At Wired Plus, we are committed to helping marketing professionals comply with the new GDPR regulations. Learn how to deal with and comply with GDPR from our collection of resources. We’ve also included some official legislative documents as well as key resources from the ICO.
The General Data Protection Regulations (GDPR) are designed to protect the personal data of EU citizens. Every business that processes the data of EU citizens must comply. This applies no matter whether the business is based in the EU or not and is applicable to all company sizes.
'Personal data' is defined as any piece of data that can be used to identify a natural person. You need to ensure that any data collection, amendment, transmission and erasure processes comply with the new regulations after the 25th May deadline.
Businesses are defined as either data processors or data controllers depending on how they handle customer data:
• Data Controllers: Controllers determine the purpose and means of processing personal data.
• Data Processors: Processors take responsibility for data processing on behalf of the data controller. They are legally liable for data breaches.
Wired Plus is defined as a Data Processor and a Data Controller under GDPR.
To ensure GDPR compliance in our role as data processor, we have amended our internal practices and policies in preparation for the 25th May 2018 deadline. We have reviewed our internal processes, systems and legal documents.
We have built the Wired Plus system with GDPR in mind. Our features have each been developed after considering how the new regulations may impact their usage in the future. The Wired Plus team are constantly striving to improve the system and will continue to build features into our Marketing CRM which ensure or aid compliance both for ourselves and our clients.
• Updated Terms and Conditions: We have updated our Terms and Conditions to ensure that we are fully prepared for the GDPR regulations.
• Updated System Functionality: We have updated a large number of functions in the system to support us and you in complying with GDPR. You can request the updates from your account manager should you like to know the details.
In addition to our role as a Data Processor, we have taken a number of steps to ensure that we are compliant with the new regulations in our role as a Data Controller. Our processes have been designed around the following areas:
• Right to be forgotten: Upon request, we will delete your Wired Plus account. We will ensure that your account data and any data about you is also deleted.
• Right to object and right of access: We will inform you on how we will use your data for any product improvements and marketing activities. Where appropriate, we will collect additional consent for processing and provide you with the opportunity to opt out. We are currently reviewing the customer data that we hold and will ensure that we collect consent where required.
• Right to rectification: We have put processes in place to keep data up to date, and we invite our customers to let us know of any changes or updates to account information. We will also provide easy access to update your information via the Account Detail tab in the Settings menu.
• Right of portability: We will export your individual account data to a third party at any time upon your request.
We have built our system with GDPR in mind. The following features and processes are available in our system to ensure that all the data we store is fully compliant with the new regulations:
• Consent: We monitor the date and time that consent is given, including the opt-in status for each contact. Opt-in options include single and double opt-in. Once a contact confirms their subscription using the link in the confirmation email, their status is changed to Double Opt-In Verified.
• Account Summary Report: Wired Plus provides you with the tools you need to monitor each action which is taken inside your account. You can monitor your contact behaviour on an action-by-action basis giving you a full overview of their activity.
• Deletion Request: Wired Plus gives you the option to delete your data at any time as part of your 'Right To Be Forgotten'. To act on the Right To Be Forgotten, contacts need to get in touch with their Wired Plus Account Manager.
• Updating Data: To comply with the 'Right To Rectification', Wired Plus allows you to update and rectify customer data.
Companies are now required to have a legal basis for data processing. This basis should be logged and kept up to date. Six legal bases are available for data processing under GDPR, as defined by the ICO. These are:
• Consent
• Performance of Contract
• Fulfilling a Legal Obligation
• Protection of Vital Interests
• Performance of A Public Task
• Legitimate Interests
In many cases, data controllers using Wired Plus will use consent as their legal basis for processing data. Consent should only be used when no other means for data processing are available. To use consent as the legal basis for data processing, it must be:
• Obtained with a double opt-in sign up process
• Written in plain, understandable terms
• Positive and unambiguous - no pre-checked boxes can be used
• Specific for the intended purpose
• Easy to withdraw
• Evidenced and updated
• Freely given
Companies must not rely on consent where another legal basis for data processing can be used.
Before you can comply with GDPR, you need to know what actions you need to take. We have compiled several resources to help you prepare your own business for the changes that you will need to make in the next few weeks.
The first step you may wish to take is reading the full GDPR document which is available on the ICO website. The ICO website provides you with a detailed guide of how you will be affected.
We have produced a guide to GDPR compliance which is available from our website. The document is free to download and contains the key considerations you need to address to make your business compliant.
You will also find several shorter advice articles in our Marketing Hub.
Here's a short checklist to help you prepare:
• Read and understand how GDPR will affect your business
• Create an action plan detailing the steps you need to take before the 25th May 2018 deadline.
• Create a log of all the personal data you collect and manage. Detail where it is stored, how it is processed and who processes it.
• Ensure that you have legal grounds for processing the data including any double opt-in consent that you require.
• Check and update your historical data to ensure it is also fully compliant
• Decide whether you need a Data Protection Officer and appoint or outsource one for your business.
ICO – Guide To General Data Protection Regulation: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
ICO GDPR Blog Posts: https://iconewsblog.org.uk/tag/gdpr/
Data Protection Network GDPR: https://www.dpnetwork.org.uk/gdpr/
Data Protection Network GDPR Checklist: https://www.dpnetwork.org.uk/gdpr-consent-10-point-quick-guide/
European Commission Data Protection: https://ec.europa.eu/info/law/law-topic/data-protection_en
IAPP GDPR Resources: https://iapp.org/resources/topics/eu-gdpr/
Article 29 Working Party: http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_annex_en_40854.pdf
DMA – GDPR checklist: https://dma.org.uk/article/dma-advice-gdpr-checklist
DMA Data Retention Advice: https://dma.org.uk/article/dma-advice-data-retention
DMA Insights – Legitimate Interests: https://dma.org.uk/article/dma-insight-the-legal-base-for-legitimate-interests
DMA GDPR Resources: https://dma.org.uk/gdpr
Österreichische Datenschutzbehörde: http://www.dsb.gv.at/
Commission de la protection de la vie privée. Commissie voor de bescherming van de persoonlijke levenssfeer: http://www.privacycommission.be/
Commission for Personal Data Protection: http://www.cpdp.bg/
Croatian Personal Data Protection Agency: http://www.azop.hr/
Commissioner for Personal Data Protection: http://www.dataprotection.gov.cy/
The Office for Personal Data Protection: http://www.uoou.cz/
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): http://www.aki.ee/en
Office of the Data Protection Ombudsman: http://www.tietosuoja.fi/en/
Commission Nationale de l'Informatique et des Libertés – CNIL: http://www.cnil.fr/
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit: http://www.bfdi.bund.de/
Hellenic Data Protection Authority: http://www.dpa.gr/
National Authority for Data Protection and Freedom of Information: http://www.naih.hu/
Data Protection Commissioner: http://www.dataprotection.ie/
Garante per la protezione dei dati personali: http://www.garanteprivacy.it/
Data State Inspectorate: http://www.dvi.gov.lv/
State Data Protection: http://www.ada.lt/
Office of the Data Protection Commissioner: http://www.dataprotection.gov.mt/
Autoriteit Persoonsgegevens: https://autoriteitpersoonsgegevens.nl/nl
The Bureau of the Inspector General for the Protection of Personal Data – GIODO: http://www.giodo.gov.pl/
Comissão Nacional de Protecção de Dados – CNPD: http://www.cnpd.pt/
The National Supervisory Authority for Personal Data Processing: http://www.dataprotection.ro/
Office for Personal Data Protection of the Slovak Republic: http://www.dataprotection.gov.sk/
Information Commissioner: https://www.ip-rs.si/
Agencia de Protección de Datos: https://www.agpd.es/
The Information Commissioner’s Office: https://ico.org.uk/
Icelandic Data Protection Agency: https://www.personuvernd.is/
Data Protection Office: https://www.llv.li/#/1758/datenschutzstelle
Data Protection and Information Commissioner of Switzerland: https://www.edoeb.admin.ch/edoeb/de/home.html