GDPR Resources and Implementation Notes

What is GDPR and does it affect me?

The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It comes into force on May 25th 2018.

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

How do you know if you process data for EU citizens? If you do not have a confirmed mailing address associated with each data record, it can be hard to tell. Since GDPR penalties are steep, if you are unsure if your contacts are strictly outside the EU, it is safer to treat all of your contacts in the same way and adopt GDPR practices.

What rights does the GDPR provide?

The GDPR pertains to you and your customers and contacts, and provides the following rights to EU residents:

Right to be informed: You and your contacts have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’ which is published in a Privacy Policy. You must provide privacy information to individuals at the time you collect their personal data from them.

Right of access: You, or your contact, can ask us what personal data is being processed (used), why and where. Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

Right to rectification: If you, or your contact, want to correct, revise or remove any of the data we retain – as explained in our Privacy Statement – you may do so at any time. We have one month to respond to this request.

Right to be forgotten: If you, or your contact, need to cancel your ContentMX account, or want to be removed from a contact list at any time, we will permanently remove your account or contact record and all information associated with it.

Right to restrict processing: If you, or your contact, believe your personal data is inaccurate or collected unlawfully, you may request limited use of your personal data. When processing is restricted, you are permitted to store the personal data, but not use it.

Right of portability: We provide you with the ability to move any of your account data to a third party at any time.

Right to object: If you, or your contact, decide that you no longer wish to allow your data to be included in our analytics or for us to provide personalized (targeted) marketing content at any time, you may contact us to request removal of this data.

ContentMX will provide the necessary mechanism to comply with requests from you, and support you in fulfilling GDPR requests from your customers and contacts.

What do I need to do to be compliant with the GDPR?

Both you and ContentMX have obligations and requirements for GDPR compliance. Our Terms of Service and Privacy Policy require you to lawfully obtain and process all personal data appropriately. You will need to continue to do this to be compliant with the GDPR.

If you collect EU residents’ personal data, you are likely to be classified as a data controller under the GDPR. This means you will have some additional obligations around such things as data subject rights. We urge you to understand this and seek legal advice where you think necessary.

You are the Data Controller and we are the Data Processor

Suppose a contact of yours is an EU citizen. She’s called the “data subject,” and your company is called the “data controller” of that data. If you’re a ContentMX customer, then ContentMX acts as the “data processor” of your contacts data on behalf of your company. With the introduction of the GDPR, data subjects are given an enhanced set of rights, and data controllers and data processors like you and ContentMX, respectively, receive an enhanced set of regulations.

ContentMX Features Supporting GDPR

ContentMX provides a number of product features that can be used when applying GDPR policies and procedures. Here we outline some of the key GDPR requirements along with a brief description about how to satisfy these requirements using our platform.

Using these GDPR features, on their own, will not make your process GDPR compliant; rather, these are the features that will help you comply.

Lawful basis of processing

What it Means: You need to have a legal reason to use your contact’s data. That reason could be consent (she opted in) with notice (you told her what she was opting into), performance of a contract (e.g. she’s your customer and you want to send her a bill), or what the GDPR calls “legitimate interest” (e.g. she’s a customer, and you want to send her products related to what she currently has).

What ContentMX Does: We provide the ability to track that reason (also known as “lawful basis”) for communicating with a given contact. A multiselect permission property associated with each contact record is used to track lawful basis. This property can be set to Express, Implied, or Unknown permission and is editable manually via the platform UI or set automatically through lead capture forms. When permission is set, the date and time and IP address of the user is also recorded.

Consent

What it Means: One type of lawful basis of processing is consent with proper notice. In order for your contact to grant consent under the GDPR, a few things need to happen:

  • She needs to be told what she’s opting into. This is called “notice.”
  • She needs to affirmatively opt-in (pre-checked checkboxes aren’t valid). Her filling out a form alone cannot implicitly opt her into everything your company sends.
  • The consent needs to be granular, meaning it needs to cover the various ways you process and use her personal data (e.g. marketing email or sales calls). You must log auditable evidence of what she consented to, what she was told (notice), and when she consented.

What ContentMX Does: In ContentMX, we have added features to make it easy to collect, track, and manage consent in a GDPR-compliant way.

The most common way for ContentMX customers to acquire new contacts online is through Lead Capture Forms (also known as Promotions). This is one of the ways new contacts might initially engage with your company. When lead capture forms are published, they will provide proper notice to contacts before they provide information to you (using text prompts on the forms), and to collect the appropriate consent when contacts are ready to grant it.

An additional detail on notice: if you need to link out to additional notice provisions (like privacy notices), you can do so using hyperlinks in forms.

Once your contact submits her information, we will store a link to the promotion form provided, information about which consent she provided, and the IP address and timestamp of the interaction.

This level of consent tracking is also available during the import process so that you can upload your contact lists that are lawful for processing and assign them Express permission.

Withdrawal of consent (or opt out)

What it Means: Your contact needs the ability (as data subject) to see what she’s signed up for, and withdraw her consent (or object to how you’re processing her data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.

What ContentMX Does: In ContentMX, your contact can withdraw her consent using the subscription link at the bottom of every email message. On your subscription preferences landing page, she can easily withdraw that consent. Alternatively, if you receive a withdrawal of consent directly from your contact (verbal or written), you will be able to sign in to your ContentMX account and modify the permission property for her contact record.

Cookies

What it Means: Your contact needs to be given notice that you’re using cookies to track her (in language she can understand) and needs to consent to being tracked by cookies.

What ContentMX Does: We’ll update the default language for enabling cookies on ContentMX landing pages to reflect affirmative opt-ins, and make it possible to show different versions of the cookie consent message based on information you specify.

Deletion

What it Means: Your contact has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of her contact record from your database, including email tracking history, activity records, form submissions and more.

What ContentMX Does: In many cases, you’ll need to respond to her request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply. You will be able to perform a GDPR-compliant permanent delete in your ContentMX account.

Access / Portability

What it Means: Just as she can request that you delete her data, your contact can request access to the personal data you have about her. Personal data is anything identifiable, like her name and email address. If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV).

Your contact can also request to see and verify the lawfulness of processing (see above).

What ContentMX Does: ContentMX enables you to grant any access/portability request by easily exporting your contact’s record into a machine-readable format.

You can verify your contact’s lawfulness of processing using the associated permission property we mentioned above.

Modification

What it Means: Just as she can request to delete or access her data, your contact can ask your company to modify her personal data if it’s inaccurate or incomplete. If and when she does, you need to be able to accommodate that modification request.

What ContentMX Does: In ContentMX, if your contact asks you to change her information, you (or your portal admin) can do so by accessing her contact record using the ContentMX user interface.

Security Measures

What it Means: The GDPR requires many data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization.

What ContentMX Does: As part of ContentMX’s approach to the GDPR, we are strengthening our security controls across the board. In addition to industry standard practices around encryption, ContentMX’s infrastructure teams are also improving our systems for authentication, authorization, and auditing to better protect our customer’s data.

LAST MODIFIED: May 7, 2018