The most important change in data privacy regulation in 20 years
Last updated May 24, 2018:
- Setting Active-Consent Checkboxes as ‘Required’ is not GDPR-Compliant
We’ve received new guidance from our legal team that you should NOT make your consent checkbox required: under the GDPR consent must be freely given, and a box a visitor cannot leave unticked (or that is pre-ticked) is not a free, affirmative choice (Article 7(4), Recital 32). Therefore, you will no longer be able to set our Leadpages active-consent checkbox to required, and any Leadpages and/or Leadboxes with a required consent checkbox must be updated. Here’s how to do that.
- [Drip Integration] Starting May 25, active consent data is now automatically passed from Leadpages’ Drag & Drop forms to Drip. No other email service provider has made this update, so it’s another reason to jump on the Drip train.
- [Coming Soon] Consent data from Drag & Drop forms will be collected in a downloadable .CSV file
In addition, consent data will be collected retroactively for all visitors who have converted on your checkbox forms. So, if you’ve been worrying about capturing ‘proof’ of consent, we’ve got you covered!
Update from April 23, 2018: Leadpages now offers an active consent checkbox.
Update from April 13, 2018: There may be cases where you have to acquire or re-acquire consent from existing contacts. Ask your lawyer for clarification on the topic of re-permissioning, specific to your business.
What you need to know about (the NEW) GDPR
GDPR is designed to hold organizations (like Leadpages & your business) more accountable for keeping personal data secure and outlines new procedures for how you collect, store, and use data – as well as the rights individuals have to protect, access, and modify the data you hold on them.
Whether you’ve been on the GDPR bandwagon for some time now, or the May 2018 deadline has taken you by surprise – breathe easy and read on. We’re all on this road to compliance together.
This new legislation applies to all people, organizations and businesses that process personal data (names, email addresses, tracking data, etc.) about individuals within the European Economic Area (EEA) in the context of offering them goods or services (paid or free) or monitoring their behaviour – regardless of where in the world your business (and data) is based. The EEA states are the EU member states plus Norway, Iceland and Liechtenstein, as well as (for now) the UK.
Practically speaking, if you’re selling to, communicating with, and collecting information from any of these geographies – you’re going to want to tune in.
These new standards are laid out in a 200-page document and set a significantly higher bar for how data is collected, stored, and used. But fear not. While becoming compliant with the new standards does require effort, we’re all in this together and this article is designed to give a plain-English overview of what you need to know, how it affects your business, how you can stay on the right side of the law, and what Leadpages is doing to help.
I’m not based in the EU. Should I care about GDPR?
Regardless of where your business is based or where you process or store your data, GDPR applies to all people, organizations and businesses that process data about individuals in the EEA (the EU plus Norway, Iceland and Liechtenstein, and for now the UK) in the context of offering them goods or services – regardless of whether the organization is based in that same geography. It also applies to all businesses established in the EEA.
Data on all EEA persons is regulated, regardless of where the information is stored.
The law applies to persons in the EEA (as opposed to citizens or residents). That means that if you’re targeting a lead generation campaign to couples on vacation in Italy you are still subject to GDPR.
When does GDPR go into effect?
GDPR becomes fully enforceable on May 25, 2018 (at which point the grace period runs out).
Why comply with GDPR?
- Protect the data security of your contacts and avoid harmful data breaches
- Protect your brand from potentially embarrassing data breaches
- Avoid (super) hefty fines
Getting caught in noncompliance can result in fines of up to €20 million (that’s $24.6 million USD) or 4% of global annual turnover, whichever is higher (ouch!)
What happens if I fail to comply?
Penalties for noncompliance are pretty painful and quite costly. Violators (individuals and/or organizations) could be fined up to €20 million or 4% of worldwide turnover (revenues), whichever is higher. The severity of the fine depends on the severity of the offence, and GDPR lays out two tiers (Article 83). For example, an organization that doesn’t have its data records fully in order falls under the lower tier and could be fined up to €10 million or two percent of annual global revenues.
(Multinational organizations are treated as a single undertaking, so turnover is measured across the whole group.)
How will the data police know I’ve complied?
The question of how exactly GDPR will be enforced is still mostly unknown. Though, experts anticipate that you may be called upon to prove that you have complied.
To proactively prepare for that possibility, you should:
- Obtain (active) consent before collecting data on any person, or document which other lawful basis under Article 6 you rely on
- Maintain documentation of data processing activities (Article 30)
- Appoint a data protection officer where Article 37 requires one (public bodies, large-scale monitoring, or large-scale processing of special categories of data)
- Create & use data protection impact assessments for processing that is likely to be high-risk (Article 35)
You can also check out the additional recommendations from the United Kingdom Information Commissioner’s Office (ICO).
What is GDPR, really?
GDPR = General Data Protection Regulation of the European Union.
Essentially, it is the most important change in data privacy laws in the last 20 years and specifies how consumer data should be collected, used, and protected & also clarifies what individuals rights are concerning their own personal data.
It builds on the previous EU Data Protection Directive (est. in 1995) and is designed to be relevant for the next twenty years. It was officially adopted by the European Parliament in April 2016 and started a two-year transition period in which companies must become compliant. Therefore, it becomes officially enforceable on May 25, 2018.
Most agree that this new legislation was long overdue: the Directive itself dates from 1995, and the data-protection principles it rests on go back to the Council of Europe’s Convention 108 of 1981. In many ways, the GDPR is designed as a legislative quantum leap forward, to better align with recent advances in technology and to accommodate current business models.
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
What kind of data are we talking about?
GDPR applies to personal data.
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” GDPR Personal Data Definition
Will Leadpages comply with GDPR?
YES! The data protection team at Leadpages has been working for months in order to ensure full compliance.
Leadpages is considered a ‘data processor’ under GDPR regulations and we fully intend to comply with our data protection obligations by the May 25, 2018 deadline. (We also fully intend to help you do the same!)
Does Leadpages compliance mean I don’t have to do anything else?
No. Unfortunately, we’re not a get out of jail free card.
While we wish we could do it all for you, each individual organization regulated by GDPR needs to evaluate its data practices against the new regulations and ensure compliance.
What is Leadpages doing to comply with GDPR?
As a processor, Leadpages must comply with Article 28. Meeting these requirements will include actions such as maintaining records of data processing activity, appointing an official data protection officer, and ensuring continual compliance by regularly reviewing data protection measures.
We will also continue to update this post as new details become available.
- Data Processing Agreement (DPA) for Customers
GDPR specifies that any Controller subject to GDPR needs a signed Data Processing Agreement with any third party it shares data with where that third party is a Processor as defined under GDPR (Article 28(3)). If you’re collecting any personal data (name, email address, etc.) from someone located in the EEA, you’re a controller. The organization/application that stores that data on your behalf (Leadpages, for example) is the processor. Customers of Leadpages who are considered Controllers under the terms of GDPR should sign a DPA with Leadpages in advance of the May 25, 2018 compliance deadline.
Click Here to Get Started
- Active Consent Check-box:
Inside the drag and drop builder forms, you can now add a consent check/tick box and customize the language for your opt-ins (available in both the Legacy and Drag & Drop Builder). Ideally, you’ll have a field like this in your email service provider that will register this consent. But if you don’t, you’ll be able to demonstrate this consent with the fields added to your Leadpages.
What does the GDPR do?
It gives EEA persons more rights and protections regarding their personal data.
Let’s imagine Jane is an EEA person (oh I don’t know…living in the quaint city of Pamplona, Spain) who your business interacts with and collects data from.
Under the GDPR, as an EEA person, Jane has:
- The right of access: Jane can ask if your organization is processing her data and has a right to receive an answer from you, along with the requested information, without undue delay and within one month – at little to no cost to Jane. (Chapter III Section 2, Article 15)
- The right to rectification: Jane can correct or complete her data entries, and you must pass the correction on to any third party you shared the data with. (Section 3, Articles 16 and 19)
- The right to be forgotten: Under specific circumstances, Jane can request the removal of her personal data. (Section 3, Article 17)
- The right to restrict processing: Under specific circumstances, Jane can block the processing of her data. (Section 3, Article 18)
- The right to data portability: Jane can request her personal data in a structured, machine-readable format and reuse it for her own purposes anywhere she wants by transferring it across different IT environments. (Section 3, Article 20)
- The right to object: Jane can object to the use of her personal data and make a case that the business does not need the data it is processing in order to perform its business function. For direct marketing the objection is absolute: once Jane objects, you must stop marketing to her, no case required. (Section 4, Article 21)
What does GDPR mean for your marketing:
GDPR applies to ‘data processors’ and ‘data controllers’ – first, you’ll want to figure out which one you are. (We expect most of our customers to be in the data controller category)
- Data controllers: determine the “purposes and means of the processing of personal data”
- Data processors: “process personal data on behalf of the controller”
If you’re collecting any personal data (name, email address, etc.) from someone located in the EEA, you’re a controller. The organization/application that stores that data on your behalf (Leadpages, for example) is the processor.
I’m a ‘data controller.’ What do I need to know about GDPR?
As a data controller, you’ll need to take certain precautions to ensure that the personal data you collect is well protected. That means you’ll want to ensure you have active consent (or another documented lawful basis) for all EEA persons in your database; you may also need to designate someone to be in charge of data protection (employee or third party), put together a risk mitigation plan, etc. Article 24 deals with the particulars.
- For Existing Data
There may be cases where you have to acquire/ re-acquire consent from existing contacts. This is known as repermissioning – and it’s best to consult your lawyer to know if you need to repermission your customers for consent to continue using their data.
- For New (Incoming) Data
Ensure that you acquire new subscribers and leads in a GDPR-compliant way.
Ensure consent is always active and always obtained (this affects both online acquisition and in-person events). Keep an audit trail of where that consent came from (the page or form), the exact wording they were responding to when they opted in, and the time & date of that opt-in.
I’m a processor. Now what?
If you’re a Leadpages customer, you’re likely a controller. However, there’s always a unicorn or two in the bunch – so for you processors, you’ll want to read Article 28.
How can Leadpages help me comply with GDPR?
Leadpages is a web application that collects subscribers and leads and funnels that information to your marketing tech stack through a series of integrations.
You can use it to effectively manage your web form UX, data capture, customer-facing messaging, and marketing opt-ins.
We’re able to help you:
- Capture (active) opt-ins everywhere and anywhere throughout your web presence
- Standardize your opt-in messaging
- Date/time stamp the opt-in data
- Easily see which pages and Leadboxes have been deployed and are currently in use
- Quickly determine which pages are delivering optimal conversion
To comply with new GDPR guidelines, Leadpages customers must:
- Request the explicit (active) consent of every visitor before any data collection takes place.
This could take the form of a click to consent box or double opt-in flow. Your requests must be in straightforward, easily understandable language free of legalese. It also must stand alone from other matters or requests and not be buried in other text.
- Have a means for leads to request access and view the data that you have collected on them. (You can process these requests manually)
- Provide leads with a way to withdraw consent and purge personal data collected on them; i.e. the “Right to Be Forgotten”. (You can process these requests manually)
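The audit trail described under “For New (Incoming) Data” and the three requirements just listed (explicit consent, access, withdrawal/erasure) can be implemented as one small consent ledger. The following is an added example, not Leadpages code: it assumes a plain HTML form whose checkbox field is named `consent`, and the wording, URLs and submissions are constructed for illustration. The box is accepted unticked (it is not required), but marketing consent is granted only on an affirmative tick, and every record keeps what the person saw, where, and when in UTC.

```python
"""Consent audit trail for a marketing opt-in form (added example, not Leadpages code)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json
import uuid

# The exact wording shown beside the checkbox (constructed). Its hash is stored
# with each record so you can later prove which version the person agreed to.
CONSENT_TEXT = "Yes, email me the weekly newsletter. I can unsubscribe at any time."


def text_fingerprint(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    record_id: str
    email: str
    marketing_consent: bool           # True only for an explicit tick
    consent_text_sha256: str          # hash of the wording the person saw
    source_url: str                   # page or Leadbox the form lived on
    captured_at: str                  # UTC, ISO 8601
    withdrawn_at: Optional[str] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list = []

    def record_submission(self, form: dict, source_url: str,
                          now: Optional[datetime] = None) -> ConsentRecord:
        """Accept the form whether or not the box was ticked (the box is never
        required), but grant marketing consent only on an affirmative tick."""
        email = form["email"].strip().lower()
        # A browser sends a checkbox field only when it is ticked. A pre-ticked
        # box would send it too, so the page must render it unchecked by default.
        ticked = form.get("consent") == "on"
        stamp = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
        rec = ConsentRecord(
            record_id=str(uuid.uuid4()),
            email=email,
            marketing_consent=ticked,
            consent_text_sha256=text_fingerprint(CONSENT_TEXT),
            source_url=source_url,
            captured_at=stamp.isoformat(timespec="seconds"),
        )
        self._records.append(rec)
        return rec

    def has_marketing_consent(self, email: str) -> bool:
        """Any affirmative record that has not been withdrawn counts as consent."""
        email = email.lower()
        return any(r.email == email and r.marketing_consent and r.withdrawn_at is None
                   for r in self._records)

    def withdraw(self, email: str, now: Optional[datetime] = None) -> int:
        """Withdrawal / objection: close every live consent for this person."""
        email = email.lower()
        stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        closed = 0
        for r in self._records:
            if r.email == email and r.marketing_consent and r.withdrawn_at is None:
                r.withdrawn_at = stamp
                closed += 1
        return closed

    def subject_access(self, email: str) -> str:
        """Right of access: everything held on this person, as JSON."""
        email = email.lower()
        return json.dumps([asdict(r) for r in self._records if r.email == email], indent=2)

    def erase(self, email: str) -> int:
        """Right to erasure: drop the person's records entirely."""
        email = email.lower()
        before = len(self._records)
        self._records = [r for r in self._records if r.email != email]
        return before - len(self._records)


def demo() -> dict:
    """Two constructed submissions: one ticked the box, one did not."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    page = "https://example.com/free-guide"  # constructed
    ledger.record_submission({"email": "Jane@example.com", "consent": "on"}, page, now=t0)
    ledger.record_submission({"email": "bob@example.com"}, page, now=t0)  # box left unticked
    return {
        "jane": ledger.has_marketing_consent("jane@example.com"),
        "bob": ledger.has_marketing_consent("bob@example.com"),
        "jane_export": json.loads(ledger.subject_access("jane@example.com")),
        "withdrawn": ledger.withdraw("jane@example.com"),
        "jane_after": ledger.has_marketing_consent("jane@example.com"),
        "erased": ledger.erase("bob@example.com"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because withdrawal only stamps the record rather than deleting it, the ledger still shows that consent once existed and when it ended, which is the proof you want if a complaint arrives later; erasure is the separate, deliberate step that removes the person entirely.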
To achieve these three requirements, Leadpages is developing new policies and product features, and we will update this article with additional details when those features become available.
GDPR is making my head spin. Where can I get help?
Here are some recommended resources that can help you see the light in all this data security lingo:
- [Web] EU General Data Protection Website
- [Web] Guide to the General Data Protection Regulation (GDPR) [United Kingdom Information Commissioner’s Office]
- [Web] Getting ready for the GDPR resources [United Kingdom Information Commissioner’s Office]
- Rules for the protection of personal data inside and outside the EU [European Commission]
If you’re still stuck, you might consider hiring a data protection expert who can support your organization in staying GDPR compliant.
We’re not legal counsel here and can’t guarantee that if you follow these steps, you’ll be compliant. You’ll need a lawyer to determine that.
The Official Leadpages GDPR Statement:
GDPR stands for the General Data Protection Regulation of the European Union, and its goal is to protect the data privacy and security of most EU persons by setting a new data protection standard for businesses and governments. It will be enforced beginning May 25, 2018. Leadpages is fiercely dedicated to serving our users and to protecting their data and the data of their customers. The Leadpages team is working to ensure full compliance by the GDPR deadline.