May 3, 2018

There’s a new buzzword (or should we call it “buzzacroymn”) around town - GDPR. GDPR stands for “General Data Protection Regulation”, and is the EU’s new data protection framework.

Coming into effect on the 25th May 2018, the framework is designed to not only harmonize data privacy laws across Europe, but strengthen an individual’s privacy rights by placing tighter limits around the processing of personal data, expanding the rights of the individual, and holding organizations accountable for data privacy and transparency with their consumers.

It’s been hailed as the most important change to data privacy regulations in the last 20 years, and everyone’s talking about it. So, should you be doing something about it? The answer is ‘yes’, and we’ll tell you why below.

1. GDPR in a Nutshell: what is it, and how does it affect you?
2. 8 basic steps on your journey to becoming GDPR compliant
3. What is Autopilot doing about GDPR?
4. How can you use Autopilot to help become GDPR compliant?

GDPR In A Nutshell: what is it, and how does it affect you?

Whilst GDPR is an EU protection framework, it doesn’t just apply to companies and entities in the EU that handle personal data as a part of their activities. It also applies to companies and entities outside of the EU who handle the personal data of EU data subjects (individuals residing in the European Union). So, if your business is based in the US, Australia or any other part of the world outside of the EU and you process personal data in connection with goods and services offered to or monitor the behaviors of individuals within the EU, the laws will apply to you. Disregard them, and you could be fined up to 4% of your global annual revenue.

But what exactly is personal data, and how do you know if you’re responsible for it?

Personal data is any piece of data that can lead to the identification of a living individual - whether that be directly (i.e. name, email, address etc.) or indirectly through the online and offline information you possess (i.e. location, customer ID, IP address etc.). Interestingly, this definition has also been expanded to include sensitive personal data such as genetic data and biometric data that can be traced back to an individual.

For the GDPR, there are two types of entities that handle personal data - Controllers and Processors. A controller is an individual or company that determines the purpose and means by which personal data is processed, and a processor is an individual or company that processes personal data on behalf of the controller. Data processors are often a third party or an entity external to the company. If you’re unsure which category you fall into, the European Commission has a great example of the two on their website:

“A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.”

Or, to put it even more simply, as an Autopilot customer you are defining the data that is captured from your contacts, and how it should be used to market to them. Autopilot provides you with a platform to store this data, and the tools in which to communicate. This makes you the data controller, and Autopilot the data processor.

So we’ve established that you’re a data controller, and that you collect personal data. But what does this actually mean for you and your business?

For a long time, marketers have operated under a guise of “consent = not opting out”. Under GDPR, this will no longer be the case. Now, individuals need to provide their consent to be marketed to with a “statement or clear affirmative action”. It must be “freely given, specific, informed and unambiguous” and obtained through a “closed-loop” or “double” opt-in process. A large part of this transaction involves being fully transparent, at the time of collection, about what personal data you’re collecting and how it’s going to be used. This means linking through to your privacy policy and outlining your obligations under GDPR, ensuring they’re clear and easy to understand. Most importantly, the data that you collect should be “adequate, relevant and limited to what is necessary in relation to the purpose for which it was collected”, and “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.

GDPR also grants individuals a number of additional rights that you need to be prepared to honor. These include:

• The right to be informed
• The right of access (for free, unless this is overly burdensome)
• The right to rectification
• The right to erasure (although this is not absolute, and only applies in certain circumstances)
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

To learn more about these individual requirements, we’d encourage you to check out the UK’s Information Commissioner’s Office (ICO) comprehensive Individual Rights write up here.

This seems like a lot, but there are some basic steps that you can take to ensure you’re on the right path to becoming GDPR compliant.

8 basic steps on your journey to becoming GDPR compliant

1. Identify the lawful basis that you have for processing personal data.
2. Put together a document outlining the data that you store, where it comes from, and who you share it with.
3. Ensure your data is clean and up-to-date.
4. Review your opt-in policy. Do you have consent to market to your contacts in the way that you do? Or do you need to reach out to your database and seek additional levels of approval? Are you linking to your privacy policy at the point of collection?
5. Review the rights that GDPR grants individuals, and ensure you’re setup to honor each and every one of them. Define processes that you can follow internally - what will you do if someone requests to see the data you have for them on file? How will you delete an individual’s record if they request that you do so? Do you specify how long you will retain data for?
6. Review your privacy policy and ensure it meets the new requirements under GDPR. Are you clearly outlining why you’re collecting an individual’s data, and under what lawful bases you have to collect it? Are you providing individuals with the avenue they need to contact someone on your team should they wish to ask a question, raise a concern or submit a complaint? Make sure it’s transparent, easy to read and quick to understand.
7. If you’re a processor of data, confirm with your CTO (or relevant technical security owner) that you have processes in place to investigate, and react to, a data breach.
8. Analyze your database. Do you market to children or store special information such as sexual preference or biometrics? If you do, then start thinking about age restrictions and whether you need to put in place an age verification system. Under GDPR, you may need a parent or guardian’s consent to process data for individuals under the age of 16.

This list is by no means exhaustive so we encourage you to do your research and make use of the following resources to find out more, plan appropriately and action accordingly:

• https://ico.org.uk - The ICO is the UK’s independent body set up to uphold information rights. We recommend taking a look at their compliance checklist and guide to preparing for GDPR (you’ll notice that we pulled a number of our recommendations from this list).
• https://www.eugdpr.org/ - an educational portal for all thing GDPR. Check out their resources page for a great list of relevant articles and videos.

You can also read the final version of the Regulation, released April 6th 2016.

What is Autopilot doing about GDPR?

Like you, we are committed to data privacy and, as a processor of personal data, are taking all necessary steps to become GDPR compliant. We have certified our commitment to the EU-US Privacy Shield principles (you can view our listing here), and have initiated and/or completed several projects focusing on the processing of our EU customers’ personal data. These projects include, but are not limited to:

• Undertaking a Data Protection Impact Assessment and GDPR readiness assessment.
• Creating a record of all personal data processing activities.
• Obtaining, documenting and maintaining a legal basis for each processing activity that we carry out.
• Reviewing and updating our processor and sub-processor agreements.
• Verifying the GDPR readiness of our 3rd party vendors and making sure they are compliant.
• Creating a procedure for notifying third parties when customer data needs to be deleted.
• Reducing our backup retainment timeframe to 29 days, in line with GDPR requirements.
• Creating policies and procedures to respond to data rights requests.
• Appointing a Data Protection Officer.
• Ensuring that all personally identifiable data is encrypted at rest and in flight.
• Enabling you to define how you handle cookies through Autopilot’s tracking script (more on this below).
• Updating our Proactive Headsup functionality so that you can include an opt-in checkbox and link to your privacy policy. This will apply to the Reply Back and Subscribe versions of Proactive Headsup.
• Requesting your consent in-app to comply with GDPR when using our services.
• Carrying out extensive penetration tests to highlight and resolve any vulnerabilities.
• Updating our privacy and security policy and procedures, which you can access below:
• Autopilot Terms and Conditions
• Autopilot Privacy Policy
• Autopilot Privacy Shield Notice
• Autopilot IT Security

We have also run a number of staff training programmes, and prepared customer DPAs which you can find in-app (under Settings > GDPR)  and sign electronically.

We will also continue to make updates over the coming months, to ensure we’re staying at the forefront of GDPR compliance. Upcoming projects include:

• Upgrading Autopilots “list handling” so that you can have double-opt in capability for all subscriptions and have Autopilot check this for you in journeys.
• Putting in place a Breach Notification Plan.
• Setting up comprehensive monitoring systems to track, limit and log all data access by Autopilot employees.
• Setting up comprehensive monitoring systems to monitor threads to data access.
• Scrubbing all log files of personally identifiable information.
• Setting up an intrusion detection system across our databases to monitor for malicious activity.

We will continue to update you as and when these projects have been completed. Please feel free to refer back to this article and be sure to look out for in-app messages and email communication.

Some important messages around tracking and consent:

Online cookie tracking & compliance

We now provide you with 2 different versions of our web and app tracking code – a version that can be used by customers who operate in the EU or handle EU data, and a version that can be used by customers who aren’t bound by GDPR. The latter is our standard tracking code, whilst the former version of the tracking code enables customers to either (a) handle cookie-tracking opt-in on their own, or (b) use Autopilot’s cookie-tracking opt-in popup. Depending on your selection, we either provide documentation on how to activate cookies if managing your own opt-in, or enable the Autopilot opt-in popup on your tracked pages. If your contacts opt-in to cookie tracking, we then run our tracking code. You can find a link to our web page tracking code advanced options support documentation here.

Proactive Headsup

You can now include a compulsory terms and conditions link in your Reply Back or Subscribe Proactive Headsup message. Simply click in to the ‘Advanced Options’ when configuring your message, and select this option to add a mandatory checkbox that includes a link to your terms and conditions or privacy policy.

Email & form tracking

Autopilot uses cookies to enable email and form tracking. If you’d like to continue to use these features and remain GDPR compliant, we recommend you update your Privacy Policy to include this collection and usage.

How can you use Autopilot to help become GDPR compliant?

There are a number of different ways that you can utilize Autopilot to become, and stay, compliant with GDPR. Here are a few of our favorites, but we’d also encourage you to reach out to our Support or Success teams if you’d like more information or help with setting anything up:

Asking for, and capturing, double opt-ins:

You can create a very simple Journey in Autopilot that captures first time opt-ins and sends an automatic email requesting confirmation that the contact wants to be subscribed to your database (a “double” opt-in). See below for the Journey setup, as well as a quick email that we put together using the ‘Personal Touch’ template in our Advanced Email Editor:

To capture the second opt-in and update your database accordingly, you will need (a) a “thank you for confirming / subscribing” landing page that you can direct contacts to when they confirm their opt in via your email Call To Action, and (b) a unique set of UTM parameters that you can append to the end of the confirmation URL, that qualify their acceptance in Autopilot.

If you haven’t used UTM parameters in the past, then we’d encourage you to check out this support document to learn more. Once you’ve added your UTM parameters and sent your Journey live, you will want to build a Smart Segment that listens for any contact landing on your “thank you” page with the UTM parameters in question, then use this Smart Segment to trigger a quick operational Journey that updates a custom “Double Opt-In” field to ‘true’. If you’d like, you can also add these contacts to a list, which can be used to start your marketing Journeys or refine your contact segmentation in future. Here’s a quick example of the Smart Segment setup and operational Journey (note that you can add this operational Journey to the same canvas as your double-opt in process, to keep everything together):

Enabling contacts to access their data:

As we mentioned earlier, one of the rights that GDPR grants for individuals, is the right to access their data from you at any time. Keeping track of these requests and actioning them can be a cumbersome task, so we’ve devised a quick and easy way for you to capture enquiries and respond to your contacts. It starts with a simple request form on your website (we recommend using Typeform, Instapage or Unbounce to power this piece of the Journey if you don’t yet have a preferred form or landing page builder), that can then be used as a trigger for a notification Journey:

There are then a few different ways that you can supply the required personal data to the requestor, but we’d recommend either:

1. Identifying the personal data points that you keep on file for contacts in Autopilot, and building an automated email that uses personalization variables to surface these data points to the end user; or
2. Exporting the list of contacts from Autopilot on a weekly basis and manually following up with each person, using the data from the exported .csv file.

If you opt for (1), you can also use fallback variables to let contacts know if you don’t contain a particular data point for them on file (i.e. “We don’t have this data on file for you”). Here’s a quick example, with the fallback variables highlighted in orange:

Allowing contacts to have their data deleted from your database:

In a very similar fashion to #2, you can also use the request form > list to manage deletion requests. Simply capture the deletion request form in Autopilot, add everyone to a list, and send a notification to your team whenever a new request comes through. You can then delete these contacts from Autopilot on an hourly, daily or weekly basis depending on your policy. See below for a quick GIF showing you how to delete a contact from a list (please note that when you delete a contact from Autopilot, you delete all of their data and historical activity, so be sure that you want to do this before proceeding):

If you’re looking for a less manual approach, and have access to technical resources, please also note that the Autopilot API has a “Delete Contact” method that can also be used to delete contacts from our database. You can read more about it in our API documentation.

Aaaaaaaaand breathe…

There’s no need to panic. If you’re committed to GDPR, then it’s important to accept that you’re in it for the long haul. Be smart about what you prioritize, be open and transparent with your customers, and ensure you have buy-in from company stakeholders to make the necessary changes.

Autopilot’s team of “Awesome People” is here to help and support you, so please reach out with any questions and we’ll gladly answer them for you.

Note - this post is in no way legal advice and it’s important to speak to a legal professional and seek advice before taking actions towards GDPR.