.png?width=157&height=29&name=iZooto-blog-branding%20(1).png "iZooto-blog-branding (1)"){kind=small}
Disclaimer - This is not a legal advice for your product/company to comply with GDPR. It is simply our assessment of how it will affect businesses operating in the growth and the marketing domains.
A lot has been said and written about GDPR in the last few days. It is being termed as a watershed moment for growth and retargeting tools, and rightly so. GDPR is aimed at providing users in EU with complete control over their personal data and the kind of communication they would want to receive, enforcing businesses that deal with their data in transparent and secure manner. The penalty for non-compliance is huge, up to €20 million or 4% of the total revenue of the previous financial year, whichever is higher.
With GDPR, businesses dealing with users in EU have been asked to either fall in the line or fall by the wayside.
What is GDPR?
General Data Protection Regulation (GDPR) is a regulation under EU law to ensure data protection and privacy to all individuals in the European Union. GDPR was approved by the EU parliament in April 2016 and was enforced on 25th May 2018.
GDPR is the most significant change to data regulation in the last 20 years. It replaces the Data Protection Directive 95/ 46/ EC.
Does it apply to you?
GDPR is focused on safeguarding interests and privacy of users in EU. Whether your business operates out of EU or not, if you have any user from EU accessing your product or website, you need to comply to GDPR.
GDPR applies to you if you are
- Tracking user activities on your website or within your app for personalization or marketing
- Capturing any Personally Identifiable Information (PII)
PII is any information that can identify a user uniquely such as
- Name
- Email address
- IP address
- Cookie
- Location
If your product or service is involved in any of the activities mentioned above without taking explicit consent from end-users, you should change the user flow to ensure that users make informed decisions before opting-in or sharing their data.
What are the compliance requirements?
Let’s go through the guiding principles of GDPR compliance. GDPR emphasizes on following two things primarily-
- Right to data collection: This part addresses whether you as a business have the right to collect and process user data and personal information or not.
- Right to Data processing: This part addresses the way the user data is handled.
Right to data collection
Businesses can collect and process personal level data provided that they have the ‘lawful basis’ to justify the same. Lawful basis gives businesses rights to process user data under following scenarios.
1.Consent
If users give explicit consent to share their personal information for the exact reasons the business is requesting it for, it grants permission for a business to collect and process personal information.
A consent is an affirmative action taken by the user allowing the business to capture required data, every user consent has to be
- A clear affirmative action: No pre-checked checkboxes
- Given freely: Users should not be incentivized or enforced to give consent to the promise of a service
- Specific, informed: Users should be aware of the exact information they are going to share and the reasons they are going to share it for
- Unambiguous
- Documented
- Easily withdrawable
Please note that you need to seek consents from your existing users from EU again i.e. re-opt in your existing subscribers.
A non-GDPR compliant flow to use cookies by Facebook
A GDPR compliant email consent from dpnetwork.org.uk
Reference - https://www.reforge.com/blog/gdpr-growth-marketing
Other valid grounds for collecting and processing personal information are -
2. Contractual obligation
Contractual obligation is when the nature of the contract between the business and the users require processing of personal data. For instance, purchasing an insurance policy would require users to provide their personal information.
3. Legal obligation
If the business is bound by a legal obligation, it can collect and process personal data. For instance, providing social security number while opening up a new bank account is enforced by law and hence is allowed.
4. Vital interest
If collecting personal data is in the vital interest of the user, it’s a valid ground. For instance, getting information about a person’s previous health records will be vital for giving health advice or medical prescriptions.
5. Legitimate interest
Legitimate interests of the users can be one of the reasons for businesses to collect personal information. The definition of legitimate interest is a bit vague and open for interpretation. Processing data for fraud detection, direct marketing considering user’s interests, internal compliance requirements such as payroll are few of the examples of legitimate interests.
6. Public task
If processing of data is necessary for the performance of a task carried out in the public interest or the business entity has legal rights to do so, it’s a lawful basis of processing information. This basis can be used by government entities or local authorities to process personal data.
Reference - https://blog.focal-point.com/9-examples-of-lawful-basis-for-processing-under-the-gdpr
Right to Data processing
Data processing encompasses any activity or operation performed on the personal information which includes data collection, transfer, access, modification, storage, usage etc. You should ensure all the data operations follow secure protocols and the data retention policies are outlined clearly.
Additionally, users should be able to access, modify, export and delete their own data. If there is an identifier for the users, the tool you are using should provide you with either an interface or a set of APIs to perform these operations.
How should a web push notification tool comply?
Web push notifications require explicit consent from the website visitors by design. All browsers that support web push notifications provide an opt-in for users to subscribe to notifications.
For communication meant for all users, this consent would suffice. For instance, if you want to announce a flash sale or inform users about a new category launched on your e-commerce store, you need not take any additional consent from your subscribers.
Broadcast messages / Announcements
For targeted communication, where you need to communicate to a particular audience basis their attributes such as location, gender or send personalized notifications basis their website activity, you should take explicit consent from the users.
Personalized Messages
The kind of data that you capture can fall into two broad categories - user attributes, website activity.
Here is a suggested subscription flow for three scenarios
- Capture no personal data template
- Capture location data / other attributes template
- Capture location and web activity data
Convert more of your website traffic into sales with iZooto Web Push Notifications. Start your FREE trial Now.
Capture No Personal Data template
a) Subscription process
b) Unsubscription process
Capture Location Data Template
a)Subscription process
b)Unsubscription process
c) Resubscription process for existing subscribers
Capture Location and Web activity Data
a) Subscription process
b) Unsubscription process
c) Resubscription process for existing subscribers
Apart from this, you should -
- Appoint a Data Protection Officer who will be responsible for assessing the impact of data protection regulations, implementing the required changes, educating employees within the organization.
- Update your privacy policy to reflect the new privacy measures undertaken.
- Engage in Data Processing Addendum (DPA) with all the 3rd party tools you are using.
The underlying objective here is to provide the end-users with a better experience, treat their personal data carefully and establish trust in their minds about your business. While changing your existing processes or creating new ones, adding new 3rd party tools, you should incorporate ‘Privacy by Design’.
Learn more about push notifications.
