How this impacts your email marketing efforts:

Post by sourovk291 »

Privacy and security laws are continually changing to keep up with the ever-changing technology landscape and adapt to new digital realities, but it’s rare that we see updates as far-reaching as those regarding personal data protection and compliance with the European Union’s (EU) General Data Protection Regulation, or GDPR, which is set to come into effect on May 25, 2018.

As digital marketers, there’s a good chance that GDPR will impact your marketing efforts, specifically, and your business, in general, especially if you’re located in the EU or doing business with EU companies or citizens, just as it does ActiveTrail. In this guide, we’ve compiled our knowledge and insights on GDPR and its implications, and we’re offering it to you to help you prepare for and navigate the impending changes that GDPR implementation will bring with it.

NOTE: This guide is for informational purposes only and is not intended to be a substitute for legal advice or counsel. To understand how the GDPR may impact your business or organization, we strongly recommend consulting with appropriate legal, business, or other professionals.

GDPR – Introduction
Since 1995, data protection in Europe has been governed by Directive 95/46/EC and, as you can imagine, it has been due for a major overhaul for some time. As a result, in 2016, the European Commission (EC – the EU’s executive branch) adopted the General Data Protection Regulation, a comprehensive privacy law that is to be fully implemented across the European Union.

The GDPR is scheduled to officially come into force on 25 May 2018.

Due to the extended time between enactment and implementation, organizations will not benefit from a “grace period” and will have to comply with the GDPR as early as May 25.

Purpose of GDPR
Over the years, the EC and EU member states have adopted amendments to Directive 95 and local data protection legislation to keep up with technological developments and keep up with the times, leading to a desynchronization of privacy laws across the continent. In the words of the European Commission, the GDPR “…was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens, and to reshape the way organizations in the region approach data privacy…” (The GDPR Portal, https://www.eugdpr.org/).

The GDPR reinforces the European vision of the right to privacy as being on an equal footing with other fundamental rights, and controls how individuals and organisations can collect, use, store and dispose of personal data. With such a broad scope and EU-wide applicability of the GDPR, it has substantial implications for businesses, governments and organisations around the world.

Who is concerned?
More specifically, the GDPR affects two types of central entities:

1. EU Organisations – All organisations formed or incorporated in the EU.
2. “Extraterritorial” organisations – All organisations involved in the processing of personal data of EU citizens, i.e. the GDPR applies to any organisation in the world that processes the personal data of EU citizens, regardless of where that processing may take place.

The implication of #2 is that GDPR has the potential to impact the vast majority of organizations on the planet. Therefore, all organizations across all sectors and industries should ultimately conduct a thorough review to verify whether they are processing the personal data of EU citizens.

Compliance and penalty
Among the most far-reaching aspects of the GDPR are the excessively high penalties and fines imposed for non-compliance. Companies or organizations that violate the GDPR could be fined up to €20 million or 4% of annual global turnover (whichever is higher).

We have already mentioned that if you are an EU business or organisation, or if you process personal data of EU citizens (such as a common element like EU citizens’ email addresses), you are required to comply with the GDPR if you wish to continue activities related to that data. The scope of this integration is so broad that most organisations are encouraged to seek legal and other professional advice regarding their need to comply with the GDPR and, if applicable, the steps they need to take to ensure compliance after 25 May 2018.

It’s also worth noting that EU privacy legislation is often adopted, in one form or another, in other regions and countries around the world, so it may be to your advantage to prepare your organization for GDPR compliance, even if you believe that GDPR does not currently impact your business.

Main components of the GDPR
Terminology
For a better understanding of the important articles of the GDPR, here are some key terms defined in the regulation:

Personal Data: The GDPR defines personal data as “any information relating to an identified or identifiable natural person (hereinafter referred to as the ‘data subject’)”, i.e. any information which, by itself or in conjunction with other information, could serve to identify a specific person. This very broad definition encompasses data such as geographic data, financial information and IP addresses, as well as “traditional” personal data such as passport and social security numbers, names, biometric data and email addresses.
Most subscriber information you collect and store in ActiveTrail could potentially fit this definition, even pseudonyms and aliases that can be linked to specific individuals. Additionally, GDPR requires stronger protections for sensitive personal information such as health or racial data, and you should not store such data in your ActiveTrail account.

Data Processing: According to the GDPR, you are processing EU citizens’ personal data if you in any way collect, manage, use or store EU citizens’ personal data. Quoting the GDPR, processing is “any operation or set of operations which is performed on such data, irrespective of the means used, and in particular collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”
With respect to the use of the ActiveTrail system, if one or more of your mailing lists contain personal data of an EU individual, such as their name or email address, then you are considered to be processing EU personal data under the GDPR.

Data Controller: A data controller is an organization that uses EU citizens’ personal data for its own purposes. Data controllers determine what personal data to collect, for what purposes, and how the data will be processed and used. The vast majority of ActiveTrail customers are considered data controllers in their interaction with the ActiveTrail system, i.e. ActiveTrail customers decide which pieces of personal data they want to collect and insert into the ActiveTrail system, what data to transfer to their own systems, and how to use that data.
Processor: A processor is an organization that processes data on behalf of a controller. Through the services we provide to our customers, ActiveTrail serves as a processor.

Key concepts of GDPR
Although the 1995 Directive provides a starting point for the GDPR, many of the core principles of the GDPR are aggressive and significantly modify those of the 1995 Directive. Of particular interest, in our view, are:

A. A broader definition of personal data, as described above.

B. Covers a much broader group of organisations, including not only EU organisations, but also organisations outside the EU, or 'extraterritorial' organisations that process data of EU citizens.

C. Extension of data privacy rights for EU citizens, which organisations processing EU citizens' data must protect, including:

Right to be forgotten: An individual can request that their personal data stored by an organization be promptly erased.
Right to object: An individual may declare that certain parts of their personal data cannot be used.
Right of access: Individuals can request from any organisation to know what personal data about them the organisation processes and how it does so.
Right of rectification: Individuals can ask an organization to complete incomplete data or correct inaccurate data.
Right to portability: Individuals can request that personal data held by an organisation is transferred to another organisation, for example, if they change service providers.
D. Stricter requirements for obtaining consent, the most important of which is that organizations will need to obtain consent from an individual whenever they use their personal data, except under certain conditions described below. As a user of ActiveTrail software, you will need to obtain consent from your subscribers and mailing list members. Some points regarding consent:

Consent must be given in the context of a specific use.
Consent must be proactive, meaning that subjects must explicitly authorize or agree to give consent to the storage or use of their personal data, which may result in the disqualification of checkboxes or other similar means as a means of obtaining consent.
Consent must be given separately for different types of processing, so you should ensure that you explain how personal data will be used when asking for user consent.
Stricter processing requirements that require subjects to receive a “fair and transparent” description of how their personal data is processed, including:
The purpose for which the data is collected: The purpose must be specific and the data must only be used for the stated purpose (“purpose limitation”). In addition, you should, where possible, only collect and use data that is necessary for the stated purpose and not for more (“data minimisation”). Organisations must be aware of and able to justify (to authorities) what data they collect and why.
Retention period: The organization should retain personal data for the shortest period possible (“retention limitation”).
Contact details of the data controller (see below).
Legal bases: Organisations must have a justifiable legal basis for processing personal data (they cannot do it simply because they want to), such as needing the data to fulfil contractual obligations or that consent has been given to use personal data for a specific reason.

GDPR and data transfer across borders
We have mentioned a number of times that the GDPR has global implications, and this has a lot to do with how the GDPR treats cross-border transfers of EU citizens’ personal data from EU countries to countries outside the EU. However, in this respect, the GDPR does not depart from the 1995 Directive, as it deals with the conditions that must be met in order to transfer personal data outside the EU, implicitly suggesting that it is permissible to make such a transfer. Essentially, these conditions are provisions under which organisations can legally transfer EU citizens’ personal data outside the EU.

One of these provisions states that the European Commission may take explicit “adequacy” decisions, whereby the European Commission “may decide, with effect throughout the Union, that a third country, a territory or a specified sector within a third country, or an international organisation offers an adequate level of data protection… In such a case, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation”. For example, the European Commission may take a blanket decision that a given country has sufficient data protection measures in place, so that organisations transferring personal data to that country do not need to rely on another authority to transfer the data.

Controllers and Processors
Organisations that interact with EU citizens’ personal data are either controllers or processors, according to the definitions outlined earlier in this document. These definitions are almost unchanged from the 1995 Directive, but the GDPR imposes greater (and different) responsibilities on each category of organisation. Naturally, controllers are primarily responsible for protecting personal data. Data processors, while not primarily responsible, also have direct responsibilities. It is therefore imperative that you are aware of your status as a controller or processor under the GDPR and, therefore, your obligations.

Most ActiveTrail users fall into the category of controllers because they decide what information passes through and/or is stored in ActiveTrail and request ActiveTrail to process this personal data on their behalf (i.e. act as a data processor), for example by configuring ActiveTrail to send personalized emails to their subscribers.

Of course, these are just a few of the concepts and principles set out in the GDPR and it is recommended that you review the GDPR in its entirety (and seek advice, if necessary) before making any decisions about how to best prepare for the GDPR.