RightMessage, Personalization and GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) replaces and unifies data protection laws from throughout Europe and relates to the protection, processing and handling of personal data.
Does GDPR apply to me?
The GDPR applies to all EU organisations, from sole traders to corporates, that process personal data, as well as organisations that process personal data that relates to individuals within the EU.
If you retain or process any such personal data, then you must ensure that you meet the relevant conditions of the new General Data Protection Regulation (GDPR).
What is personal data?
Personal data is data that relates to a living individual and allows that individual to be identified from such data (data subject). Under the GDPR the definition of personal data is more detailed than previous definitions and includes online identifiers such as an IP address.
Where a visitor to your website may be identifiable to you when using RightMessage, GDPR will apply.
Is RightMessage a Controller or a Processor?
Both, depending on the context.
When you’re using information about your customers or potential customers to better personalize the experience they have on your website: your visitors are the Data Subjects, you are the Controller, and RightMessage is the Processor.
In the context of RightMessage holding data about you as a customer of ours, or as a visitor to our own web site, you are the Data Subject and we are the Controller.
Am I breaching GDPR if I personalize my marketing / use RightMessage?
Nope. Personalization and GDPR are perfectly compatible, as long as you go about it the right way – we would recommend that you consider the Privacy Notice on your own website, to ensure compliance with GDPR and to ensure that your visitors are aware of how their personal data will be processed through RightMessage. Keep reading for more detail!
If I’m personalizing to top-of-funnel / anonymous visitors, do I need to do anything to be GDPR compliant?
If the data being used cannot be used to identify a living individual (for example where it is anonymized) then no measures need to be taken in relation to GDPR and thus no consent is required.
If I’m personalizing to subscribers and customers based on personal data stored against their email address in my email marketing tool / CRM, do I need to do anything to be GDPR compliant?
Yes, in this instance the data being used is personal data as it identifies a living individual, thus you will need to give the individual the following information (at the time that their personal data is collected):
details of the personal data being collected;
purpose of processing the data;
proposed retention period; and
who the personal data will be shared with.
Consent may be required, but this will depend on the lawful basis for processing the data. Consent is one of the lawful bases for processing data; the others are:
that it is necessary for the performance of a contract;
that it is necessary for the compliance with a legal obligation;
that it is necessary to protect vital interests where consent cannot be given;
that it is necessary for public interest reasons or for the controller to carry out a legal function; or
that it is necessary for the legitimate interests of the Data Controller.
As for what RightMessage servers store about your visitors to facilitate personalization: nothing. Your visitor's browser will ask RightMessage for the data, the RightMessage servers will fetch that contact's data from your email marketing tool, and will then return it straight to the visitor's browser without storing it. None of your visitor's personally identifiable information is stored on RightMessage servers.
What about sensitive data, such as medical/health information?
Some personal data is more sensitive and so requires more protection, including (amongst others) information relating to health, race, religion, politics, sexual orientation, etc.
Where this sensitive information (known as special category data) is processed, you must identify one of the reasons listed above as a lawful basis for processing the data (including consent or that it is necessary for the performance of a contract) AND an additional reason (set out in Article 9 of the GDPR), unless the individual has given their explicit consent for you to process their personal data in that way.
Is RightMessage part of the EU-US Privacy Shield?
The EU-US Privacy Shield (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en) protects the rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.
It requires participating US companies to cooperate and to ensure the protection of the personal data of EU individuals.
RightMessage is striving for GDPR compliance and as such will be reflecting the requirements of the EU-US Privacy Shield.
Do you have a Data Processing Addendum?
Any time that a Data Controller uses a Data Processor, and therefore passes over personal data, the Data Controller must be confident that the Data Processor (such as RightMessage) takes measures to ensure that it is GDPR compliant, so that the Data Controller complies with Article 28 of the GDPR:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
The terms of the processing must be set out in a written contract and this should include the following information:
that the personal data will only be processed in accordance with the instructions from the Data Controller;
that the Data Processor has committed itself to confidentiality or is under an appropriate statutory obligation of confidentiality;
that the Data Processor has taken all measures required in relation to security of processing the personal data;
that the Data Processor will not engage another processor without prior specific or general written authorisation of the Data Controller;
that the Data Processor will impose the same conditions on any other processor that they have agreed with the Data Controller to adhere to;
that the Data Processor will assist the Data Controller in any obligation to respond to requests for exercising the data subject's rights;
that the Data Processor will assist the Data Controller in ensuring compliance with the obligations in relation to Data Security, notifying the ICO and the data subject of a data breach, Data Protection Impact Assessments (if applicable) and consultations;
that the Data Processor will, at the request of the Data Controller, delete or return all the personal data after the end of the provision of services relating to processing, unless legally required to continue to store the personal data;
that the Data Processor will make available to the Data Controller all information necessary to demonstrate compliance with GDPR and allow for audits, including inspections, conducted by the Data Controller.
We’ll be updating our Terms of Service to include sufficient measures for most businesses we’ve spoken with, but we can also supply this to you to sign separately on request.
Have RightMessage updated their Privacy Notice? Can I just copy theirs?
We’re in the process of updating our Privacy Notice, and Terms of Service, to be fully compliant and to explain to you how we’re handling that compliance.
A Privacy Notice is individual to your business and as such you shouldn’t simply reuse another business’s Privacy Notice for your own use.
OK, so that explains how everything works re my visitors’ personal data. What about me as a RightMessage customer? Is my own personal data dealt with in accordance with GDPR?
you can ask us or third parties to stop sending you marketing messages at any time by contacting us.
giving you the right to request access to your personal data, enabling you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
giving you the right to request correction of your personal data, enabling you to have any incomplete or inaccurate data we hold about you corrected.
giving you the right to request erasure of your personal data, enabling you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
giving you the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
giving you the right to request restriction of processing your personal data, enabling you to ask us to suspend the processing of your personal data in the following scenarios:
if you want us to establish the data's accuracy;
where our use of the data is unlawful but you do not want us to erase it;
where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
giving you the right to request transfer of your personal data to you, or a third party you have chosen, in a structured, commonly used, machine-readable format.
How do I know if I’ve done everything right and am GDPR compliant?
Consult a solicitor specialising in Data Protection law who will be able to give you advice that is relevant to your business and your industry. There is no ‘one size fits all’ for GDPR and so you must ensure that the steps taken to become GDPR compliant are appropriate for your business.
Inform your clients and customers of what personal data you collect, how it is collected and how it is used as well as their rights in relation to that personal data. This will be covered in your Privacy Notice.
If you have any specific questions in relation to how GDPR affects your use of RightMessage that have not been answered above, or in relation to GDPR and your own business, please contact us – firstname.lastname@example.org