We know that in today’s increasingly privacy-sensitive world you want to do right by the users of your website, and you want to be sure that RightMessage remains compliant. Here’s our overview of GDPR + RightMessage.
The General Data Protection Regulations (GDPR) replace and unify data protection laws from throughout Europe and relate to the protection of, dealing with, processing of and handling of personal data.
The GDPR applies to all EU organisations, from sole traders to corporates, that process personal data, as well as organisations that process personal data that relates to individuals within the EU.
If you retain or process any such personal data, then you must ensure that you meet the relevant conditions of the new General Data Protection Regulations (GDPR).
Personal data is data that relates to a living individual and allows that individual to be identified from such data (data subject). Under the GDPR the definition of personal data is more detailed than previous definitions and includes online identifiers such as an IP address.
When you use RightMessage, a visitor to your website may be identifiable to you, and thus GDPR will apply.
Both, depending on the context.
When you’re using information about your customers or potential customers to better personalize the experience they have on your website: your visitors are the Data Subjects, you are the Controller, and RightMessage is the Processor.
In the context of RightMessage holding data about you as a customer of ours, or as a visitor to our own web site, you are the Data Subject and we are the Controller.
Nope. Personalization and GDPR are perfectly compatible, as long as you go about it the right way – we would recommend that you consider the Privacy Notice on your own website, to ensure compliance with GDPR and to ensure that your visitors are aware of how their personal data will be processed through RightMessage. Keep reading for more detail!
If I’m personalizing to top-of-funnel / anonymous visitors, do I need to do anything to be GDPR compliant?
If the data being used cannot be used to identify a living individual (for example where it is anonymized), then no measures need to be taken in relation to GDPR and thus no consent is required.
Yes. In this instance the data being used is personal data, as it identifies a living individual, so you will need to give the individual the following information (at the time that their personal data is collected):
Consent may be required, but this will depend on the lawful basis for processing the data. Consent is one of the lawful bases for processing data; the others are:
As for what RightMessage servers store about your visitors to facilitate personalization: nothing. Your visitor’s browser will ask RightMessage for the data, the RightMessage servers will fetch that contact’s data from your email marketing tool, and will then return it straight to the visitor’s browser without storing it. None of your visitor’s personally identifiable information is stored on RightMessage servers.
Some personal data is more sensitive and so requires more protection, including (amongst others) information relating to health, race, religion, politics, sexual orientation, etc.
Where this sensitive information (known as special category data) is processed, you must identify one of the reasons listed above as a lawful basis for processing the data (such as consent, or that it is necessary for the performance of a contract) AND an additional condition from Article 9 of the GDPR, unless the individual has given their explicit consent for you to process their personal data in that way.
The EU-US Privacy Shield protects the rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.
This ensures that US companies cooperate and ensure the protection of personal data of EU individuals.
RightMessage is striving for GDPR compliance and as such will be reflecting the requirements of the EU-US Privacy Shield.
Any time a Data Controller uses a Data Processor, and therefore passes over personal data, the Data Controller must be confident that the Data Processor (such as RightMessage) takes measures to ensure that it is GDPR compliant, so that the Data Controller meets Article 28 of the GDPR:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
The terms of the processing must be set out in a written contract and this should include the following information:
We’ll be updating our Terms of Service to include sufficient measures for most businesses we’ve spoken with, but we can also supply this to you to sign separately on request.
We’re in the process of updating our Privacy Notice, and Terms of Service, to be fully compliant and to explain to you how we’re handling that compliance.
A Privacy Notice is individual to your business and as such you shouldn’t just use another business’ Privacy Notice for your own use.
Consult a solicitor specialising in Data Protection law who will be able to give you advice that is relevant to your business and your industry. There is no ‘one size fits all’ for GDPR and so you must ensure that the steps taken to become GDPR compliant are appropriate for your business.
Inform your clients and customers of what personal data you collect, how it is collected and how it is used as well as their rights in relation to that personal data. This will be covered in your Privacy Notice.
If you have any specific questions in relation to how GDPR affects your use of RightMessage that have not been answered above, or in relation to GDPR and your own business, please contact us – firstname.lastname@example.org