A shared responsibility to comply
Under the General Data Protection Regulation (GDPR), the responsibility to comply lies with both the data controller (your organisation) and data processor (a software / solutions provider), therefore you must ensure your comms practices stand up to the requirements.
Reconfirming citizens’ consent to receive information
In terms of your delivery of subscription-based digital communications (email / SMS for example), preparing for the GDPR presents a prime opportunity for you to engage the public, build citizens’ trust, and check you’re providing what they want and need. Now is an excellent time to reengage citizens subscribed to your digital updates and deepen your connection with them.
It’s important you check you have the appropriate consents from subscribers now, to help avoid a scramble to comply with the stricter consent rules that will apply come 25 May 2018 under the GDPR. This definitely doesn’t mean culling much of your mailing list, instead, if there’s any ambiguity about the source of subscribers and their consent to receive information from you, contact them now and ask them to reconfirm what they want from you. This type of outreach is also a brilliant opportunity to cross-promote other updates, services, and points of contact they may not be aware of.
Check your data processor will also help you be compliant
For example, many local and central government teams in the UK are using the GovDelivery Communications Cloud by Granicus (a “data processor”) to manage their digital communications. Granicus customers benefit from a number of important templated processes that have been designed to conform to data protection and subscription management best practices, meaning many of the GDPR requirements are already embedded in Granicus customers’ everyday practices. These organisations are already well on the way to full compliance. However not all digital marketing providers offer these robust processes, so do check with your suppliers on what they’re doing to prepare for compliance and whether you as the “data controller” need to put extra measures in place. For more on how Granicus is preparing for the GDPR visit their website.
What must you do now to get ready for the GDPR?
1) Review and update your privacy policies
GDPR includes a longer and more detailed list of information that must be provided in a privacy notice than the current data protection directive does. Please see the Information Commissioner’s Office’s guidance on privacy policies here. In summary, individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
- Contact details for the data controller (your organisation)
- Purpose of the data: This should be as specific (“purpose limitation”) and minimised (“data minimisation”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
- Retention period: This should be as short as possible (“storage limitation”).
- Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements below), or the processing is in the organisation’s “legitimate interest”.
2) Check you have consent from all subscribers
Under GDPR, you need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis. It must also be as easy to withdraw consent (unsubscribe) as it is to give it (subscribe).
When subscribers select from topic-based specific options, for example they opt to receive your “Local Events” update, or “Tax Deadlines” update, you can be sure your mailing lists are accurate and only comprise people who have explicitly given their consent to receive your comms, thanks to the granularity of the opt-in process through solutions such as the GovDelivery Communications Cloud. You’ll also find a time-stamp detailing how and when someone came to subscribe to your services - this is proof of their consent.
Providing you have followed best practices for all subscriber acquisition methods and you haven’t extended the use of their email address beyond the original purpose permitted, you should already have full consent from all your subscribers to send them information according to their subscriber preferences.
For example, if you’ve uploaded subscribers to a topic mailing lists from other databases, you should keep a proof of their original consent to receive that comms on that topic. That proof could be housed outside of your digital subscription platform in paper form, showing where a resident has ticked a box to receive news on “Local Events”. Do keep it on record in case you ever need to show a regulator.
If you are unsure of the source of some subscribers or do not have an audit trail of their original consent to receive certain comms, send them a re-engagement email (or campaign series) to reconfirm their choices before May 2018. If your organisation uses the GovDelivery Communications Cloud, Granicus is offering extra support to customers wanting to deliver a focused reengagement campaign - get in touch with Granicus if you’re interested in their support.
Consent must be specific to distinct purposes:
- Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use and management of their personal data.
- Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
For more guidance on preparing for the GDPR, keep an eye on the Information Commissioner’s Office’s updates.