On May 25th 2018, the GDPR (General Data Protection Regulation) came into effect. eTrigue DemandCenter has a tool set to simplify the implementation of (GDPR) compliance programs.
We’re committed to putting easy-to-use tools in the hands of our customers and to assist them in understanding how GDPR affects their business and assisting them in preparing their own compliant processes.
BACKGROUND
The European Union has enacted new legislation – the General Data Protection Regulation (GDPR). The regulation was agreed to and adopted in 2016 and took effect on May 25th 2018. These regulatory provisions apply to the data of EU individuals, no matter where the data may be.
There are 28 countries in the EU, and three additional countries in the European Economic Area (EEA) that this regulation applies to. If you’re a company who deals with processing data with customers in the EU, then the GDPR applies to you.
GDPR and eTrigue
GDPR compliance with eTrigue as is straightforward, with specific capabilities to simplify the implementation and management.
- Consent
- Obtaining consent
- Other options for consent
- Jurisdiction
- Respecting email consent
- Email Opt-out and subscription management
- Data privacy
- Right to understand what data is stored:
- Right to rectification (change inaccurate data)
- Right to erasure (to be forgotten)
Consent
A key part of regulatory compliance targeting email marketing is getting consent from prospects prior to sending them commercial emails. Under GDPR, for example, the data controller “shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
DemandCenter has capability to allow customers to get, store, audit, and respect email consent.
The “Jurisdiction” and “Email Consent” fields provide a way to meet the email communication requirements of each regulatory jurisdiction with the ability to suppress non-compliant communication. While the focus of this article is GDPR, these features also cover Canada's anti-spam legislation (CASL) and the U.S.’s CAN-SPAM Act requirements.
- Track and retain email consent for each prospect with a clear history of consent choices.
- Maintain a jurisdiction field for every prospect.
- Understand the context under which consent was given or modified.
- Obtain prospect consent through DemandCenter forms with consent check boxes.
Obtaining Consent
An “Email Consent” field is in DemandCenter as an integral part of the overall consent management within DemandCenter. Using the “Email Consent” field combined with additional features gives customers the ability to easily manage the request for consent, have campaigns only to those who have given consent, and to audit consent provided by prospects.
The “Email Consent” field is a checkbox field which will be set to “No” (unchecked) by default. While the field is set to no, that does not mean a prospect denied consent, but has not explicitly given consent. The email consent is different from other Boolean/checkbox fields in that it has an editable request for consent message field attached to it. The “Email Consent” field is available for use in both standard and progressive forms. On progressive forms, consent will be requested in the first form fill.
Marketers can define the messaging (the text is editable) for consent for the field.
When consent is given by a prospect, the date and the message are recorded in the prospect's activity history. This allows for, and can show multiple consent events over time.
The activity history in each prospect record can also be filtered by consent activities similarly to other standard activities.
Consent will also be shown in the Touch Management portion of the prospect record.
Other options for setting consent
While forms are the most evident method for acquiring consent, in some cases records will be imported for prospects that have given consent, records added from CRM, and the manual modification of a specific record. In all of these cases the consent will be added to the activity record with the specific source of the modification.
When a manual modification of consent is attempted, a warning will appear. The consent modification will be logged in the prospect record.
Jurisdiction
A “Jurisdiction” field is available to use in conjunction with the “Email Consent” field. By default the Jurisdiction field will include CAN-SPAM (US), CASL (Canada) and GDPR (EU) options. Additional jurisdictions can be added for future regulatory requirements.
To learn more about the Jurisdiction field, click here.
Respecting Email Consent
Jurisdiction and Email Consent fields are searchable so that lists can be created for specific markets.
Every campaign Start Action contains a “Suppress prospect emails if consent not given” section. Marketers can suppress the sending of emails to prospects who have not given consent for the specific jurisdictions they are part of, directly from a campaign. This provides the ability to use current multi-jurisdiction lists and still suppress those prospects that have yet to provide consent. It also stops email from being sent to prospects who are already in a campaign, and have subsequently revoked consent.
Email Opt-out and Subscription Management
DemandCenter’s email Opt-out and Subscription Management also affects the Email Consent status of a prospect in specific situations by automatically withdrawing Consent. Prospects who have given consent can easily update their consent choices using opt-out and subscription preferences:
If a prospect selects to opt-out
- Email Consent is revoked and the email consent field will be set to No.
- Email status will be set to Opt-Out.
- Change of consent will be logged in prospect history.
The subscription management behavior will also change.
If a prospect deselects all subscription types and clicks save:
- The prospect will be prompted asking if they would like to opt-out of all email communications.
- If Yes, it will be treated as an opt-out, and the email consent will be revoked
- If No, the prospect will be unsubscribed from all current subscription types. Note: Future subscription types will be added with Yes/No as set by the creator of the new subscription.
If a prospect deselects just a few specific subscriptions types (less than all of them) and clicks save:
- Subscription history will be updated
- No change of consent in this case
Need more information on Email Consent? Click here.
Tracking Consent
DemandCenter has capability to allow customers to get, store, audit, and respect tracking consent. For more information, click here.
Data Privacy
Data Privacy is an important part of your GDPR implementation. Prospects have the right to understand what data you have stored regarding their engagement with your organization, they have the right to have some or all data removed or rectified at their request, and finally the right to be forgotten:
The right to understand what data is stored:
The right to understand what information has been stored by an organization is one of the key tenants of the GDPR data privacy category. A capability to export all data on a prospect is part of the prospect detail screen. This allows a PDF download of all information that can be provided upon request.
There is an export button on each Prospect Profile - Details tab, to initiate the download.
The Right to rectification (change inaccurate data)
The right to rectification is supported in DemandCenter. All changes requested by a prospect can be edited in the prospect detail. No additional features are required for this functionality.
The Right to erasure (to be forgotten)
The right to be forgotten requires organizations to remove all information on a specific prospect except specific cases outlined in GDPR. A feature has been added allow admins to permanently delete a prospect and their corresponding information from DemandCenter. Because many instances are connected to CRM and other external services via integrations or the DemandCenter API, the process of deletion is designed to prevent the immediate re-population of data from an external source. The following process is used to assist customers in being able to remove prospects without having to turn off any integrations while data is removed from external sources:
- Upon selecting to clear prospect data, all data except for the email address will be hard deleted.
- The email address will be specifically encoded and used to identify any future incoming data for this process
- Any incoming data from a third party application or the DemandCenter API will be rejected based on email address for a 30 day period.
- Understand when a “forgotten” prospect has been re-created. If a prospect is recreated after the 30 day period their prospect record will reflect the fact that they were re-created after all data had been removed.
This process is designed to eliminate any unexpected incoming data while organizations clear data across all of their platforms and to maintain a record on re-creation that can be monitored to help identify legitimate re-created records vs. services that are connected to DemandCenter that for some reason did not have their data removed per the prospects request.
Disclaimer
eTrigue has made this information available to assist organizations in understanding the GDPR. The information contained herein is not legal advice and shall not be construed as legal advice.
Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required. Organizations should consult their legal counsel to interpret and understand their obligations under the GDPR, and how their organization utilizes and processes personal data.