The European Union’s new privacy law, The General Data Protection Regulation (GDPR), made its appearance on May 25th, 2018.

This has left many Cyberimpact users asking questions, more specifically the users who send emails to European contacts.

At Cyberimpact, we agree that those questions are completely warranted, but rest assured, considering our expertise with CASL (Canada’s Anti Spam Law), we feel confident that we’ll also manage to decipher the GDPR for you; we are not legal experts, but we think we can still help our users better understand what this law is all about.  Let’s begin with a few simple explanations and recommendations that will, without a doubt, help you comply with this new law.

FIRSTLY: Does this apply to you?

Your head office is located in Canada, you communicate exclusively with Canadian and North-American contacts, the GDPR does not apply to you. In your case, only Canada’s Anti Spam Law (CASL) applies. Consult our very thorough CASL guide if needed.

However, no matter where in the world your company is located, if you collect personal data from European citizens (for example, the subscription form on your website) and/or, send them commercial emails, the GDPR applies to you and it is your duty to comply. In addition, if you own or operate a subsidiary or if your company employs individuals on European soil, keep reading…

DEFINITION: What does “personal data” mean for the GDPR?

The GDPR regulates the collection and use of personal data by companies and organizations. By personal data, they mean anything that can identify the identity of an individual. For example: someone’s name, phone number, or email address.

Is Cyberimpact GDPR compliant?

It’s only normal that this question is more frequently asked as of late. The answer is yes, but there’s more to it. Let me explain…

The simple act of using Cyberimpact for your email marketing needs does not guarantee GDPR compliance. It’s a little more complex than that. As it stands, Cyberimpact does have the tools necessary to help you comply with the GDPR, if you have European subscribers or visitors; but it’s the way you use it that will dictate whether or not you are being compliant, and not the tool itself.

How do you do this? Simply follow the recommendations below to take a step (or several) in the right direction!

Recommendations for GDPR compliance

1. SEGMENT LISTS

If you can segment your European contacts into distinct groups, do it. It will be easier to send them specialized emails (if necessary) and find them if you need to manage contact profiles and make adjustments. Cyberimpact allows you to sort your contacts according to specific criteria during the creation and organization of dynamique groups. Soon, you will also have the option to filter your searches based on your contacts’ country of origin.

2. HAVE PROOF ON FILE

The GDPR requires a record of written documentation and overview of procedures by which personal data are processed. It must include data categories, the group of people it concerns, the purpose of the processing, and the data receivers. This record must be completely provided to authorities upon request.

It’s important to note that companies or organizations with fewer than 250 employees are exempt from keeping a record of this documentation if the processing undertaken does not pose a risk to the rights and freedoms of those concerned, if no processing of sensitive personal data is done, or if the processing is done only occasionally. The good news is that when using a tool like Cyberimpact, the required information about your relationship and your activities with your contacts will be saved automatically. Just make sure to fill out all the fields available to you to ensure that your record is complete and up to date.

One crucial piece of advice — only add the European contacts in Cyberimpact from whom you have received express consent, and only if you have the proof of consent on file. You can note the proof in the field “proof of consent” in the contact profile.

The rule stipulates that the person needs to give a clear express consent before a company can save and use an individual’s personal information. Adding a contact to your email list and sending him or her an email constitutes using their personal data. So make sure to save the proof of consent. Cyberimpact allows you to save electronic proof accepted by numerous laws as soon as click to accept sending emails with the double opt-in. Use the consent blocks available to you for subscription forms and emails. We do have a consent block made specifically for the GDPR that you can simply add to your emails.

On the continent where the European union reigns, there are a few exceptions to the rule that a company must obtain consent before it can start sending promotional emails:

  • The promotional email is sent from your professional email address and its contents are in direct correlation with your profession;
  • The message comes from a company from which a person is already a client of and concerns products similar to the products already purchased by the client;
  • The message comes from a charitable organization.

In these three cases, the organization or company must let you know in advance of the use of the email address and must give a clear and easy way to oppose. An unsubscribe link must always be present and functioning in all emails. Cyberimpact includes this automatically to every email you send.

In Canada, with CASL, we got into the habit of sending commercial emails to people we have a business relationship with, which means we have an implied consent, without actually having an express consent.

3. ADVISE YOUR CONTACTS

If you have subscription forms on your website or other, make sure to clarify the reason for which you are collecting this information and what you plan to do with it. A phrase like “Sign up here to receive our newsletter & promotions by email” — in the spirit of being crystal clear. Of course, you should never use the collected data for other purposes. You can use examples from  the National Commission on Informatics and Liberty website.

In case of data violation, you should signal it to the GDPR authorities within 72 hours. If there is a risk that privacy and rights of the individual concerned may have been violated, they should also be made aware.

4. ADOPT THE DOUBLE OPT-IN

Use the double opt-in option with all your subscription forms. It’s good practice to do so!

5. LESS IS MORE

Minimize the amount of personal information requested on your subscription forms. Also, the personal information that doesn’t serve a purpose won’t be saved, reducing the concerns of your contacts in regards to your email list and the usage of their personal data for commercial use. For the GDPR, keep in mind that in order to carry on with your communications efforts all you need are the email address, the geolocation of the IP address, and the proof of consent.

6. BE TRANSPARENT

Let your contacts know that they can access the information you hold about them and that it can be modified at any time. Those two elements are crucial points for the GDPR. Name a DPO (Data Privacy Officer), and ensure that this person will be responsible for your contacts’ data at all times. For the time being, it’s not possible with Cyberimpact to let your contacts verify and modify their own profile. However, it is possible to write in your email footer that they can request for you to do this, by simply sending you an email with the request. It’s that simple!

Add a block to your emails in which you mention “to receive a copy of your personal data or to request a modification, respond to this email”. Also, you will receive these replies to your return email address selected in the application, then you will be able to make the modification or delete the contact, as per their request. You can save this personalized block and use it in your next emails.

Please note that we are currently working on adding a functionality, that will remove the step of doing this manually. This will be available to all of our users soon.

7. DELETE

From your Cyberimpact account, you can delete European contacts that have requested to be deleted. It’s important to do this right away to avoid any complications.

When deleting a contact, all the information held in his or her profile will automatically be deleted. Note that the email address will stay visible in the previous email statistics, however, you will not be able to use the email address or access the client profile.

8. UPDATE

If you have a website, make sure to update your privacy policy or create one (if you don’t have one, this website is an excellent ressource). Make sure to have a link towards this policy on the homepage footer of your website, so it’s easily accessible.

Great news for Canadian businesses and organizations!

GDPR only accepts that the personal data of European citizens be transmitted and hosted in certain countries that they consider to have an adequate level of protection. Thankfully, Canada is on that list! All Cyberimpact servers are located in Canada, so you can rest assured on this front.

Cyberimpact remains the best specialized tool for Canadian SMBs

You may have already deducted from reading this blog post, that using Cyberimpact makes it possible for you to do email marketing in compliance with the GDPR. With Cyberimpact you will have access to functionalities that will help you take the proper steps to become compliant. We are currently working towards adding new features to the tool that will help you even further.

In conclusion, Cyberimpact remains the email marketing platform of choice for CASL compliance. If the majority of your communication activities are within North America, more specifically in Canada, Cyberimpact is the best solutions to address your needs.

If you still have questions about the General Data Protection Regulation (GDPR), or about using Cyberimpact, do not hesitate to contact us, it will be our pleasure to help!

You’re not using Cyberimpact to send your promotional emails? Try it out for free!