The General Data Protection Regulation (GDPR) came into effect May 25, 2018. Under the umbrella of protecting privacy of their residents, the focus of this regulation is on the collection of personal data for those living in the European Union (EU).
The definition of personal data is broader than you may think and includes items such as IP address or cookies, not just the standard contact information such as names and phone numbers. The regulation is broad and penalties can be steep, so those businesses that are collecting information from EU residents do need to be aware, regardless of where they operate.
As one would reasonably expect, this impacts companies with operations in the EU and those who collect personal data from EU residents. However, the regulations extend beyond EU-based companies and potentially impact companies operating exclusively in the US or Canada, but who collect personal data from EU residents (e.g. a EU resident fills out an online form about purchasing a home in the US). In all these scenarios there are hefty fines for non-compliance, so it’s important for each company to investigate the risks.
The information in this article is not a substitute for legal advice–if you are marketing to individuals from the EU, you should seek further assistance regarding your responsibilities and any potential liability your company may have.
What You Need to do: Getting Consent
For the majority of our clients, who focus on North America, you will probably need to be mindful of someone from an EU country filling out a form on your site or a partner’s site. One of the key responsibilities is to have proper consent to communicate with them.
Similar to CASL (Canadian Anti-Spam Legislation), getting consent is important for GDPR compliance, so you need to make sure you have:
- an opt-in checkbox (that’s not pre-checked) on all your registration/contact us pages. GDPR wants to make sure that those living in the EU want to receive the emails you send as well as explaining to visitors what you’re going to do with their data.
- an easy way for EU residents to remove their personal data. There are a number of ways to make it easy for them such as an unsubscribe link, link to a preference center, or an easy means for them to contact you regarding their data in the footer of your emails.
If, like most Lasso clients, you’re not proactively marketing to EU residents, but have some names in your database and would like to continue to market to these prospects, you are required by law to get consent to send them information. For those registrants where you do not have expressed consent, you can send them an opt-in email whereby they can choose to opt-in to future correspondence or they can provide you with written notice that they would like to receive email.
For those not actively marketing to EU residents but you have EU residents in your database, you may choose to delete them from Lasso or opt-out the registrant to ensure they don’t receive further email. (Part of the regulations discusses being “responsible” for the personal data of EU residents in your database, so you need to determine the best approach for your company.)
How to Find Your EU Leads/Prospects in Lasso
Lasso manages all the data that has been entered into the platform, including address information. There are a couple of ways to find EU leads/prospects in Lasso – via the Create Custom Listfunctionality and selecting the EU countries from the Address Information; or you can perform a Client Export of your data and review/analyze your registrant data via Excel.
The quality of the data is dependent on the completeness of each record upon initial registration and update. To ensure that you are tracking the country of residence moving forward, it’s important to speak to your web developer about including this information on your registration pages; or creating geo-specific registrations pages for website visitors from the EU and track that information in Lasso.
For further information or assistance with finding this information, please contact your Client Director or email firstname.lastname@example.org
Data Roles and Responsibilities
As with any new regulation, there is always a learning curve, understanding and interpreting the information. For GDPR, two terms frequently used are Data Controller and Data Processor. (You may have seen similar notices in Google Analytics or Google AdWords.)
Essentially, if you access personal data of an EU resident, you do so as either a Data Controller or a Data Processor, and there are different requirements and obligations depending on which category you are in. Here are the definitions from the European Commission site:
Data Processor Role and Responsibilities (Lasso)
“The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.”
In general terms, Lasso is a data processor for our clients—we process the data on behalf of the data controller (our clients). Lasso’s key responsibilities include providing the following support to clients to help them respond to data requests from EU registrants that fall under one of five expanded individual rights under the legislation. These rights include:
- the right to be forgotten
- the right to object
- the right to rectification
- the right of access
- the right of portability
For detailed information about how Lasso supports these rights, click here.
Data Controller Role (You)
“The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organization decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.”
In the context of Lasso and its application and related services, in the majority of circumstances, our clients are acting as the controller given they meet the requirements as they decide what registrant information/details is included in their Lasso database(s)/ project(s). The controller is also primarily responsible for data protection, including, for example, the obligation to report data breaches to data protection authorities. Most importantly, as mentioned previously, a key responsibility of a data controller is consent. It’s important to familiarize yourself with your responsibilities accordingly, as well as seek legal advice as necessary.
The regulation is vast and quite detailed, so we encourage you to do some further reading. Below are a few links to provide you with a deeper dive into GDPR.
More definitions: Some of the keywords to understand when looking at the legislation (Article 4)
General Requirements: Background and summary about GDPR
GDPR Checklist: GDPR checklist to help you get organized
Legal Information: Legal detail from the EU commission