Disclaimer: MoEngage is only a marketing automation service provider, and the article does not constitute technical and legal advice about GDPR compliance. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.
Unless you have been living under a rock, you will have stumbled upon the acronym GDPR (General Data Protection Regulation). GDPR is the new set of rules governing how companies handle the personally identifiable information of customers residing within the EU. GDPR is set to impact every business that operates directly or indirectly in the EU, and non-compliance could result in severe penalties, in some cases up to 4% of the company’s annual revenue.
It may sound scary, especially if you have never heard of GDPR. But there is no need to panic, as you are not alone (see the chart below). A mere 36% of marketers and business leaders are aware of GDPR, and many companies are still figuring out their path to GDPR compliance. There is still time, and hopefully, with the help of this article, you could be the rainmaker driving your organization towards total GDPR compliance.
We have put together an exhaustive guide that gives marketers a background about GDPR, what has changed, how it can potentially impact their business and a few pointers to achieve GDPR compliance. Let’s get started.
What is GDPR?
The EU’s pursuit of better consumer data protection and consumer rights has finally taken shape in the form of GDPR (General Data Protection Regulation). GDPR is a set of mandatory requirements that regulates how companies interact with, collect, and store personal information about consumers. GDPR lays particular emphasis on lawful consent for obtaining customer information, customer rights over the information they share, and the legal basis on which companies process that information. It also means consumers have more freedom to choose what personal information they share with companies and how those companies make use of it.
When is it coming into effect?
When GDPR was announced in May 2016, companies were given a two-year window to comply with the new law. Accordingly, GDPR becomes effective on May 25, 2018, and all companies that record, store, or process the information of EU residents are required to comply with GDPR standards by this date.
Is my organization affected by GDPR?
The GDPR affects only companies that collect, store, and process the ‘personal data’ of users in the EU. However, there is a high chance that your organization is one of them. “Personal data” means data relating to a living individual who is or can be identified either from the data alone or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. Examples include a cell phone number, gender, and user preferences. If you are a customer of MoEngage operating out of the EU or running campaigns targeting users who reside in the EU, the answer is YES.
Company categorization under GDPR
Under GDPR, companies are broadly classified as “data controllers” and “data processors.” Data controllers are companies or organizations that collect the data from EU consumers. Data processors are companies or organizations that process the data on behalf of the data controllers. Simply put, if you are a customer of MoEngage, you then become the “data controller,” and MoEngage becomes the “data processor.”
How does this affect me?
The definitions do more than categorize companies. They also carry legal ramifications and obligations for both controllers and processors. For example, if you are a ‘processor,’ you are required to maintain records of personal data and are also legally liable in the event of a breach. If you are a ‘controller,’ your contracts and agreements with a ‘processor’ must comply with the GDPR guidelines.
What is GDPR’s impact on user rights?
Under GDPR, citizens of the EU have the right to consent to, reject, erase, and control the private information that companies collect for business purposes. In general, it gives users more freedom and control over what information they share with companies and how companies can make use of it.
How does this affect me?
User rights to privacy and data protection are the primary goals of GDPR. So, as a marketing organization, you will have to factor all of the above user rights into the entire process of data collection, processing, and usage.
User Consent and Opt-in under GDPR
Under the new regulation, companies that collect the data of EU consumers may need to obtain fresh consent from their users.
GDPR sets a high standard for consent, which must be obtained through an affirmative action such as an opt-in (it specifically bans pre-checked opt-in checkboxes). Opt-in terms must be unambiguous, and users must have the right to withdraw their consent.
Moreover, consent is required separately for each distinct processing operation, meaning consent must be specific and not bundled. So you will need separate terms to obtain consent for, say, the opt-in and for location tracking.
The GDPR also gives users the option to withdraw consent. This means you need a mechanism to store consent and to remove it upon the user’s request.
How does this affect me?
Most likely you will need to revamp your consent/opt-in process to meet the GDPR guidelines. Make your consent request prominent, simple, and separate from other terms and conditions. A genuine consent request must include:
- the name of your company;
- the identity of any third-party controllers who will rely on the consent;
- the purpose for which you are collecting the data and what you wish to do with it;
- a statement that individuals have the right to withdraw consent at any time.
Don’t use pre-checked tick boxes, opt-out boxes or other default settings. Users must actively opt-in. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.
Keep records to evidence consent – who consented, when, how, and what they were told.
Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.
Here’s a handy infographic-cum-checklist that covers more or less everything about consent and opt-in.
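As an added example (not MoEngage’s code or part of the original article), here is a minimal consent ledger that enforces the checklist above: it refuses anything that is not an affirmative opt-in, keeps one record per granular purpose, stores who consented, when, how and under which terms, keeps withdrawals as evidence rather than deleting them, and treats consent as stale once the terms for a purpose change. Purpose names, terms versions and capture methods are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed consent ledger following the checklist above (added example, not MoEngage
# code). Purpose names, terms versions and capture methods are hypothetical.
@dataclass
class ConsentRecord:
    user_id: str
    purpose: str                # one granular purpose, e.g. "location_tracking"
    terms_version: str          # the wording the user was actually shown
    method: str                 # how consent was captured, e.g. "signup_form_checkbox"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None   # set on withdrawal; the record is kept

class ConsentLedger:
    def __init__(self, current_terms: Dict[str, str]):
        self.current_terms = current_terms   # purpose -> terms version now in force
        self.records: List[ConsentRecord] = []

    def record_consent(self, user_id, purpose, method, affirmative, now=None):
        # Consent must be an affirmative action: a pre-checked box or a default
        # is not consent, so the ledger refuses to record it.
        if not affirmative:
            raise ValueError("consent must be an affirmative opt-in, not a default")
        rec = ConsentRecord(user_id, purpose, self.current_terms[purpose], method,
                            now or datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def _active(self, user_id, purpose):
        return [r for r in self.records
                if r.user_id == user_id and r.purpose == purpose and r.withdrawn_at is None]

    def withdraw(self, user_id, purpose, now=None):
        # Withdrawal is itself evidence: mark the records rather than deleting them.
        ts = now or datetime.now(timezone.utc)
        for r in self._active(user_id, purpose):
            r.withdrawn_at = ts

    def has_consent(self, user_id, purpose):
        # Only an active record given under the terms now in force counts; changed terms need fresh consent.
        return any(r.terms_version == self.current_terms.get(purpose)
                   for r in self._active(user_id, purpose))

    def evidence(self, user_id):
        # Who consented, when, how, what they were told, and whether it was withdrawn.
        return [{"purpose": r.purpose, "terms": r.terms_version, "how": r.method,
                 "when": r.given_at.isoformat(), "withdrawn": r.withdrawn_at}
                for r in self.records if r.user_id == user_id]
```

Call `has_consent(user, purpose)` before every processing operation for that purpose; a `False` result means either no opt-in, a withdrawal, or terms that have changed since the opt-in.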
Lawful bases to process data (for companies)
Under GDPR there are six lawful bases for processing the personal information of users.
The new GDPR guidelines make it harder to transfer the data of customers residing in the EU to a destination outside the EU. Even if a user is residing outside the EU but is an EU citizen, your brand is required to comply with the GDPR guidelines.
How does this affect me?
This may mean you need to set up a data storage mechanism that collects and stores the data within the EU. MoEngage recently set up a data center in Frankfurt, Germany, which will help us and our customers comply with the upcoming General Data Protection Regulation (GDPR).
What is MoEngage’s take on GDPR?
At the outset, GDPR may look intimidating, since it makes it harder for marketers to access user information. However, it also gives marketers an opportunity to reconnect with their audience and strengthen the brand-consumer relationship. Take the opportunity to inform users of the data you collect and how you use it, and make them aware of their rights; this can be reassuring and builds trust.
How does GDPR apply to MoEngage?
When it comes to the use of our platform by MoEngage clients, those clients are the controllers and MoEngage is a processor—and that means MoEngage follows the instructions of its clients when processing personal data on their behalf. However, MoEngage is the controller for the personal data it collects from its own employees (those who are EU citizens) and from EU citizens who visit the MoEngage website or whose data is collected in other ways through our marketing programs.
MoEngage’s commitment to data security and privacy
At MoEngage, we believe in “security by design,” meaning that we have built security into the core of our product and have made it a key focus area since day one. MoEngage’s security by design committee meets regularly to review, discuss and implement privacy principles in the design and development of the features, functionalities, and operations of MoEngage. The committee includes manager-level employees from the product, engineering and operations organizations together with MoEngage’s privacy and security teams.
How do we enable our customers to be GDPR compliant?
As a data processor, MoEngage is focused on automating—as much as is technically feasible—the ability of its clients to comply with the rights of EU citizens. For instance, MoEngage has already updated its platform so that clients can respond to requests from individual data subjects: MoEngage already provides a way for customers to export user data, and, if required, clients can raise a support ticket to have customer data deleted on demand.