How OnboardMail can help you prepare for the General Data Protection Regulation changes.
The GDPR (General Data Protection Regulation) came into force on 25th May 2018. The GDPR legislation is designed to give people in the EU more control over their data and to unify the regulations across the EU for how that data is processed. The legislation applies to all businesses operating in the EU and to all businesses (irrespective of location) who handle personal data belonging to those in the EU. OnboardMail has become compliant with the regulation and we’ve made additional improvements to our website and service platform to help you comply too.
What has OnboardMail done to achieve compliance?
Through reading the EU documentation on the GDPR and working closely with our team to grasp the impact on OnboardMail and our customers, we have taken the following steps to be compliant.
- Thoroughly research where and how OnboardMail is impacted by GDPR – DONE
- Educate all staff on the GDPR – DONE
- Rewrite our Privacy Policy to clearly explain our role as both a processor and controller – DONE
- Identify features and changes to the OnboardMail website and service platform, which will help compliance – DONE
- Implement additional features, such as offering a user the option to delete their account and data – DONE
- Audit all suppliers of OnboardMail to ensure their compliance – DONE
- Make the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – DONE
How can OnboardMail help me achieve compliance?
While it’s important that OnboardMail is compliant with the changes, it’s equally paramount that you, our customers, are compliant and understand what’s involved with the changes. We’ve made the following changes to the platform which will make it simpler for you to comply and to remain on the right side of the law.
- Launch Double opt-in functionality, which will make it simpler to record that subscribers have given explicit consent – DONE
- Add the option for customers to add ‘Terms & Conditions’ checkboxes to their hosted and embedded forms – DONE
- Provide support on the upcoming regulation – ONGOING
- Offer a data processing agreement which can be signed by you, the controller – ONGOING
How does GDPR affect me?
The GDPR, like any change in law, is a huge document made up of a number of different articles and concepts. Using the experience and knowledge gained by going through the compliance process ourselves, we have outlined the key changes which will most likely affect your business. We’re not lawyers, so we’d advise taking legal advice where required. We’d also recommend that you give the legislation a read yourself; the UK ICO website is a great place to start.
It covers all businesses, irrespective of location
This is perhaps the biggest change to data protection regulations, which is why it’s here, right at the top. GDPR applies to all companies processing the personal data of individuals (data subjects) based in the European Union, regardless of the company’s location. In short, if you run a store based in the USA which is targeting customers based in Germany, then you will need to comply with GDPR. In that case you will also have to appoint a representative in the EU.
Fines
One of the main reasons why companies are taking GDPR so seriously is the huge fines which can be issued for a breach of the regulations. If you are found to have breached the regulation you can be fined up to 4% of annual global turnover or €20 million (whichever is greater). The fines apply to both controllers and processors and will be issued for serious breaches. With the right advice and steps taken, though, you should be okay.
Consent
OnboardMail only allows you to send emails to subscribers who have opted in, or consented, to receiving communications. This will remain the same, but GDPR will strengthen the conditions for consent. Consent must be freely given; it must be distinguishable from other matters and be provided in an easily accessible form, using clear and plain language. You will need to make it as easy to withdraw consent as it is to give it, so ensure you have unsubscribe links in all emails.
In short, this will not mean a significant change for most genuine businesses; but if you’re using any kind of confusing double-speak or pre-ticked checkboxes to collect emails for marketing purposes, those are no longer okay.
Breach notification
In the event you get hacked or an employee’s laptop gets stolen, you will need to notify your customers if the breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. No cover-ups allowed, regardless of the size or stature of your company.
Right to access
Your customers, employees or other data subjects now have the right to request how their personal data is being processed, where it’s being processed and for what purpose. Furthermore, you’ll need to be able to provide a copy of the personal data, free of charge, in an electronic format.
Right to be forgotten
This entitles the data subject to have the controller of the data erase their personal data. This only needs to be done under certain conditions, which are outlined in Article 17 of the GDPR. As a controller you should not be holding personal data for any longer than necessary – those old lists and campaigns you have in OnboardMail? If they’re not needed anymore, they should be deleted.
If you have any questions, please get in touch.