GDPR goes into effect May 25th and as you might expect has some potentially serious ramifications for your outreach program.
As of now, there are many areas of the regulation which seem intentionally vague, and some which appear downright contradictory. Over the next few months things will become clearer as the regulation takes full effect.
In the meantime it is important to understand the aspects of the regulation that apply to your outreach teams as well as how it impacts your usage of third party programs such as BuzzStream.
Please note: any opinions in this article are based on our best interpretation of the GDPR regulation and are not legal opinions. You should definitely consult in whatever manner appropriate for your business on the best way to manage your outreach and relationships with contacts. Even the legal consultants have been getting some aspects of the regulation wrong, so take the time to read the legislation carefully and balance opinions with your particular situation.
How GDPR Affects Data Processing for Outreach
The important thing to remember is that the GDPR is primarily concerned with handling data ethically and according to the intended purpose.
Because the majority of the time consent will not be explicitly given on the part of your contacts (because you’ve found relevant bloggers through a Google search, for example), the relevant part of the GDPR legislation governing outreach is Article 6 (f) which states:
- Processing shall be lawful only if and to the extent that at least one of the following applies:
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The legitimate interests clause does bring about some debate, as it is one of the most frustratingly vague components of the legislation. However, a closer look at Recital 47 seems to clarify that as long as the outreach is legitimate and relevant, it is acceptable to collect information for that purpose.
Recital 47 states:
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
According to the ICO (the UK’s independent authority with the mission of upholding information rights), the at-a-glance summary of legitimate interests is as follows:
- Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
- It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
- If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
- Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
- There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
- The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
- You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
- Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
- You must include details of your legitimate interests in your privacy information.
As of now, it is important to discuss within your organization whether the types of outreach you are sending meet the criteria set forth in GDPR for European outreach targets. There is no one-size-fits-all approach.
Data Storage for Outreach
One of the other big questions around GDPR as it relates to outreach falls under the data storage criteria set forth in the regulation.
Again, there’s a lot of grey area surrounding the requirements around data storage. Effectively, you should keep data only so long as it is appropriate for you as an organization. Based on a fairly in-depth overview of the policy (also from ICO):
Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be based on individual business needs. A judgement must be made about:
- the current and future value of the information;
- the costs, risks and liabilities associated with retaining the information;
- the ease or difficulty of making sure it remains accurate and up to date.
Where personal data is held for more than one purpose, there is no need to delete the data while it is still needed for any of those purposes. However, personal data should not be kept indefinitely “just in case”, or if there is only a small possibility that it will be used.
If you know that a campaign will be a one-off where you will almost certainly not be reaching out to those contacts again and have completed all reporting on said campaign, it may be prudent to remove those contacts from your database after a period of time defined by your organization. Again, there is no firm regulation around “appropriate time periods” as of now, so you’ll need to determine the right time constraints around the storage of contact data for your organization.
Third Party Processors (Like BuzzStream) and Outreach Data
To really understand the relationship that third party processors (like us) have with your data, and whether it is legal to use such processors for your outreach and relationship management needs, you’ve got to understand a few different definitions of the actors involved:
Formal definition: The Data Subject is a living individual to whom personal data relates.
The data subject, quite simply, is the person or entity whose data you are processing. So, for example, if you are gathering info on a site author so you can reach out to them to ask for help promoting your content, that author is the data subject.
Formal definition: The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
In other words, the data controller is the entity that is using personal data for their benefit. Using the example above, if you are gathering information on a site author so you can reach out to them to promote your content, you are the data controller.
Formal definition: The Data Processor is any person (other than an employee of the Data Controller) who processes data on behalf of the Data Controller.
In this example, if you were using a third party tool to enrich, store or otherwise process the data you collect, that third party is the data processor.
So, if you collected information on an author so you could send them outreach, then uploaded that data to BuzzStream so you could manage your relationship from there, BuzzStream would be the data processor.
Formal definition: A Sub-Processor is a Data Processor that is in turn used by a Data Processor to assist in providing the services laid out in their service agreement.
Effectively, if a data processor uses their own data processors to enrich or store data in any capacity, then they are considered sub-processors from the perspective of the data controller.
For example, if one of your third party data processors uses an in-app messaging tool to communicate with you, and that tool handles your personal information, the in-app communication tool is considered a sub-processor.
The key factors that come into play when using a data processor are as follows:
- You are always liable for the data your data processor stores or processes, unless the processor violates their data policy.
- You must ensure that your data processor agrees to uphold all the same rights and restrictions on data that your business does in order to maintain compliance.
- If your data processor uses sub-processors, those sub-processors must also be in compliance, and your data processor must let you know about those sub-processors in an updated list so you can review them for compliance as you see fit.
What this means for you is that you must be comfortable with the manner your third party tools process your data and have some sort of agreement in place. Most commonly that agreement will come in the form of a Data Processing Addendum (DPA).
A signed DPA stipulating all of the ways a business will handle, secure, and process data, as well as who they in turn use to store and process data, is probably the most ironclad way of ensuring compliance.
Transferring Data Out of the EU
Another piece of the puzzle as it relates to GDPR is data transfer.
Effectively, you can only legally transfer data out of the EU to an approved country. According to the European Commission site (as of the time of this writing):
“The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the U.S. (limited to the Privacy Shield framework) as providing adequate protection. Adequacy talks are ongoing with Japan and South Korea.”
It’s worth talking about Privacy Shield for a second, because it’s really important to note that the U.S. as a whole is not an approved destination for data transferred out of the EU.
In order to receive such transfers, companies must become certified through Privacy Shield by going through a comprehensive process which, once completed, brings their handling of transferred data into line with the GDPR. Put simply, if a U.S. company hasn’t been certified through Privacy Shield, you can’t legally use them to process or store EU data. You can view a list of all approved organizations on the Privacy Shield List.
BuzzStream Compliance with GDPR
As of this writing, BuzzStream has taken the necessary steps to operate under GDPR. Please keep in mind that there is no GDPR certification like there is for Privacy Shield, so until such a certification exists we will continue to review our practices and take steps to ensure we are operating in adherence with the new regulation.
Here’s what we’ve done so far:
- Certified compliance with Privacy Shield (yup, we’re on the list!)
- Added a web-based and signed DPA option for our customers. If you’re a customer and need access, just email us at firstname.lastname@example.org
BuzzStream Tools to Assist Customers with GDPR Compliance
BuzzStream offers a number of tools to help you maintain compliance with GDPR regulation.
Amending, Deleting, or Sharing Data
First, you will always have full control over contact data.
You can amend or delete data directly within the BuzzStream app.
If a contact lawfully requests access to their data, you can export data directly to share with them.
BuzzStream allows you to add an unsubscribe option to any of the emails you send. Although it may not be necessary in all outreach contexts, it is highly recommended that you provide this option as an alternative to being reported for unsolicited outreach.
BuzzStream gives you complete control over the types of outreach data you track. You can easily turn open and click tracking on or off from anywhere you send outreach.
Ongoing GDPR Updates
As mentioned above, there’s going to be a lot that shakes out over the near future as the regulation goes into full effect. We’ve added a document covering GDPR in more detail in our knowledge base. We will be updating that document regularly as elements of the regulation become further clarified, so feel free to check there for the latest information.