GDPR (General Data Protection Regulation) is an EU regulation that significantly improves the personal data protection of EU citizens and increases the obligations of organizations that collect or process personal data. The regulation builds on many of the privacy and data security requirements of the 1995 directive but includes new provisions to strengthen the rights of data subjects and add tougher penalties for breaches. The regulation went into effect on May 25, 2018.
Years after the General Data Protection Regulation (GDPR) came into effect in 2018, many businesses are still grappling with the regulatory challenges and risks associated with implementing and maintaining data privacy processes. ZINFI and the ZINFI Unified Partner Management (UPM) platform support GDPR compliance with configurable data management solutions.
Overview
Data Control
The foundation of this GDPR element is the principle that, ultimately, individuals are the owners of their own personal data. This means that whether an organization is selling through the channel or is a channel partner of that organization, it has no intrinsic right to the personal data it possesses. The data owner may provide temporary consent to a vendor or its partner to use that data for the purpose of providing services, but no marketing or sales contact can be made without explicit written (digitally accepted) authorization for such contacts. The law specifically says that each instance of consent by the data owner must be explicit, and cannot be bundled with terms and conditions or with any other agreements. If no such explicit authorization exists, then use of the data is non-compliant. If an organization or reseller reaches out to a prospect for sales and marketing activities without explicit authorization, this may constitute a violation. This could have a profound impact on channel marketing, because in most cases channel partners use email or event marketing as the primary way of sharing information with their existing customers or potential new prospects. If they require the explicit authorization of the target recipients in every instance, most of these marketing vehicles will be of little use. So, while the world of buying and selling has moved to a digital platform, it is possible that one of the most common and easiest means of reaching end prospects has now become one of the hardest (from a legal perspective).
Data Security
GDPR also covers in explicit terms how data needs to be secured and protected, including various mechanisms for disaster recovery that are designed to properly store end-user contact data. As per Wikipedia, “[u]nder the GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. There is a maximum of 72 hours after becoming aware of the data breach to make the report (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33)…. However, the notice to data subjects is not required if the data controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption (Article 34).” This creates the second major challenge, because in many cases, while channel partners may have consent from their customers and prospects, they may not have the right level of technology to comply with data security policies.
Data Privacy
Among the primary updates imposed by the GDPR are new rules related to “Privacy by Design” and “Privacy by Default.” Significantly, data privacy assessments need to be conducted during the design stages of all channel marketing processes, and the lifecycle of the relevant data process will need to be taken into account. The primary obligation is that the data controller/processor must take appropriate measures in order to protect personal data from unlawful processing. Privacy by Design provides the recognition of this right and how it is to be enforced. With the GDPR Privacy by Design requirements, channel marketing businesses need to design policies, procedures and systems that comply with the GDPR from the inception of a product’s or process’s development. When designing these, businesses are supposed to consider factors regarding the processing of personal data, including the ease of collection, how the data can be suppressed (for example, if a customer chooses not to receive direct marketing) and how portable the data is. Privacy by Design lays the groundwork for the Privacy by Default obligation. Under the latter obligation, data controllers must implement appropriate measures at both the technical and organizational levels to ensure that personal data collected is used only for the specific purpose stated. Channel marketers must implement a privacy impact assessment template which can be completed for each new system that comes into being.
Summary of Regulations
The GDPR regulates the “processing” of data extending to collection, storage, transfer or use. The processing of the personal data of EU individuals by organizations is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Data can be processed only if there is at least one lawful basis to do so. The lawful bases for processing data are:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Privacy Law Updates and Non-Compliance
The key updates related to Privacy Law can be summarized as follows: expanded data privacy rights for EU individuals, data breach notification, added security requirements for organizations, customer profiling and monitoring. The financial penalties for failing to comply with the GDPR are clearly defined: for each instance of noncompliance, the organization could face a fine of up to 20 million euros or 4 percent of worldwide annual turnover (revenue), whichever is higher.
Five Rings of GDPR
- Rights of EU Data Subjects – Enhanced rights for data subjects in the EU include access, rectification, erasure and portability within one month of a request. Data subjects are provided with the controller’s identity and contact details, the purposes and legal basis of the processing, the categories of data concerned, the recipients and the expected storage period.
- Security of Processing – 72-hour breach reporting is required. Pervasive and intelligent internal restrictions are implemented to reduce data risks, including monitoring and encryption techniques.
- Lawfulness and Consent – Lawful processing is done on the following grounds: consent, necessity, legal obligation, protection, public interest, official authority or legitimate interest. Data subjects must be kept informed and requests managed in a transparent, efficient and effective manner.
- Accountability of Compliance – Proof of compliance with the principles relating to personal data processing is required.
- Design and Default – Data controllers must implement technical and organizational measures to demonstrate compliance with GDPR core principles.
Definitions
- Personal Data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
- Data Controller – the entity that determines the purposes, conditions and means of the processing of personal data.
- Data Processor – the entity that processes data on behalf of the data controller.
- Data Subjects – “identified or identifiable natural person[s]”; in other words, data subjects are people—human beings from whom or about whom information is collected in connection with a business and its operations.
- Anonymous Data – sets of data that can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) by any means or by any person, ensuring that there is no way in which individuals can be identified. This is a technically complex task.
- Consent – GDPR requirement that businesses have a defined purpose for the collection of personal information. This reason (or purpose) should always be supported by a legal basis. A legal basis can be a contractual obligation, a legitimate interest for storing and using data, or explicit consent that has been given.
GDPR and ZINFI
The General Data Protection Regulation (GDPR) is a new set of laws aimed at strengthening the protection of personal data of EU citizens and increasing the obligation for organizations to process this data transparently and securely. The GDPR applies not only to businesses in the EU, but to any business that controls or processes the data of EU citizens. At ZINFI, our entire organization works hard to ensure our own practices are GDPR compliant. But it’s equally important for us to help you, our partners and customers understand what GDPR means for your business and create compliance processes yourself. A big part of that is making sure the UPM platform sets up GDPR compliance for you. We are fully committed to providing features in ZINFI UPM that facilitate GDPR compliance.
Disclaimer: This website is not a tome on EU data privacy, nor is it intended to serve as legal advice for your business to comply with EU laws on data privacy such as the GDPR. Instead, it provides background information to help you better understand how HubSpot deals with some important legal issues. This legal information is not the same as legal advice, in which a lawyer applies the law to your specific situation, so if you need advice on your interpretation of this information or its accuracy, we strongly recommend that you consult a lawyer. In short, you should not consider this article as legal advice or a recommendation of a legal concept. The products, services and other features described here are not available in all situations and their availability may be limited.
Below is a detailed list of features that we have designed to help you meet your needs. But first, a quick primer on the legalese associated with the GDPR.
Let’s say that Partner X is a contact of yours and an EU citizen. Similarly, Prospect Y is a lead/prospect of yours and an EU citizen. Partner X and Prospect Y are called the “data subjects,” and your company (let’s call you X Corp.) is called the “controller” of that data. If you’re a ZINFI customer, then ZINFI acts as the “processor” of Partner X’s and Prospect Y’s data on behalf of X Corp. With the introduction of the GDPR, data subjects like Partner X and Prospect Y are given an enhanced set of rights, and controllers and processors like X Corp and ZINFI, respectively, an enhanced set of obligations.
GDPR Fundamentals
GDPR Definitions
You need to have a legal reason to use Partner X’s or Prospect Y’s data. That reason could be consent (opted in) with notice, or what the GDPR calls “legitimate interest” (e.g. Partner X is a partner, and you want to send product-related information).
ZINFI Solutions
Ensure that your Users and Partners upload only Contacts for which a lawful basis of processing exists, by agreeing to your custom Terms and Conditions via ZINFI UPM. If a Partner or User disagrees, the Partner User is automatically logged out and must agree in order to log in and continue. You can easily use a multiselect property to track lawful basis in ZINFI UPM. The property is editable manually or via automation. For example, you might configure an automated workflow to set the lawful basis property when Partner X or Prospect Y signs a contract.
GDPR Definitions
You need the ability to track that reason (also known as “lawful basis”) for a given contact.
ZINFI Solutions
In addition, you’ll be able to track and audit the grant of lawful basis using the property history for that new property via ZINFI UPM.
GDPR Definitions
One type of lawful basis of processing is consent with proper notice.
ZINFI Solutions
ZINFI Forms include features that you can customize to collect and manage consent in a GDPR-compliant way that is as straightforward as possible.
GDPR Definitions
For Partner X to grant consent under the GDPR, a few things need to happen:
ZINFI Solutions
The most common ways that OEMs and Partners acquire new customers are through Forms (including Lead Flows), Newsletter Subscriptions, Event Participation and more. These are the different channels through which Partner X might initially engage with the OEM, X Corp. In each of these tools, you’ll be able to provide proper notice to Partner X before she provides information to you (using text boxes on forms), and to collect the appropriate consent when the Partner is ready to grant it.
GDPR Definitions
The Partner or Prospect needs to be told what she is opting into. That’s called “notice.”
ZINFI Solutions
An additional detail on notice: if you need to link out to additional notice provisions (like privacy notices), you can do so using hyperlinks in forms using UPM FluidCMS and FlexiFlow.
GDPR Definitions
The Partner or Prospect needs to affirmatively opt in (pre-checked checkboxes aren’t valid). Filling out a form alone cannot implicitly opt her into everything your company sends.
ZINFI Solutions
Once the Partner or Prospect submits information, we will store a copy of the notice that was provided, information about which consent got provided, and the timestamp of the interaction in ZINFI UPM.
GDPR Definitions
The Partner or Prospect (as data subject) needs the ability to withdraw her consent, or to object to how you’re processing her data, at any time. In other words, withdrawing consent needs to be just as easy as giving it.
ZINFI Solutions
All ZINFI emails automatically include consent withdrawal hyperlinks. Once a Prospect or Partner completes the unsubscribe process, the contact’s identifying details (email address, phone number, etc.) are no longer usable and are red-flagged in the system so that they cannot be reused by any User; only the Super Admin retains the privilege to manage those details explicitly.
GDPR Definitions
Partners and Prospects must be given notice, in language they can understand, that you’re using cookies to track them, and they need to consent to being tracked by cookies.
ZINFI Solutions
We have a defined Cookie Policy with details of cookie usage. On request, we can provide you the Policy which you can utilize during Partner/Prospect Signup and host it through your Custom Terms and Conditions Page for your Partners to Accept and utilize UPM services.
GDPR Definitions
The Partner/Prospect has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of the contact from your database, including email tracking history, call records, form submissions and more.
ZINFI Solutions
We have a defined process for such deletion and you will be auto-notified on such a request. Once you review, you will be able to perform a GDPR contact disable in your UPM portal.
GDPR Definitions
Just as the Partner/Prospect can request that you delete the associated data, Partner/Prospect can request access to the personal data you have about him/her. Personal data is anything identifiable, like her name and email address. If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).
ZINFI Solutions
ZINFI UPM enables you to grant any access/portability request by easily exporting the contact record into a machine-readable format.
GDPR Definitions
Just as the Partner/Prospect can request to delete or access his/her data, the Prospect/Partner can ask your company to modify his/her personal data if it’s inaccurate or incomplete. When that happens, you need to be able to accommodate the modification request.
ZINFI Solutions
In ZINFI UPM, if the Partner/Prospect asks you to update his/her information, you (or your portal admin) can do so from within his/her contact record.
GDPR Definitions
The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls and more.
ZINFI Solutions
As part of UPM’s approach to the GDPR, we’re SOC 2 Type 2 compliant and constantly strengthening our security controls across the board. In addition to industry standard practices around encryption, our infrastructure teams are also improving our systems for authentication, authorization, and auditing at a massive scale to better protect our customers’ data.
Now that we have the product details, a quick note on our mindset as GDPR marketers. When a new set of rules is first introduced, our first reaction is often fear. Fear of compliance, penalties, and bureaucracy. But here’s the thing: All the recent data protection laws, from the CCPA to the GDPR and more, were enacted for one simple reason: to provide a better experience for our customers and those who trust us. In this way, they are fully aligned with the concept of inbound.
Be relevant, be helpful, be transparent and you’ll be well on your way to compliance. Spam, annoy people, be aggressive and you’re in trouble. Complying with the GDPR takes effort, and that effort can create stress between now and the deadline. But at the end of the day, if GDPR makes life better for your customers, your business will grow too.
Here are some key business interests to consider in the process:
- GDPR has specific rules that allow your contacts to specify exactly what they want to receive from you.
- From a business perspective, this makes perfect sense. Don’t send to contacts who don’t want to hear from you, and make sure those who do choose what they want. This will significantly reduce unsubscribes and improve deliverability.
- GDPR requires greater transparency in the collection and processing of data. In legal terms, these are “right to access” and “portability”, which means that your contacts can request a copy of their data in a common format.
- In other words, your contacts should be able to ask you what they’ve recorded and get a fast, accurate, and easy-to-understand response. In the end, it’s not that crazy, right? Transparency breeds trust, pure and simple.
- GDPR requires you to give contacts the “right to be forgotten”. They may ask you to delete them from your database. This will not only keep relevant contacts happy, but it will save you from wasting time trying to market and sell to people who aren’t interested in your product or service. That means more time to focus on your best prospects and customers.
- Perhaps more importantly, the GDPR requires a lawful basis for processing. In other words, you must have a legitimate reason to use a contact’s data, such as consent or a legitimate interest. If you’re buying contact lists, here’s the bad news: not only does HubSpot’s acceptable use policy prohibit it, but now the GDPR doesn’t allow it either.
- This may seem like a pain in the short term, but it’s great news for your business in the long run. Think about it. Who is more likely to buy from you: a set of email addresses gleaned from the internet who may have heard of you before, or a set of engaged contacts already interested in your product or service? We’ll try our luck with option two. Ensuring you’ve built a legitimate base will lead to a more engaged list, better email delivery rates, and fewer irritated contacts.
FAQs
The GDPR applies not only to the data collected on its effective date—May 25, 2018—but also to the data gathered before that date. Consent records of existing contact lists must prove that the channel marketer has clear authorization to send marketing campaigns to each contact. Any ambiguous records would mean obtaining new and explicit permission from the outdated contacts.
While certain purchased lists with a clear affirmative statement of consent within the original subscription may be allowed under GDPR, this practice is still strongly discouraged because of deliverability concerns.
In order to be compliant with the EU GDPR, every channel marketer is supposed to ensure a proper process for their contacts to unsubscribe. The unsubscribe process under GDPR needs to be clear and simple. Each marketing campaign should include a visible unsubscribe link through which the subscriber can unsubscribe from all communications.
A consent message needs to be easily understandable to individuals. Practices such as pre-ticked opt-in boxes, confusing or vague language (double negatives or inconsistent language) and disruptive mechanisms are banned by the Regulation. An example of a clear and concise consent message: “You agree that [your organization name] may collect, use and disclose your personal data which you have provided in this form for providing marketing material that you have agreed to receive, in accordance with our data protection policy [available at link]. Please check the relevant boxes below if you agree to receive: [boxes].”
Soft opt-ins are not considered as explicit consent under GDPR, and using them is not an acceptable practice. Soft opt-ins are a form of temporary consent given by individuals while providing their email details.
Double opt-in is when individuals need to confirm their email address before being added to a marketer’s email list and receiving communications. It is the double confirmation of their subscription to newsletters or any services needing their personal details. Double-opt-ins are a good way to ensure compliance regarding consent under GDPR.
A record of the process of obtaining the express consent of the data subject is mandatory. That includes: the data subject who gave the consent, when the consent was obtained (a date and time stamp, for example), and the specific purpose for which the consent was given.
You should review consent data regularly to check that the relationship, the processing and the purposes have not changed, and you should consider using privacy dashboards to make it easy for individuals to update their consent preference. Any consent withdrawal requests should be processed as soon as possible, and records kept.
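The following Python block is an added example, written for this page and not part of ZINFI’s product or the original text. It models the consent record described above (data subject, purpose, copy of the notice, timestamp), the double opt-in confirmation step, and withdrawal that is logged rather than erased, as an append-only ledger; the class and function names, the sample address and the state names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent history (the audit trail)."""
    subject: str       # identifier of the data subject, here an e-mail address
    purpose: str       # one specific purpose, e.g. "newsletter"
    action: str        # "granted", "confirmed" or "withdrawn"
    notice: str        # copy of the notice text shown at the time ("" for later steps)
    at: datetime       # UTC timestamp of the interaction
    source: str        # where it happened: form name, unsubscribe link, admin, ...


class ConsentLedger:
    """Append-only record of consent per data subject and purpose (hypothetical design).

    Events are never deleted or edited: a withdrawal is a new event, so the
    history still shows that consent once existed and when it was withdrawn.
    """

    def __init__(self) -> None:
        self._events = []      # type: List[ConsentEvent]
        self._pending = {}     # type: Dict[str, Tuple[str, str]]  token -> (subject, purpose)

    def record_grant(self, subject: str, purpose: str, notice: str,
                     affirmative: bool, source: str,
                     now: Optional[datetime] = None) -> str:
        """Store an opt-in and return the double opt-in confirmation token.

        `affirmative` is whether the subject actively ticked the box; a
        pre-ticked box or the form submission alone does not count as consent.
        """
        if not affirmative:
            raise ValueError("consent requires an affirmative action by the data subject")
        if not notice.strip():
            raise ValueError("the notice shown to the data subject must be stored")
        self._events.append(ConsentEvent(subject, purpose, "granted", notice,
                                         now or datetime.now(timezone.utc), source))
        token = secrets.token_urlsafe(16)   # single-use, unguessable confirmation token
        self._pending[token] = (subject, purpose)
        return token

    def confirm(self, token: str, now: Optional[datetime] = None) -> bool:
        """Complete double opt-in. False for an unknown, used or already withdrawn token."""
        target = self._pending.pop(token, None)
        if target is None:
            return False
        subject, purpose = target
        if self.status(subject, purpose) != "pending":   # withdrawn before confirming
            return False
        self._events.append(ConsentEvent(subject, purpose, "confirmed", "",
                                         now or datetime.now(timezone.utc),
                                         "confirmation-link"))
        return True

    def withdraw(self, subject: str, purpose: Optional[str] = None,
                 source: str = "unsubscribe-link",
                 now: Optional[datetime] = None) -> List[str]:
        """Withdraw consent for one purpose, or for every purpose when `purpose` is
        None ("unsubscribe to all communications"). Returns the purposes withdrawn."""
        if purpose is not None:
            purposes = [purpose]
        else:
            purposes = sorted({e.purpose for e in self._events if e.subject == subject})
        withdrawn = []
        for p in purposes:
            if self.status(subject, p) in ("pending", "active"):
                self._events.append(ConsentEvent(subject, p, "withdrawn", "",
                                                 now or datetime.now(timezone.utc), source))
                withdrawn.append(p)
        return withdrawn

    def status(self, subject: str, purpose: str) -> str:
        """Derive the current state from the history: none, pending, active or withdrawn."""
        state = "none"
        for e in self._events:
            if e.subject == subject and e.purpose == purpose:
                state = {"granted": "pending", "confirmed": "active",
                         "withdrawn": "withdrawn"}[e.action]
        return state

    def may_send(self, subject: str, purpose: str) -> bool:
        """The check a campaign should run before every send for this purpose."""
        return self.status(subject, purpose) == "active"

    def history(self, subject: str) -> List[ConsentEvent]:
        """Everything recorded about one subject, for audits and access requests."""
        return [e for e in self._events if e.subject == subject]
```

The `status` function derives the current state only from the event history, so a regular review of consent data is a pass over the ledger rather than a separate flag that could drift out of sync.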
If you provide or transfer personal data to third parties, the data controller must have agreed to this data sharing. Consent for categories of third parties is not enough for the new European regulation, because you now need to list the third-party providers involved. If you use personal data from third parties, you must confirm that each individual’s consent was collected properly.
Based on Article 6(1)(f), private-sector organizations can process individuals’ data without their consent if they have a legitimate and genuine reason to do so, and such processing must not be outweighed by unwarranted impact on the individuals. The subject’s fundamental rights and freedoms should not be harmed; for example, processing of personal data for the purpose of preventing fraud is considered a legitimate interest whilst direct marketing is not. Check out the Consent Checklist to make sure you follow the right guidelines for your transition to GDPR.
Under Article 19, upon the data subject’s request to halt the profiling, the processing must cease unless the controller demonstrates that the objection overrides the interests, rights and freedoms of the data subject.
Because the new European regulation impacts profiling, you must comply with its requirements in order to send personalized and targeted emails. For more information, check out the GDPR and Profiling section. Check out the Email Marketing Checklist to make sure you’re working with third-party providers correctly as your business transitions to GDPR.
The GDPR applies not only to the data collected on its effective date—May 25, 2018— but also to the data gathered before.
Any ambiguous records would mean obtaining new and express permission from the outdated contacts in order to ensure the sending of email marketing communications is compliant.
While certain purchased lists with a clear affirmative statement of consent within the original subscription may be allowed under GDPR, ZINFI strongly recommends against this because of deliverability concerns. What is permitted may not be good for your email strategy.
Every email marketer should ensure a proper way for their contacts to unsubscribe in order to be compliant with the GDPR. The unsubscribe process under GDPR needs to be clear and simple. You should include a visible unsubscribe link in each marketing email where your subscriber can:
- Unsubscribe to this marketing communication
- Unsubscribe to all of your communications
- Contact a return email address
Allowing your contacts to easily subscribe and unsubscribe is equally important in achieving compliance with GDPR.
Yes, as long as these third-party solution providers adhere to GDPR guidelines on data processing and storage. Personal data can only be transferred outside of the EU to countries that satisfy the adequacy requirement, or if you can assure an adequate level of privacy protection through Binding Corporate Rules.
Binding Corporate Rules are the EU gold standard for data privacy. BCRs allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of it where an adequate level of protection is not ensured. The BCRs must be in line with the requirements of the Article 29 Working Party (on BCR):
- Privacy principles (transparency, data quality, security…)
- Tools of effectiveness (audit, training, complaint handling system…)
To ensure approval for their BCRs, companies must choose a lead data protection authority to approve BCRs and coordinate securing approval from other relevant data protection authorities.
- Make a list of all the third-party cloud solutions you currently use.
- Map out the path of your data during the lifecycle of the process to ensure adequate levels of security at every step.
- Assess the level of risk you could pose to individuals should your data be compromised.
- Determine whether you need to appoint a data protection officer.
- Review all your contracts to understand where your data and applications are stored and whether your data is ever processed out of the EU.
- Include strict confidentiality, data privacy and data residency clauses in your contract.
- Ask your solution providers, especially those based outside of the EU, whether they are compliant with the GDPR regulation.
- Start evaluating and planning the switch to GDPR compliant solution providers if your current solution providers do not have plans to be GDPR compliant by May 25.
In June 2016, a majority of UK voters voted in favor of leaving the EU in the “Brexit” referendum. In March 2017, Theresa May gave notice to leave the EU under Art. 50, triggering commencement of the Brexit negotiations. As it stands now, the UK is scheduled to leave the EU at 11 p.m. UK time on March 29, 2019. This means if you’re based in the UK, you’ll need to work on your compliance as if Brexit never occurred. The UK has drafted legislation to update the current Data Protection Act (DPD) in line with the GDPR. The bill is currently working its way through the UK Parliament. If you’re based outside the UK but have vendors or affiliates in the UK with whom you share personal data, you’ll also need to keep an eye on developments in this area. When the UK leaves, cross-border data flows may not automatically have adequate safeguards, and therefore additional protections may be required to protect data you transfer to the UK.
Individuals already have numerous rights which protect their personal data under the 1995 Data Protection Directive, but the GDPR significantly strengthens these rights such that data subjects can now:
- Obtain details about how their data is processed by an organization or business;
- Obtain copies of personal data that an organization holds on them;
- Have incorrect or incomplete data corrected;
- Have their data erased by an organization, where, for example, the organization has no legitimate reason for retaining the data;
- Obtain their data from an organization and have that data transmitted to another organization (data portability);
- Object to the processing of their data by an organization in certain circumstances;
- Not to be subject to (with some exceptions) automated decision-making, including profiling.
Policy Documentation
- Cookie Policy – Is your cookie policy GDPR-compliant? Under the GDPR, any cookie or identifier uniquely attributed to a device is considered personal data. This includes almost all advertising/targeting cookies, many web analytics cookies, and quite a few functional services like survey and chat tools that record user IDs in cookies.
- Partner Terms and Conditions for GDPR Compliance – Read the terms and conditions integral to the Master Subscription Agreement or other written or electronic agreement between ZINFI, OEMs and partners for the mutual processing of online channel management services. These updates reflect the parties’ agreement with regard to the processing of personal data.
- ZINFI and GDPR Readiness – As the developer of the #1 Unified Partner Management (UPM) platform, ZINFI provides channel marketers with visibility into and control of their customer data, helping organizations accelerate compliance with GDPR while unleashing the power of that data to optimize channel performance.
Functional Documentation
- ZINFI and GDPR Readiness – If you haven’t yet started your journey to GDPR readiness, now is the time to put your plan into action. To help, we have created a checklist to guide your decision-making, enable fast-track GDPR readiness and track your progress.
- GDPR Countdown and You – ZINFI recently held a Q&A with customers about the implications of the impending GDPR requirements. The new rules are intended to strengthen and unify data protection for individuals within the European Union (EU), and they will have a major impact on marketers who do business with EU citizens.
- GDPR and Marketers – If you’re a marketer doing business with EU clients, it’s important that you carefully analyze your current data acquisition and customer contact practices, and consider modifications to these practices in order to ensure compliance. Read our overview of the new GDPR requirements and our tips for ensuring readiness.