GDPR Checklist – Download the checklist with the most important points for your company to think about before GDPR
When we posted this blog in Sweden, the traffic and interest were overwhelming. GDPR is, as we all know, important for all companies that handle personal data, and these companies therefore need to get consent from each subscriber in their database.
We at Triggerbee have also launched a solution to handle the registration and documentation of consent, which we named “Triggerbee Consent”, so if you also need help with this, don’t hesitate to contact us.
In any case, we hope that this blog can be helpful in understanding GDPR in an easy way, so keep on reading and please share it with others.
GDPR fulfills all the criteria to be one of the biggest talking points of 2017. People are worried, and companies are forced to change the processes within their organizations.
But the truth is that the new data protection laws bring only positive benefits for businesses.
With transparency as one of the main requirements, we should rather see GDPR as an incredible opportunity to gain even more trust from our current and potential customers, and to show them that we have nothing to hide.
This might not be measurable right away, but it will definitely make a difference in the long run.
In this blog post we have taken the assistance of data protection lawyer Axel Tandberg to really dive deep into this issue and to give you a short, easy-to-understand summary of what it actually entails for Swedish businesses.
You will learn what GDPR actually is, how consent works, examples of what consent must look like, which other laws interact with GDPR, and what applies when your company handles and stores personal or customer data.
TABLE OF CONTENTS:
- INTRODUCTION TO GDPR
- WHAT IS GDPR?
- WHAT YOUR COMPANY MUST CONSIDER BEFORE GDPR
- WHAT IS PERSONAL DATA ACCORDING TO GDPR?
- PROCESSING OF PERSONAL DATA ACCORDING TO GDPR
- LEGAL BASIS IN GDPR
- WHAT IS CONSENT ACCORDING TO GDPR?
- CONSENT – EXAMPLES OF RIGHT AND WRONG
- EPR – EPRIVACY REGULATION
Introduction to GDPR
In 1989 Tim Berners-Lee started a project that would change the world in a way no one could predict…
A year later, on December 20, 1990, he published the world’s first web page on something called the World Wide Web.
And much has happened since:
Each day we send 205 million emails, upload over 350 million photos to Facebook, make over 3.5 million Google searches, pay our bills, share documents and buy things online…
But we rarely think about how much information we actually leave behind.
Information that could be linked to us as individuals, possibly sensitive information.
Today, the Data Protection Act decides how personal information is to be handled by companies, and these laws are based on an EU directive from 1998.
When those laws were implemented, only 3.6% of the world’s population had a connection to the internet. At that time, the prediction that personal information and data would be as valuable as it is today wasn’t so obvious…
On May 6, 2017, The Economist published an article stating that data — personal data — is the new oil, and that companies such as Facebook, Amazon, Netflix and Google thrive on it by adding more data on each individual and using it to increase their conversion.
Image from: David Parkins, The Economist
But have you ever taken a moment to ask yourself…
“What actually happens to all my personal information once I have given it away?”
That question was posed by the European Parliament, and the response was the need for a new data protection act under the name of GDPR – General Data Protection Regulation.
Every day hundreds of thousands of contracts are accepted where the most important information has been written only in capital letters, and where the text in the fine print is written in the smallest possible font size.
Researchers from Carnegie Mellon University in the US conducted a study on how long it would take the average American to read through all the privacy policies they accept in a year…
What they concluded was astounding… It would take approximately 76 workdays.
This is what is stated in Section 9 of Facebook’s Swedish Terms of Service, translated to English:
“You give us your permission to use your name, profile picture, content and information associated with commercial, sponsored or related content (such as a brand you like) that we deliver or enable. That you grant us your permission to pay by company or other entity displaying your name and/or profile image together with your content or information, without any compensation.”
And then we haven’t even mentioned that Facebook owns nine other apps and services with tens and hundreds of millions of users – and these apps have separate terms, conditions and data policies.
But, having said that, the world’s largest social network is one of the companies that probably has the best data policy.
You can read how to change your visibility when using the service, how they use your data, and how to delete yourself and your data.
Whether the policy is transparent enough can be discussed; we will leave that to the lawyers to decide. We will continue to use Facebook regardless, since we all just read the agreement, right?
How your business needs to adapt depends on how far you have come with the preparations and how well you have followed the DPA so far.
The truth is that when GDPR comes into force, you need to fully understand the new rights of individuals and how to comply with them.
What is GDPR?
GDPR is an abbreviation for General Data Protection Regulation, and it is a collective name for the new data protection laws that come into force across Europe on May 25, 2018.
In short, new regulations are introduced to protect individuals within the EU from having their personal information involuntarily sold, and to prevent privacy impairment.
Since the GDPR is a regulation, it enters into force immediately and becomes part of the national law of each EU country.
In Swedish, the GDPR is called “nya dataskyddsförordningen”, and when it enters into force it will replace PUL (the Data Protection Act), which since 1998 has regulated how organizations, associations and authorities may handle personal data.
But because of the shortcomings in PUL, companies have been able to hide behind unreadable agreements and hidden information and do basically what they want, as long as you have accepted “the agreement”.
Now this comes to an end.
On a side note, it’s only within the USA that the Privacy Shield agreement includes all companies.
In most other countries you need to have a separate agreement, such as the standard model clauses, with each separate company.
There are many reasons why GDPR is being introduced in the EU, but here are the three biggest:
a) Individuals want more control over how their personal data is used.
b) By giving all companies within the EU’s borders the same laws to adhere to, the aim is to create a better and safer business climate.
c) Preventing personal data from being bought and sold by companies, mainly outside the EU’s borders.
Just as Gustaf Wiklund writes in his opinion article on GDPR at IDG, the Data Inspectorate (the government entity in Sweden that makes sure these laws are enforced) is (unfortunately) alone in seeing the new regulation as something positive.
The 1998 data protection directive that the GDPR is based on already applied to all member states of the EU. The problem was that it was up to each country to interpret and implement the directive.
This resulted in a whirlwind of laws and regulations that made it difficult for companies to do business across different countries, and difficult for individuals to keep control of how their personal data was being used.
With the GDPR, the same legal text applies to all countries.
Companies must keep track of their databases and contact lists, there must be a documented legal basis for processing personal data, and individuals must consent to their personal data being processed (e.g. in a contact form or in a widget) for one or more purposes.
In other words, there is a great focus on transparency and personal data management, and for companies perhaps the most comprehensive task will be to document how personal data moves between different systems and for what purposes.
The truth is that if you compare GDPR with PUL, there are not really that many changes.
Some parts of PUL will be removed completely (the abuse rule, “missbruksregeln”), some rules will be upgraded (the rights of individuals, “rättigheter för privatpersoner”, as well as the requirements for order and good practice, in Swedish “kraven på ordning och reda”) and some parts will remain unchanged.
PUL also requires that consent be given to process personal data, but guidelines on how consent should be obtained, and documentation requirements, do not exist – that is something GDPR will take care of.
Something worth keeping in mind is that GDPR is not complete; many parts are still just proposals, and nothing is written in stone until May 25th.
There are about 50-100 different laws that need to be adapted in Sweden alone, and according to lawyer David Frydlinger a new data law will be required.
Because personal data and privacy are so incredibly important, we proceed to explain what personal data is under GDPR, and what applies when handling it.
Here are the most basic points your business needs to think about for GDPR:
- The new rights of individuals must be known, and you must be able to accommodate them. The right to be forgotten is one of the most important rights.
- Inform the people in your contact database about what rights they have, as well as how they can extract their information, correct it or delete it.
- Map and document where all personal data comes from and in which systems it is stored.
- Report any data breach or leak of personal data to the Data Inspectorate within 72 hours, and inform the affected individuals.
What your company must consider before GDPR
The most basic preparations your company can make before GDPR are to map your data and figure out how it moves between different systems (e-mail services, CRM, databases, etc.), establish security measures, create new routines for handling personal data, and document all processes.
Since all European individuals get extended rights, this is also something you have to accommodate.
You must, for example, be able to remove a person and all their data on request, according to the right to be forgotten.
Here are the rights that individuals get when GDPR comes into effect:
- The right to be informed – An individual has the right to be informed of what data gets collected and how it gets collected.
- The right to rectify – An individual has the right to correct or update previously faulty or inaccurate data.
- The right to be forgotten (deletion right) – An individual has under certain circumstances the right to be removed from a company’s entire database.
- The right to limit processing – Individuals have, under certain circumstances, the right to request that their data not be processed. The data may still exist in this case, but the processing must be limited.
- The right of data portability – An individual has the right to get all of his or her information extracted and be able to move it between different social networks, services and companies.
- Right to object – In some cases, an individual is entitled to object to the processing of his or her personal data by the entity responsible.
- Automated decision making – An individual has the right not to be subject to a decision made solely by automated decision making.
- Right to complain – If an individual deems that his or her personal information is not being used according to the consent given or to the data protection reform, he or she has the right to file a complaint with the Data Inspectorate.
- Damages – An individual who has been harmed by the processing of personal data other than in accordance with the GDPR may, under certain conditions, be entitled to damages by the company responsible.
- Right to access – An individual has the right to know how, and what their personal data are used for by requesting a registry extract.
- Bonus: Legal basis for data handling – There must be a legal basis and justification for why someone’s personal data are processed.
You also have an obligation to be clear and transparent when you formulate texts for consent and privacy agreements, and you are not allowed to hide information behind hard-to-understand legal terms.
GDPR gives you a reason to find out and keep track of where personal information is stored.
Handling customers who want to be “forgotten” in an easy way is simply positive – if it can be solved easily, the customers will be satisfied, and you will no longer have dissatisfied colleagues who are unaware of the internal processes.
What is a personal data according to GDPR?
According to GDPR, personal data is any type of information that could be used to identify a living human being, and also any combination of different data that, after closer analysis, could identify an individual.
The truth is that the difference between your e-mail address and your social security number is thinner than paper.
Just like your social security number is unique, so is your email address.
And since it’s only you that owns your e-mail address… it’s considered personal data.
With the high focus on privacy protection in GDPR, it’s really important that your company knows what is considered personal data and what isn’t.
Here are a few examples of information that counts as personal data:
- IP number
- Social security number
- Phone number
- Home address
- Customer number
- Political opinion
- Sexual orientation
- Religious belief
- Credit information
- Payment information
If you have many different types of data that on their own can’t identify anyone specifically, but combined with analysis will identify individuals, that too is considered personal data.
Data that is considered personal data with analysis:
- Hair color
- Eye color
- Zip code
- Annual income
- Purchase history
As you might understand already, there is almost no personal information that won’t count as personal data.
GDPR Checklist: This is what your company must think about when handling personal data
- Document what personal data you collect today and justify why you do.
- Find a way to abide by the new regulations (the right to be forgotten, for example).
- Clean up your database and delete old information that is no longer in use, active or valid.
Would you be able to do your marketing or sales activities without any personal data?
Almost all companies have a database that contains contact information for customers, prospects, leads or newsletter subscribers.
And if that database contains names, email addresses or phone numbers, that also means this information has at some point been processed.
How your company processes personal data is an important part of the new data protection regulation, and here we try to explain what applies 👇
Processing of personal data according to GDPR
Processing of personal data is, according to GDPR, almost everything you do with it, except sending out communication.
As soon as you store an IP address or send an e-mail address to your e-mail system, a processing of personal data has occurred.
If you have contact information in a CRM, an email system, an Excel spreadsheet or other types of lists or databases, it has at some point been processed.
Companies will be required to have someone responsible for overseeing the processing of personal data to make sure it is handled properly.
Today this person is called “personuppgiftsansvarig” (person responsible for personal data), but when GDPR enters into force this role will change name to “dataskyddsombud” (person responsible for data protection).
Processing of personal data is not about how you send out communication, but about where you store personal data and how it is handled, analyzed or used within the organization.
Here are a few examples of what counts as processing of personal data according to GDPR: 👇
- Sending an email address to one or more of your systems (for example Mailchimp, Pipedrive, APSIS, Carma, Salesforce, etc.)
- Automatically analyzing and adding additional data based on the information you already have (also called “populating”)
- Dividing personal data into groups or segments to restrict or allow certain communications
- Extracting an Excel spreadsheet to manually add a name, phone number or the like
- Analysis or combination of personal data
And for your company to be allowed to process personal data there must be a legal basis (remember: consent is one of the legal bases) that allows the processing.
Legal basis in GDPR
In Article 6 of the new Data Protection Regulation there are exactly six bases that make the processing of personal data legal, but to simplify, there are really just three things your company needs to think about to be able to collect new leads and email addresses in accordance with the new Data Protection Regulation.
Personal data processing is only legal if one of the following conditions is met:
- Consent – The registered individual has given consent to his or her personal data being processed for one or multiple purposes.
- Contracts – The processing is necessary to fulfill an agreement that the registered individual is party to, or to be able to fulfill certain agreed-upon terms before the registered individual accepts such an agreement.
- Legitimate interest – Personal data may be processed in certain other situations that the law dictates. If the processing is necessary and the person responsible for handling personal data deems that the processing does not violate personal integrity, then it’s allowed. It is, in other words, a judgement call for the person processing the personal data, and if the processing can in any way lead to a violation of the registered individual’s personal integrity, it can lead to heavy fines or other consequences for the company in question.
As you can see, consent is one of the legal pillars – and whether you need active consent or not is entirely dependent on the situation and the design of your offer.
As an example…
Here is an example of how SVT Play informs about their placement of cookies on your computer and the storing of your IP address. They then refer you to their privacy agreement, where they explain in detail how they process the personal data collected.
Even though an IP address counts as personal data under GDPR, the hard part is finding out who actually sat behind the computer. Therefore no separate consent is needed to track a visitor, as long as they don’t collect other personal data at the same time.
As you can see, the button only says “Jag förstår” (I understand), which implies that you don’t give away enough data to have your privacy violated.
If you don’t want your IP address to be tracked, you have the option to simply not use the service, or to turn off cookie tracking in your web browser.
As said, depending on what data is collected, what you need to document after GDPR enters into force differs a bit.
- Data minimization – Don’t collect more data than you will use.
- Purpose limitation – You are not allowed to use the data for anything else than what you explicitly say you are going to use it for.
- Storage minimization – Don’t store any data longer than what’s necessary to fulfill the end goal.
- Data Protection Officer – Appoint a “dataskyddsombud” (Data Protection Officer) responsible for processing and collection of personal data, to ensure that it follows the rules and regulations (in PUL this position is called “personuppgiftsombud” (data representative))
Consent is probably the one thing that has created the most buzz on the web and resulted in a lot of doomsday articles predicting the death of digital marketing…
This is of course as far from the truth as you could possibly get.
But then we are faced with the question…
What is “consent” according to GDPR?
Consent according to GDPR is an active and voluntary act by an individual who, after being informed of the consequences, agrees to having his or her personal data processed in order to receive marketing communication, or to otherwise having their personal data processed.
If you give consent, it works like a kind of “contract” between you and the company you submit your personal data to, which limits or allows different types of communication or personal data processing.
According to “Datainspektionen” (the Data Inspectorate) a consent must be the following:
When GDPR replaces PUL, the law will say that all companies must document all consent given, so it’s important to know what constitutes a valid consent and an invalid consent.
It’s also important that you can differentiate between consent according to GDPR and consent according to “Marknadsföringslagen” (the Marketing Act).
Both laws require their own consent, but for different reasons:
- “Marknadsföringslagen” (the Marketing Act) states that you need consent to communicate with prospects and leads.
- GDPR states that you need consent to process the personal data you collect.
But does this mean you have to collect two separate consents?
No, it doesn’t. Depending on the situation/context, you almost always need just one consent.
If you formulate your offer clearly enough, you can kill two birds with one stone and make do with one consent for both.
Below we have illustrated a few examples of consent forms, and we have thoroughly described how and why each is valid or not according to GDPR.
Don’t forget to document all consents! You can do this easily with Triggerbee Consent and get complete control over which contacts have given their consent to receive communication.
Consented communication through e-commerce
This image is supposed to illustrate a form on a checkout page in an e-commerce shop.
If you as a customer fill out your information to finalize a purchase, it is implicit that you first and foremost give the e-commerce owner permission to:
- Process your information for the purpose of finalizing the purchase and delivering the product to you.
- Send communication related to your purchase or the delivery of the product.
It is, on the other hand, not implicit that you give the e-commerce owner permission to send newsletters or other communication to you.
Since this example has a pre-ticked checkbox with the text “Jag vill även få nyhetsbrevet” (I also want to receive the newsletter), this is an invalid consent form.
Giving consent must always be active, voluntary and individual. That is not the case when the checkbox is already ticked.
Instead it should look like this:
In contrast to the previous example, you can clearly see that the checkbox “Jag vill även få nyhetsbrevet” (I also want to receive the newsletter) isn’t ticked.
By ticking the checkbox you are giving active consent to the e-commerce owner to send newsletters to you.
Many wonder what applies if they want to collect email addresses by giving away coupons, and what applies for continued communication after someone has submitted their email address.
Here is a pop-up that offers new customers a voucher for 20% off their first purchase.
To receive the voucher you must submit your name and email address.
Since the text only focuses on giving a voucher, nothing gives permission to send further communication.
If this was your e-commerce shop and your pop-up, you would only be allowed to give the voucher and nothing more.
For you to be allowed to send communication, it must look like this:
As you can see, this version has entirely different wording, and there is a checkbox that explains what the terms are.
Instead of just saying “Få 20% rabatt på ditt första köp” (Get 20% off your first purchase) it says:
“Prenumerera på nyhetsbrevet och få 20% rabatt på ditt första köp” (Subscribe to the newsletter and get 20% off your first purchase).
Consent for communication within B2B
In this example we give away an ebook about email marketing.
If a visitor submits their information, we have permission to process their information in order to send the ebook, but we don’t have permission to send newsletters or other communication.
If we want to be able to send any other communication, it must look like this:
We could change the heading to say “Prenumerera på vårt nyhetsbrev och få e-boken om Epostmarknadsföring” (Subscribe to our newsletter and get the ebook about email marketing), but that wouldn’t be perceived as an equally strong offer.
Consent for communication intended for publicists
Many publicists and online newspapers use “paywalls” or “locked content” to limit which articles different users are allowed to read.
Some want to send you to a payment form, and some just want the visitor to pay with their email address.
But if it looks like the example above, where you only need to submit your email to unlock the article, you are not allowed to send any digital communication to the person submitting the email address.
It then must look like this:
You could just as well change the content to be more descriptive, so that no separate consent would be needed if it’s only the newsletter you want to send out. Like this:
GDPR-certify your digital marketing with Triggerbee Consent
When do I need a checkbox for consent?
Whether you need a checkbox or not depends entirely on the situation and how the offer is formulated.
On a checkout page, for example, a newsletter isn’t really relevant to completing the order and delivering the product, so you need active consent to have permission to send newsletters or other digital communication.
The purpose and copy are important in this context, and the whole packaging actually determines whether you need a checkbox or not.
Since you also need to document every consent, this is something you need to review how it’s done.
GDPR Checklist – What does your company need to think about when it comes to consent:
- Document – Document all consent you collect! You can do this with a service like Triggerbee Consent.
- Voluntary – Make sure the consent happens voluntarily. That means no pre-ticked checkboxes!
- The right to be forgotten – Make sure you can remove all data about the individuals in your database.
- “Personuppgiftsansvarig” (Data Controller) – Appoint a “personuppgiftsansvarig” (data controller) who is responsible for ensuring that the data collection process and the processing of personal data follow the rules and regulations.
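To make the consent rules above concrete, here is an added example (not Triggerbee’s or Triggerbee Consent’s code) of a small consent ledger for the checkout-form case: it flags a pre-ticked checkbox as invalid, records per-purpose consent with the text shown and the time it was given, and supports withdrawal, registry extract and deletion. The purpose names, form field names and consent texts are assumptions chosen for the example.

```javascript
// Purposes a checkout form can grant. An "implied" purpose follows from the
// purchase itself; every other purpose needs an explicit, unticked-by-default
// checkbox that the person ticks. Texts are constructed for this example.
const PURPOSES = {
  purchase: {
    implied: true,
    text: "Behandling av dina uppgifter för att slutföra köpet och leverera varan",
  },
  newsletter: {
    implied: false,
    text: "Jag vill även få nyhetsbrevet",
  },
};

// Audit a single consent <input> tag (given as a string): a pre-ticked box is
// not an active, voluntary act and cannot produce a valid consent. This is a
// plain regex check for the example, not a full HTML parser.
function auditCheckboxHtml(inputTag) {
  const issues = [];
  if (!/type\s*=\s*["']?checkbox/i.test(inputTag)) {
    issues.push("not a checkbox");
  }
  if (/\schecked(\s|=|>|\/)/i.test(inputTag)) {
    issues.push("pre-ticked: consent must be an active act");
  }
  return issues;
}

// Turn a submitted checkout form into consent records. Browsers omit unchecked
// checkboxes from a submission, so an explicit purpose is granted only when its
// field is present with value "on"; implied purposes are granted by the purchase.
function buildConsentRecords(contactId, formData, givenAt) {
  const records = [];
  for (const [purpose, def] of Object.entries(PURPOSES)) {
    const granted = def.implied || formData[purpose] === "on";
    if (!granted) continue;
    records.push({
      contactId,
      purpose,
      consentText: def.text, // what the person saw and agreed to
      implied: def.implied,
      givenAt,               // when the consent was given
      withdrawnAt: null,
    });
  }
  return records;
}

// Ledger answering the questions the post raises: may we send this, who has
// consented to what, and can we withdraw or erase on request.
class ConsentLedger {
  constructor() {
    this.records = [];
  }

  add(records) {
    this.records.push(...records);
  }

  // Purpose limitation: communication is only allowed under a live consent for
  // exactly that purpose, never under a consent given for something else.
  hasConsent(contactId, purpose) {
    return this.records.some(
      (r) => r.contactId === contactId && r.purpose === purpose && r.withdrawnAt === null,
    );
  }

  // Withdrawal keeps the record (with a timestamp) so the history stays documented.
  withdraw(contactId, purpose, withdrawnAt) {
    for (const r of this.records) {
      if (r.contactId === contactId && r.purpose === purpose && r.withdrawnAt === null) {
        r.withdrawnAt = withdrawnAt;
      }
    }
  }

  // Registry extract / data portability: everything held about one contact.
  extract(contactId) {
    return this.records.filter((r) => r.contactId === contactId);
  }

  // Right to be forgotten: drop everything held about the contact.
  forget(contactId) {
    this.records = this.records.filter((r) => r.contactId !== contactId);
  }
}
```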
Triggerbee Consent is a solution that makes it easy for all companies to collect email addresses just like before and at the same time get total and complete documentation over how, when and what agreement they consented to!
EPR – ePrivacy Regulation
Something that has complicated and confused many is the second part of the new “dataskyddsförordningen” (data protection regulation), called EPR.
EPR stands for ePrivacy Regulation, and unlike GDPR, EPR regulates how companies are allowed to communicate with customers and subscribers.
Talks about EPR began as late as January 10, 2017, and the goal was that it should be finalized by May 25, just like GDPR, but since it had to be adapted to the new “dataskyddsförordningen” (Data Protection Regulation), the EU Parliament has not yet had the time.
This leads us to the big question…
How are we allowed to communicate in the future?
EPR will primarily affect the privacy of how we communicate, and that is not only regarding email or text messages…
It will cover social media and set higher demands on those managing any type of electronic communication – for example Skype, WhatsApp, Facebook Messenger, Snapchat and similar services.
You will find the Swedish translation of EPR on the EU’s own website, but keep in mind that most of it could change. It’s all just a proposal, and we can’t make any assumptions.
Here are the most important points that your company must take in consideration before EPR:
Content of the communication – Information like time stamps or geolocation in email, chat conversations, snapchat pictures and the like must be anonymized or be removed if the user hasn’t given consent or if it’s not related to payment.
Spam protection – Email and SMS spam will remain illegal, and depending on national laws, all individuals will either have automatic protection from spam, or there might be a “do not contact me”-list available.
GDPR and EPR are constructed to protect the integrity of individuals and to support the business climate within the European market 💪 (this also includes England, Norway, Luxembourg and Iceland).
GDPR and EPR are positive for all of us. They will contribute to a safer Europe, and in the long run also weed out companies that operate in illegal ways.
If your company collects email addresses and serves other businesses, then you must have your processes under control and do your homework – that is something we all must do.
Down below is all the reference material and sources used in creating this article, and if you have come this far we would just like to say thank you for sticking with us.
You are more than welcome to contact us if you would like to know more about how your company can GDPR-certify its digital marketing and how you can work with simple tools to collect and process personal data in the future.
We have developed Triggerbee Consent so that our customers can collect consent when they collect email addresses, and you can get assistance with it either by contacting us or by exploring on your own how it would benefit your company.