data of individuals located in the EU;
- Individuals and businesses located in countries whose data protection laws are set to change alongside the GDPR — examples include the United Kingdom’s proposed Data Protection Bill, Switzerland’s updates to the Swiss Data Protection Act, and Norway’s new Personal Data Act;
- Individuals or businesses not located within the EU or other European countries with data protection laws similar to the EU, but who are processors or controllers of the personal data of individuals located within these countries.
If you do not fit into one of these categories, then you don’t need to worry about reading any further (unless you want to). For example, folks from the United States and Canada who are not collecting information from or sending emails to customers located within Europe do not need to worry about these updates.
For ShortStack users who are affected by the GDPR, our platform offers the tools you need to make sure the email marketing lists you built using ShortStack are compliant.
Easy Steps to Prepare Your ShortStack Email Marketing List
Below are four easy steps you should take to prepare your ShortStack lists for the GDPR. I suggest making these updates NOW so you can continue reaching out to customers once the legislation goes into effect.
1) Reach Out to Existing Members of your Email Marketing List(s) with a Double Opt-in Confirmation
You worked hard for your mailing list, so make sure you can still contact these folks after May 25, 2018. Simply send a double opt-in email and ask individuals to confirm their subscription to your list.
In this case, since you’re sending an email to individuals who have already submitted their information to your list, you will use a scheduled email. Within that scheduled email, include the “Email Subscribe URL” merge field. When someone clicks the “Email Subscribe URL” link within the email, they will then have confirmed their desire to opt into your list.
IMPORTANT: You need to send this email BEFORE May 25, 2018. I suggest sending a few rounds of double opt-in emails, just to make sure folks have a few opportunities to read your email. However, it is important you only reach out to individuals you are currently sending emails to in order to “renew” their consent. Do not email individuals who you are not currently sending email marketing to.
2) Enable Double Opt-In Requirement for your ShortStack Company Profile(s)
You will need to enable the double opt-in requirement on your company profile if you want to make sure future emails are only sent to folks who have opted in twice. Here’s how:
- When prompted to choose a company profile while setting up an email for your list, click the “Edit” option beside the profile that you wish to require double opt-in for
- At the bottom of the Edit Company Profile Page, check the box beside “Require Double Opt-in?”
- Click the blue Select button
The “Require Double Opt-In” feature applies the double opt-in requirement to all ShortStack lists associated with this company profile. After you enable this requirement, only people who have completed the double opt-in process will receive emails you send using ShortStack Marketing Automation features.
NOTE: Autoresponders are the type of email you will use to ask folks to opt in to your list. Because of this, autoresponders are not impacted by the “Require Double Opt-in?” requirement.
3) Create GDPR-Compliant Forms
Per the GDPR, you must ask users explicitly if they wish to opt into your mailing list. Also, you must make clear what their information will be used for. To stay compliant, you will need to use an opt-in checkbox on your entry form, as well as post clear information to let users know what they are opting in to.
To stay compliant, we recommend adding a checkbox to your form that indicates the individual’s desire to opt into your mailing list. Some options for the language you could use for the checkbox field include:
- [ ] Yes! I want to receive emails from [YOUR BUSINESS NAME].
- [ ] Sign me up for company announcements and industry best-practice emails from [YOUR BUSINESS NAME].
- [ ] I want to receive up-to-date information via email, including product updates, coupons, special offers and contest announcements from [YOUR BUSINESS NAME].
IMPORTANT: This checkbox field cannot be pre-checked or required for entry.
In addition, you must provide individuals with information regarding how their data will be used. It is a best practice to include a second checkbox field asking the entrant to indicate that they have read your terms and conditions before they enter.
You could add this text via a Rich Text field within your form, in the Form Settings under the Disclaimer section, or within a Rich Text Widget on your campaign. Not sure what to say? Here’s an example:
Your data will not be used for reasons other than contest administration by [YOUR BUSINESS]. Specifically, your data will be used to help choose and announce a winner. If you opt in to our email marketing, you agree to receiving [TYPES OF EMAILS — special offers, discounts, company announcement, product update, etc] emails from [YOUR BUSINESS]. We promise not to share or sell your data with 3rd parties.
4) Set Up Double Opt-In Confirmation Autoresponders for Every List
For any form where you are asking individuals to sign up for a list, you will need to create an autoresponder that includes the “link after form submission.” This help doc and the following video include easy-to-follow steps.
5) Include business contact information in your emails
It is important to provide folks with a way to contact you in order to stay compliant with both the “Individual Rights” and the increased data processing transparency potions of the GDPR. The easiest way to do this is to use your company’s email address as the “From Email Address” email address when setting up your autoresponder, scheduled email or follow-up email. However, you should include additional contact information, including your company’s contact address, in the footer of your email.
6) Review and complete our Data Processing Addendum (DPA)
Under the GDPR, you (the ShortStack customer) are considered a Data Controller, while ShortStack is the Data Processor. ShortStack’s EU-U.S. Privacy Shield certification and a completed and signed DPA will allow you, the Data Controller, to legally transfer personal data you collect via ShortStack from within the EU to the U.S. (where ShortStack’s servers are located). To stay compliant with the GDPR, you should download, review, complete and sign our DPA, then send it back to us at email@example.com. Review our Data Processing Addendum here.
Is Your Business Located Outside of Europe?
For the most part, the GDPR only affects folks located within Europe or those processing the personal data of individuals located within Europe. However, if you want to be sure you are only collecting data from people located in your country, then you could try the following suggestions:
1) On your entry form, ask entrants “Which country do you live in?”
Try adding a field to your form asking people to choose the country they are located in from a dropdown list. Only include the countries where you wish to collect entries from in the dropdown. This should prevent most people who are not located in the listed countries from entering.
2) Implement country-based visibility settings
On our Agency, Brand and custom plans, we offer country-based visibility settings. These settings allow you to show or hide campaign Widgets in specific countries. You could set the Widgets on your campaign to display only in non-European countries to prevent people located in Europe from entering your contest.
3) Enable double opt-in anyway
Even if you don’t believe you are affected by the GDPR, you could implement the double opt-in process for your lists anyway. Why? Double opt-in is used to stay compliant for laws like the GDPR, and it is used to build high-quality lists. When you use double opt-in, you ensure that only folks who are certain they want to receive your emails sign up for them. This increases your open rates and decreases your unsubscribes, improving the quality of your list. Win-win!
While staying compliant with the GDPR is important if you are located within the EU or processing the personal data of individuals located in the EU, when you use ShortStack, it isn’t difficult to comply with the requirements. We have nearly everything handled for you. All you need to do is:
- Enable the double opt-in requirement on your lists;
- Send autoresponders with the Email Subscribe Link after form submission;
- Create GDPR-compliant forms; and
- Include your business contact information in emails.
If you have any questions on the GDPR and ShortStack, feel free to reach out to our support team: firstname.lastname@example.org.