The General Data Protection Regulation takes effect on May 25, 2018. Here’s what you need to know.
Disclaimer: The contents of this web page do not constitute legal advice. This page is for informational purposes only, and we strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR.
What is the GDPR?
The EU General Data Protection Regulation (GDPR) is a regulation designed to increase protections around the processing of personal data of data subjects in the European Union.
When does the GDPR take effect?
The GDPR takes effect on May 25, 2018.
Who does the GDPR apply to?
The GDPR applies to any organization in the European Union that is processing personal data. It also applies to any organization that processes the personal data of EU data subjects, regardless of whether the organization has a presence in the European Union or whether the processing is conducted within the European Union.
If you collect, store, manage, or analyze personal data of any type, including email addresses, it is likely that the GDPR affects your organization.
What changes are happening with the GDPR?
Note: This section covers many of the changes of the GDPR, but it is not intended to be exhaustive. We highly recommend seeking independent counsel to determine how GDPR affects your business.
The GDPR lays out a range of requirements related to consent, individual rights, and data processing. The below overview is a non-exhaustive summary of the most significant requirements of the GDPR.
Consent, initially defined in Article 4, is addressed throughout the text of the GDPR. In general, the GDPR institutes much higher standards of consent when compared to the Data Protection Directive.
Consent under the GDPR needs to be both informed and explicit. Organizations have an obligation to present information about processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12). Where data processing is based on consent, organizations will need explicit consent from individuals—and they need to be able to prove that individuals have given consent (Article 7).
When organizations collect personal data, they are required to divulge certain information in accordance with Article 13.
Articles 12-23 present the individual rights covered by the GDPR. In general, the GDPR expands individual rights as they relate to personal data.
Right of access
Covered by Article 15, the right of access is the right of individuals to request information about how their data is being used as well as a copy of the data itself.
Right to rectification
According to Article 16, individuals are allowed to contact a Controller to correct inaccurate personal data.
Right to be forgotten
According to Article 17, individuals can request that their data be erased under certain specific circumstances. These circumstances include, but are not limited to:
- When the data no longer needs to be processed for the original reason it was collected
- When the individual withdraws consent
- When the data was processed unlawfully
Right to restriction of processing
According to Article 18, individuals have the right to restrict how their data is processed in certain circumstances.
Right to data portability
According to Article 20, individuals have a right to receive their personal data for the purpose of using it somewhere else.
Right to object
Article 21 states that people have the right to object to the processing of their data in certain circumstances, "unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."
The GDPR specifies a variety of requirements surrounding the processing of personal data. This section will explore some of the data processing requirements and provide links to relevant sections of the text of the GDPR.
Controllers and Processors
A Controller is the organization that determines how personal data will be used. A Processor is the organization that processes personal data on behalf and on the instructions of the Controller. The specific responsibilities of each party are laid out in Articles 24-43.
In most cases, ActiveCampaign is a Processor and users of ActiveCampaign are Controllers. Note that it is possible for a single organization to be both a Processor and Controller.
Data processing agreements
Article 28 states that Controllers must have clearly documented contracts with Processors that define the scope of processing. These contracts must be “in writing, including in electronic form.” Requirements for processing contracts can be found in the remainder of Article 28.
Data protection officers
According to Article 37, many organizations will be required to appoint a data protection officer. The specific responsibilities of a data protection officer are covered in Article 39. In general, the data protection officer is responsible for compliance with the GDPR.
Transfer of personal data to third countries or international organizations
Articles 44-50 of the GDPR cover the specific requirements for transferring personal data to third parties or international organizations. The GDPR does not require that personal data of EU citizens remain exclusively in the EU, but it does have some requirements for such transfers.
In terms of hosting data in EU servers and/or data transfers from the EU to the U.S. under GDPR, we expect that you will be able to continue to rely on our EU-U.S. PRIVACY SHIELD certification in order to transfer any lawfully obtained personal data to ActiveCampaign using our Services.
You can find more details on our Privacy Shield Certification at https://www.privacyshield.gov/participant?id=a2zt0000000GnH6AAK
Tips to prepare for the GDPR using ActiveCampaign
Get ready to collect GDPR-friendly consent
GDPR must be both informed and explicit. We created a guide to GDPR-friendly consent to help you understand the requirements and prepare accordingly. Learn more about explicit consent, and find suggestions for using ActiveCampaign to collect consent from new contacts, ask existing contacts to re-consent, and record and track proof of consent.
Learn how to set up opt-in confirmation
Enabling double opt-in is a best practice that may help you comply with the affirmative consent requirements of the GDPR. When double opt-in is enabled, contacts will need to confirm their email address before receiving further communications.
You can learn how to enable double opt-in in this help center document.
Familiarize yourself with how to edit and delete contacts
Under the GDPR, contacts have the right to request correction or deletion of their data. Familiarizing yourself with how to edit and delete contact information may help you comply with such requests once the GDPR takes effect.
Familiarize yourself with how to export contact data
The right to data portability and right of access enable contacts to request their personal data. Exporting contact data can help you comply with these requests.
You can learn how to export contact data in this help center document.
Learn how to add personal data usage statements to your opt-in forms
The GDPR requires that you tell people how you will be using their personal data when you collect it. This is part of the new affirmative consent requirements.
Although the exact statements you need to include depend on how you use the data, you can include any statements you like by using an HTML block in your ActiveCampaign forms.
Additionally, you can use custom fields to add an additional check box that indicates explicit consent. Learn how to add custom fields in this help center document.
Obtain proof of consent from existing contacts
The GDPR requires you to be able to demonstrate proof of explicit, affirmative consent from data subjects. Significantly, the regulation also applies to contacts from whom you have already collected personal data.
If you are not currently able to demonstrate proof of affirmative consent for your contacts, you may need to reach out to existing contacts to obtain consent before the GDPR takes effect.
Delete contacts and lists you no longer need
The GDPR is intended to protect the privacy of data subjects, which includes minimizing the risk that data can be misused. It may make sense to delete unsubscribed contacts and lists you no longer use, to reduce risk.
Consult a legal professional
The contents of this page are informational, and do not constitute legal advice. To fully understand the effects of the GDPR on your organization, we strongly recommend you seek counsel from a qualified legal professional.
What ActiveCampaign is doing to prepare
With GDPR taking effect May 25, 2018, we want to assure our users that we will be fully compliant with the regulation.
To better facilitate compliance, we will be implementing both product and non-product-related updates before the GDPR commences. Not only will these updates ensure our compliance, but they will also make it easier for all of our customers to comply. Below is the list of relevant updates we will be making:
- (In progress) Improve contact deletion capabilities to comply with right to be forgotten requests.
Improve site tracking so it can complement your website’s compliance needs.
- Learn more about site tracking and the GDPR.
- (In progress) Address cookie compliance for www.activecampaign.com via site functionality.
- (In progress) Integrate the 'Accepts Marketing' field from Shopify and BigCommerce to better manage marketing consent.
- (Complete) To help with your GDPR preparation, we have an updated Data Processing Agreement available for you to use for your compliance needs. You can request to use our DPA through this form.
- (In progress) Create new education & training content that relates to how users can use ActiveCampaign to best comply with the tenets of the GDPR.
Note: In accordance with GDPR, as our customer, you can exercise your data subject rights through this form.
While the purpose of these updates is to help our customers stay GDPR compliant without sacrificing usability of the platform, we suggest that customers consult an attorney if they have any questions about how the GDPR will impact their business.
Going forward, we will develop the product with the GDPR in mind—this means an emphasis on flexibility in regards to data. We will announce GDPR-related changes on a rolling basis, so check back here or on the GDPR Overview tab for updates.