The General Data Protection Regulation (GDPR) is being introduced to harmonize data privacy laws across Europe. It aims to protect all EU citizens from privacy and data breaches and give citizens greater control of their data.
It comes into effect on 25th May 2018 and will be enforced by the Information Commissioner's Office.
Details about GDPR can be found at the following sites:
- The European Union’s GDPR portal.
- The full GDPR legislation.
- The Information Commissioner's Office (ICO) Guide.
Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.
The GDPR applies to any organisation processing personal data of EU citizens. Personal data can be a name, email address, address, phone number, social media account or even an IP address. The GDPR also applies to all industries and sectors.
The GDPR features an expansion of individual rights including:
- Right to be forgotten: An individual can request that an organisation remove all personal data they hold without delay.
- Right to object: An individual can prohibit personal data being processed in certain ways.
- Right to rectification: An individual can request incorrect personal data to be corrected.
- Right of access: An individual has the right to know what personal data an organisation has about them and how it is processed.
- Right of portability: An individual can request that personal data be transported from one organisation to another.
- Right to fair and transparent processing: An individual has the right to information about the processing of their personal data.
The GDPR outlines stricter consent requirements, and organisations must ensure that consent is obtained for every usage of personal data. Consent must be specific to a distinct purpose. Pre-ticked checkboxes and silent consent will no longer constitute consent, and you must be clear about the processing activities consent is given for.
Changes to ekmResponse
The GDPR outlines stricter consent requirements for the processing of personal data. This affects the sending of email campaigns through ekmResponse. In order to become GDPR compliant, we have had to make the following changes to ekmResponse:
Storing of consent
We have updated our system to enable the storing of consent information for each contact. Contacts we don’t have stored consent for will be visible via the Non-Consented Contact Group option in the left-hand navigation menu of ekmResponse.
Contacts are added to ekmResponse in one of three ways:
- Sign up through a signup form: Contacts signing up by this method receive a confirmation email asking them to confirm they wish to receive campaigns.
- Sign up via the checkout of your EKM shop: Contacts signing up by this method actively check a checkbox during checkout.
- Manually added by the account holder: As the account holder, you are stating that you have permission to send your campaigns to the contacts you are adding. This is stated on all input screens that are affected.
Up until the 21st May 2018 when GDPR comes into effect, we will allow you to continue to send campaigns to contacts we do not have stored consent for. After that date, the system will only allow you to send to contacts we have stored consent for.
Consenting Current EKM Contacts
There are several ways that you may set consent for your existing contacts. It is, however, important to note that by clicking the available consent buttons provided by ekmResponse you are in fact stating that you have consent. You may give consent to your contacts in the following ways:
- Re-import from ekm Shop. As contacts from your ekm Shop have provided consent, re-importing them into ekmResponse will ensure that the correct consent is stored and they can be contacted in future campaigns.
- Non-Consented Contact Group. In this group, you are able to give consent to all of your non-consented contacts simply by clicking ‘Consent All’ and confirming your decision. If you do not want to consent all your contacts, you are able to give consent to each contact individually.
- GDPR Information Modal. The modal will appear when you first log into ekmResponse after the GDPR code has gone live. This gives you the opportunity to give consent to all of your contacts immediately. This modal will re-appear shortly before the GDPR legislation comes into effect.
- Re-Permission Campaign. You may send a re-permission campaign to your contacts by simply creating a campaign as normal and then adding the RePermission tag. Once the recipient has received this email, they can click the link, which will take them to a consent form (in a new browser window). Once they click the button, ekmResponse will be automatically updated.
The GDPR legislation includes the need to provide a route that allows recipients to update their personal details. To achieve this, we have added a new Preferences link in the footer of each email that allows the recipient to update their personal details (except their email address) that are held by ekmResponse.
Changes to ekmDomains
There are no changes to the ekmDomains system and your domain will continue to function as normal. However, GDPR has an impact on the whois data for all registered domains.
Currently, personal data such as name, address and email address are visible for all whois lookups. For domain types where there is no legal requirement to display personal data in a whois lookup, our domain providers will be taking steps to ensure that access to personal data is given only to those with a legitimate reason for accessing it.