We expect that, as a digital marketer, you know all about the General Data Protection Regulation, better known as GDPR, but here is a very brief reminder of what it means to you as an Emarsys customer.
The most important things for you to know as an Emarsys customer
First and foremost, remember that GDPR affects you and your customer data.
If you are in breach of these regulations, any resulting legislation will affect you, not Emarsys.
As your partner in digital marketing, we provide all the tools, means and advice you need to stay compliant, but it's up to you to use them properly. It should also be stressed that we are not qualified to offer legal advice, and at all times it is assumed that you are using the Emarsys Marketing Platform properly, as instructed in our documentation or by our support teams.
We can protect the data you hold on your customers, through data security best practices and ISO compliance, but it is still up to you to collect and use that data in the right way.
In other words, we advise, encourage and enable you to be GDPR compliant, but it is your responsibility to take the necessary steps.
We feel this point is important enough to make it twice, and in a different color.
Emarsys is not a law firm specializing in data security legislation, and we do not offer legal advice. We want to help you to understand how this legislation can affect you as an Emarsys customer, and this article assumes that you are using the Emarsys Marketing Platform properly, according to our documentation.
You should always refer to a qualified legal source when it comes to checking whether or not you are compliant in any given situation.
What are the most important points of GDPR in a nutshell?
GDPR concentrates on the following:
- Consent - Now more than ever, you have to be 100% sure that your contacts have given you explicit permission to collect and use their data. Not only that, you have to be able to demonstrate that now and in the future. This should always have been the case (if you have been a good marketer), but now many of the loopholes and grey areas have been tightened and cleared up.
- Access to data - Customers have always had a theoretical right to know what data you hold on them, but in the past it has been hard to make companies comply. Now this right is more robust, with more stringent rules applied to costs and a lowered, 30-day maximum timeframe.
- Data protection officer - Article 37 of GDPR lays out the conditions under which you are obliged to appoint a designated data protection officer, to monitor your data processing activities and to act as point of contact for incoming data processing requests from customers.
- The right to be forgotten - Customers can demand that you delete all the data you hold on them.
- Data portability - Customers can request that you provide their data in an easily accessible format.
- Child protection - Children under 16 years require parental consent. That is, they cannot subscribe themselves.
GDPR also acknowledges that the Internet has made the location of your HQ all but irrelevant. You still need to comply if you offer goods or services to EU data subjects, or monitor their online activities.
And in addition to this, enforcement is stricter, and the penalties are larger.
In short, GDPR puts the law firmly on the side of the individual when it comes to collecting and using their data. And it makes it much, much more painful for the companies who fall foul of it, with the maximum fine now €20 million.
How does the retrieval and deletion of our contact data work?
- For a current contact record in your Emarsys database, this is simply a case of making a single export of a contact record with all fields included.
- Likewise for data deletion, you can simply delete the individual user from the Platform interface.
If you are using Web Extend, you can send a request to us to retrieve or delete the historical data that we hold on a contact.
Send the relevant email addresses, along with your account name and login environment, to email@example.com. We will then deliver you the data record in a .csv file, which you can pass on to your customer.
Requests for data deletion should be processed in the same way.
For security reasons we will only accept requests to retrieve or delete contact data from an Account Owner, or a nominated Data Protection Officer whose contact details have been passed to us.
We are working on an automated solution to this, but for now this manual process is our only option.
Emarsys and Data Protection
Emarsys has prepared a Data Processing Agreement for all our customers. You can download a signed copy here (requires a login):
If you have not already done so, please download the version appropriate to the Emarsys office with which you signed your contract, countersign it, save a copy for your records and email us a scanned copy to firstname.lastname@example.org.