The GDPR (General Data Protection Regulation) comes into effect on 28th March, 2018 and applies to all people residing in countries of the European Union, and organisations (of any country) who store or process their personal data. The legislation can be read here.
As with most legislation of its kind, it cannot be fully complied with simply by using services, such as Enudge, which are compliant. Instead, compliance requires your organisation to implement certain processes around the collection, storage, and use of personal information.
Just in case you are wondering, the type of data stored about your contacts in Enudge is personal data by the definition of GDPR, and if your contacts are located in any country of the European Union, then you must comply with the GDPR or be liable for hefty fines.
Using Enudge for your SMS and email marketing will assist you to be GDPR compliant in the following ways:
A person must take specific action in order to express their consent for you to store and process their personal data - when you use an Enudge subscribe widget or the hosted subscription form, the subscriber has to click a button to 'Subscribe' i.e. their subscription is not the result of a hidden or pre-ticked box. (See definition 11).
Right of access to personal data held about the person - the subject of the data can see most of the data held about them in your Enudge account by clicking on the 'Update Your Preferences' link in the bottom of your emails. The remaining information (e.g. notes and categories to which the contact is attached) is available easily for you, so that you can provide this data upon request (see article 15). Enudge automatically includes your organisation's name and contact details at the bottom of each email, ensuring that it is easy for a person receiving emails from you to get in contact with you should they have any concerns.
You can also quickly and easily correct the personal data if required, as can the subject again by using the Update Preferences functionality.
Right for a person to have their data erased - this is a little more tricky within Enudge because actually, when you 'delete' a contact, their information isn't actually removed, instead the recorded is given a 'deleted' status. That allows you to bring that person (and all their information) back in the event that they decide to re-subscribe to your list, for example. If a person requests that their personal information is permanently and irrevocably deleted, we can promptly carry out such deletion for you or directly for the requesting person (see article 17). You can't charge for this activity, and we won't charge you either.
Whilst the type of data generally stored about your contacts in Enudge is of low impact to a person, security of stored personal data, security of the data stored about your contacts is paramount for Enudge (article 32). The Enudge codebase embodies all the standard security protocols and methods to reduce the likelihood of a data breach, and our hosting platform is highly secure. In the unlikely event that a data breach occurs, we will ensure communication with your data protection officer, and provision of all required information - please provide the details of your data protection officer upon registration.
Easy for a person to remove their consent to the storage and use of their data. Enudge makes it easy for your contacts to opt out via an unsubscribe link which is automatically included at the bottom of every email sent through Enudge. You can also include the automated unsubscribe link within the body of your email if you would like to make it more prominent (article 7).
Easy for a person to request that you cease profiling them e.g. for the purpose of segmenting your marketing to target a person based on their attributes. You may be using Enudge categories to do this, or select a group of contacts to receive an email or SMS message based on the combination of a variety of attributes you have stored about each person. The best way to do that in Enudge, upon request of the contact, would be to remove the person from all categories, and remove any profiling data that you have stored on their contact record e.g. year of birth (article 22).
As your data processor (as defined by the GDPR) we have a record of the information required in Article 30.
We strongly recommend that you read the GDPR yourself to ensure that you are compliant with the regulation, including:
Ensuring that you can prove that you have obtained consent from all the contacts on your list with regard to the storage and use of their personal data - and that consent must be explicit e.g. no pre-ticked consent boxes. Additional information about gaining consent pursuant to the GDPR. You may need to refresh the consent of people on your list.
Publishing a privacy policy which describes how a person's data is stored, what purpose the data is used for, how you might profile your contacts so as to target / segment your list, any 3rd parties that you may pass the data onto, and how long you will store it.
Appointing a data protection officer to oversee the compliance with GDPR throughout your organisation.
Recording all your activities in relation to your contact's data records as you move your data in and out of Enudge.
Planning your marketing and other operational processes that involve collecting, using or storing your customer's personal data, by thinking about those processes with a 'privacy-first' attitude.