(Fourth in a series of articles from Arke on the practical application of the GDPR to clients who use marketing technology platforms. You can read the introduction to the GDPR in part one. Part two is on Consent and Data Governance. Part three covers Data Security & International Transfers.)
The EU’s General Data Protection Regulation (GDPR) requires marketers to give people more control of their personal data — a change designed to strengthen citizens’ rights and build trust.
Notably, the GDPR requires marketers to thoughtfully consider the length of time they retain the personally identifiable information (PII) they collect. Marketers must disclose how long the data will be retained in their GDPR consent policy.
GDPR Data Retention
Marketers can set their own retention policies based on the needs of their organization. However, once a policy is adopted, it must be strictly followed. If the policy states that personal data will be retained for six months unless the data subject becomes a customer, then be prepared to delete such data.
Companies typically receive personal data from web forms. But the GDPR requires marketers to verify the data they receive to ensure consent was given freely and specifically.
In the post-GDPR era, practical marketers will disregard all submitted data until the person who submitted it verifies it.
Double Opt-In Process
This is called a double opt-in process. It involves sending an email in response to the information you receive and requires the recipient to take an action validating their intent. Typically, that action is clicking a link in the email.
The goal is to clearly verify the person’s intent to provide information.
This is important because anyone can fill out a form on a website. However, if the individual does not complete the double opt-in, then we must assume the subject data was provided without consent.
After a reasonable amount of time — but definitely within the stated retention period — you must delete this subject data.
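The double opt-in flow described above, as an added example that is not Arke's code: the confirmation link carries an HMAC token tied to the pending record, a valid click promotes the record, and anything still unconfirmed after the window is purged. The seven-day window, the `SERVER_KEY` secret, the in-memory dictionaries and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret, never sent to the client
CONFIRM_WINDOW = 7 * 24 * 3600         # assumption: 7 days to click the link, in seconds

def issue_token(guid, submitted_at):
    """Token for the confirmation link; binds the record's GUID to its submit time."""
    mac = hmac.new(SERVER_KEY, f"{guid}|{submitted_at}".encode(), hashlib.sha256)
    return f"{guid}.{mac.hexdigest()}"

def confirm(pending, verified, token, now):
    """Promote a pending submission to verified if the token is genuine and in time."""
    guid, _, _ = token.partition(".")
    record = pending.get(guid)
    if record is None or now - record["submitted_at"] > CONFIRM_WINDOW:
        return False
    expected = issue_token(guid, record["submitted_at"])
    # Constant-time comparison so the check does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    verified[guid] = pending.pop(guid)
    return True

def purge_unconfirmed(pending, now):
    """Delete submissions never confirmed within the window; returns the purged GUIDs."""
    stale = [g for g, r in pending.items() if now - r["submitted_at"] > CONFIRM_WINDOW]
    for g in stale:
        del pending[g]
    return stale

def demo():
    # Constructed submissions; times are seconds since an arbitrary start.
    pending = {"g-1": {"email": "ann@example.com", "submitted_at": 0},
               "g-2": {"email": "bob@example.com", "submitted_at": 0}}
    verified = {}
    ok = confirm(pending, verified, issue_token("g-1", 0), now=3600)
    forged = confirm(pending, verified, "g-2." + "0" * 64, now=3600)
    purged = purge_unconfirmed(pending, now=CONFIRM_WINDOW + 1)
    return ok, forged, purged, sorted(verified)
```

Unconfirmed data is never treated as usable: it sits in `pending` only until the window closes, then `purge_unconfirmed` removes it.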
Right to Be Forgotten
The GDPR provides individuals “the right to be forgotten”; that is, to have personal data erased. Having their data erased should be as easy for them as providing it was.
If someone can simply provide their information by completing a form on your website, then you should provide an equally simple way for someone to exercise their right to be forgotten.
Individuals can make a request for erasure verbally or in writing. Organizations have one month to respond to such requests.
It’s good practice to follow the same process for data erasure as for data retention. Use an email verification to confirm right-to-be-forgotten requests. Once verified, delete the data from your systems.
GDPR Data Deletion
How would you respond if someone asks to have personal data deleted? Do you know where to find it?
Whether because of an erasure request or the expiration of the retention period, marketers should have a clear understanding of where and how data is stored. Your system map is therefore very useful.
The data map identifies all areas in your marketing systems where PII could exist. These locations might include a website database, customer relationship management database, marketing automation lists, database backup files, log files, and data caches.
Be sure your deletion processes account for all the possible locations of the data. In some cases, your systems might need to keep the existence of a record, for example, for data analytics. However, you must ensure that you delete any PII from these records. This is referred to as anonymizing the record.
Also, in all databases where you store subject data, maintain timestamps of when the record was created and when the record expires according to your data retention policy. If your system is GDPR-ready, like Sitecore 9, then these timestamps already exist.
But if your system isn’t GDPR-ready, then work with your development team to add timestamp fields so you can manage data retention properly. With timestamps in place, your system should be set up with a process that scans all your databases and deletes expired data.
Don’t Forget Database Backups
When you’re deleting PII, be sure to consider your database backups. This can be tricky. While it is easy to delete subject data from live databases, your database backups may extend back a month or more. These are the archives you use for restoration after a catastrophic system failure.
It’s not practical to delete the PII from all the database backups — and in many cases, technically not possible. So how can you ensure GDPR compliance?
Our recommendation is to maintain a journal of all right to be forgotten requests. Of course, once you delete PII, you cannot keep it. So your journal cannot even use an email address as a subject’s data key.
Therefore, your system must use a surrogate key, such as a globally unique identifier (GUID) to identify each subject. Keep a record of the GUIDs affected by erasure requests. Then, if you must restore a database backup, you can cross-reference the GUIDs on your list and delete them. And finally, whenever restoring a database, you must run it through the data retention process to delete any expired records.
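The restore procedure described above, combined with the timestamp-based retention scan, as an added example that is not Arke's code. The table layout, function names and the choice to keep the journal in a separate store (so that a restore cannot roll it back) are assumptions; the GUIDs and dates are constructed.

```python
import sqlite3

SCHEMA = """CREATE TABLE subjects (
    guid TEXT PRIMARY KEY, email TEXT, name TEXT,
    created_at TEXT NOT NULL, expires_at TEXT NOT NULL)"""

def open_journal():
    # Kept in a separate store from the marketing database (assumption), so a
    # restore does not roll the journal back. Holds GUIDs only, no PII.
    j = sqlite3.connect(":memory:")
    j.execute("CREATE TABLE erasures (guid TEXT PRIMARY KEY, erased_at TEXT NOT NULL)")
    return j

def erase_subject(db, journal, guid, now):
    """Handle a verified erasure request: journal the GUID, then delete the PII."""
    journal.execute("INSERT OR IGNORE INTO erasures VALUES (?, ?)", (guid, now))
    journal.commit()
    db.execute("DELETE FROM subjects WHERE guid = ?", (guid,))
    db.commit()

def reconcile_after_restore(db, journal, now):
    """Run on every restored backup before it goes live.
    Returns (rows re-erased from the journal, rows purged as expired)."""
    guids = [(g,) for (g,) in journal.execute("SELECT guid FROM erasures")]
    re_erased = sum(db.execute("DELETE FROM subjects WHERE guid = ?", g).rowcount
                    for g in guids)
    # ISO 8601 date strings compare correctly as text.
    expired = db.execute("DELETE FROM subjects WHERE expires_at <= ?", (now,)).rowcount
    db.commit()
    return re_erased, expired

def demo():
    # Constructed sample data: the backup is taken before the erasure request.
    live, journal = sqlite3.connect(":memory:"), open_journal()
    live.execute(SCHEMA)
    live.executemany("INSERT INTO subjects VALUES (?,?,?,?,?)", [
        ("6f1c-aaaa", "ann@example.com", "Ann", "2018-01-10", "2018-07-10"),
        ("6f1c-bbbb", "bob@example.com", "Bob", "2018-03-01", "2018-09-01"),
        ("6f1c-cccc", "cat@example.com", "Cat", "2018-05-20", "2018-11-20")])
    live.commit()
    backup = sqlite3.connect(":memory:")
    live.backup(backup)                      # snapshot still contains Bob's PII
    erase_subject(live, journal, "6f1c-bbbb", "2018-06-01")
    counts = reconcile_after_restore(backup, journal, "2018-08-01")
    left = [g for (g,) in backup.execute("SELECT guid FROM subjects ORDER BY guid")]
    return counts, left
```

In the demo, the restored snapshot loses Bob's row through the journal and Ann's row through the retention scan, leaving only the record that is neither erased nor expired.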
GDPR Data Access Requests
Under the GDPR, people have the right to access their personal data and supplementary information. This includes their PII, consents, emails, order history, and any other relevant data you consider part of their “account.” Again, your system map, as shown above, is very helpful in locating the relevant data.
Organizations should respond to Data Access Requests within 30 days to avoid penalties. Therefore, it’s advisable to automate the process entirely.
Generally speaking, you must provide a copy of the information requested by these Data Access Requests without charge. However, you can charge a ‘reasonable fee’ for “manifestly unfounded or excessive” requests, as well as duplicate requests of the same information.
Like erasure, the data access request should be an easy process. Just be sure to validate all data access requests before releasing any data.
It’s not advisable to email a person a copy of their data, since you can’t control it once it is sent. Instead, create a ZIP file containing a copy of the data, store it at a secure URL, and provide the individual with the URL and password. This way, the data can only be accessed through the provided URL together with the password.
Marketing Technology Supports the GDPR
Your marketing technology is the key to GDPR compliance. Start with a strong core marketing stack, including a content management system, marketing automation platform, and customer relationship management software.
Once your system is aligned and working seamlessly together, you can enable select features to ease GDPR compliance. For example, you can add a Preference Center within your marketing automation environment to make it easy for users to change their communication preferences.
It gives your prospects and customers options about the information and content they receive. In addition, it gives them the ability to unsubscribe at any time.
It also gives you the opportunity to re-engage with people, potentially persuading them to change their mind about unsubscribing. For example, a publisher with multiple content sections could offer an alternative to a person who is no longer interested in one newsletter.
The preference center also gives people the ability to control the frequency of communication. Fewer emails, for example, can sometimes prevent a person from walking away completely.
Remember, the GDPR puts the emphasis on people: It aims to make it easier for them to control both their personal data and the way organizations use it. By offering them options, you are mirroring the spirit of the regulation.
For More Information
- How to Cope With GDPR: New EU Data Law Promises Big Changes for Marketers
- Consent and Data Governance
- Data Security & International Transfers
- Data Retention, Erasure, Access Requests, Preference Management
- The GDPR Is Here: Is Your Site Still Accessible in the EU?
Arke is providing these articles for informational purposes only. They are not intended to provide, and should not be relied on, for legal advice. Do you want to learn more about GDPR compliance? Email Eric Stoll for more information.