This FAQ is intended to provide information and address questions which you (as a marketer) may have on Newsweaver’s compliance with the EU data protection regulation, GDPR. While this FAQ deals with some legal concepts and impacts, it should not be considered legal advice, nor a recommendation of any particular legal understanding. Please consult your own organization’s data protection officer (or compliance team) for interpretation of this information, including advice on how this information applies to your own organization’s compliance with GDPR.


What is the GDPR?

The GDPR (or General Data Protection Regulation, formally Regulation (EU) 2016/679) is a European Union (EU) regulation which unifies and strengthens the data protection rights of people in the EU. It replaces the previous European data protection framework (formally Directive 95/46/EC), and became enforceable on 25 May 2018. With GDPR, a number of additional expectations apply to organizations that process the personal data of people in the EU, including EU-based employees or customers.

For more on the GDPR, you are encouraged to speak to your own data protection or compliance team, or to refer to the website of the supervisory authority responsible for ensuring GDPR compliance in your primary operating country: for example, the Data Protection Commissioner in Ireland (DPC), the Information Commissioner’s Office in the UK (ICO), or the Commission Nationale de l’Informatique et des Libertés in France (CNIL).

In short: GDPR is a new European data privacy regulation, which came into force in May 2018, and will likely affect your decisions on processing personal data such as email addresses.


Is Newsweaver GDPR compliant?

Newsweaver (ESearch DAC t/a Newsweaver and t/a Poppulo) is compliant with the previous European data privacy regulations (including the Data Privacy Directive 95/46/EC of 1995). Newsweaver is, for example, registered as a data processor with the Information Commissioner’s Office in the UK (Reg# Z9513693) and the Data Protection Commissioner in Ireland (Reg# 5638/A).

Newsweaver is similarly compliant with the European data privacy regulations (including the GDPR EU/2016/679 of 2018). Newsweaver undertook a compliance-readiness program, to ensure our compliance with GDPR regulations, and to assist our customers with their own compliance-readiness programs.

In short: Yes, Newsweaver is compliant with the new EU General Data Protection Regulation.


What aspects of GDPR apply to Newsweaver and Newsweaver’s customers?

The entire GDPR regulation applies to Newsweaver, and to organizations using Newsweaver. There are, however, some areas of the regulation that may require specific consideration, including:

  • Basis – Article 6 of the GDPR describes a number of valid legal bases for processing personal data. These include ‘consent’, ‘contractual obligation’, ‘legal obligation’, etc. Consent is typically the most common basis relied upon for processing personal data and email addresses for marketing purposes. If relying upon consent, GDPR requires that consent be freely given, specific, informed, unambiguous and given via a clear affirmative action. Single opt-in methods, pre-ticked checkboxes, or “implied consent” do not meet these expectations. Consideration should therefore be given to any areas where these types of models are in use. Data controllers should also review what “records of consent” are retained.
  • Purpose – GDPR expects that personal data “may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes”. Customers should therefore pay extra attention to what subscriber data is being stored, and why. You should not store subscriber data that is not necessary or justifiable for that purpose, or use it for other purposes.
  • Transparency – Because personal data should be “processed lawfully, fairly and in a transparent manner”, customers should consider reviewing any notices shown to users in their data capture forms and/or in the footer of communications.
  • Access – Organizations previously had a right to charge data subjects for the costs involved in processing an access request from a data subject. Under GDPR, that right has changed. While data controllers retain a right to refuse a data access request, the reasons for valid refusal are limited. Data controllers should therefore start planning for a potential increase in inquiries from data subjects.


Other GDPR principles are also applicable (including those relating to retention, accountability, profiling, and breach notification), and customers should consider how their compliance-readiness program might overlap with these areas.

In short: While a number of GDPR tenets are more applicable to marketing communications and email use-cases, all key GDPR principles (purpose, transparency, consent, etc.) are relevant.


How will I, as a marketer (using Newsweaver to communicate with external stakeholders), comply with GDPR?

We recommend that users of Newsweaver Customer Connect speak to their own data protection officer, and seek their input on how to ensure that continued use of the system will align with the organization’s GDPR-compliance processes. In general terms, however, we recommend that customers consider:

  • Basis review – If ‘consent’ is the basis that you are relying upon for processing, please review what data-capture forms you are using: eliminate any “pre-ticked” checkboxes, change sign-up forms to double opt-in as soon as possible, and ensure any text you have included is clear and transparent about the purpose for which the data is being captured and the type of communications/processing to which the subscriber is providing consent.
  • Data review – Undertake a review of what data is held in your account, and the purpose for which it is held. (For example, if you have “rows” in your subscriber data set for older/past customers, you should consider the purpose for which you are retaining these. Or, if you have “columns” in your subscriber records covering fields which you are not really using, you should consider the purpose for which you are retaining these.) This will assist with compliance with the “purpose” principles of GDPR.
  • Process review – As you will no longer have a right to charge data subjects (to cover the cost of a data access request), you might want to consider how you will handle a possible increase in data access requests. At the very least you should consider how you would respond to a query asking for confirmation of how consent was obtained, especially if that consent was obtained outside of Newsweaver’s systems, with which we would not be able to assist.


Your own data protection officer will likely have other recommendations and expectations. Additional information is available on our knowledge base.

In short: You should discuss the implications of GDPR (for your email marketing program) with your own data protection officer. In the first instance, ideally review the data and consents currently held (to ensure clarity of consent for the data you have today). You should also enable double opt-in (to ensure clarity of consent for any data you capture in future).


How did Newsweaver prepare for GDPR?

In addition to the governance, compliance and process reviews that any GDPR-compliant organization will need to undertake, Newsweaver has taken a number of specific steps, including several which are specific to our industry and the services we provide. These include:

  • Governance changes – Newsweaver has formalized the role of Data Protection Officer within the organization. The Newsweaver Data Protection Officer is responsible for Newsweaver’s GDPR readiness program (to ensure Newsweaver’s compliance with GDPR, and to assist our customers with their compliance).
  • Data privacy & process audits – Overseen by the Data Protection Officer (DPO), Newsweaver’s GDPR-readiness program included contributions from a cross-functional project team. This project team was, in the first instance, responsible for completing an information audit (of the personal information stored by Newsweaver on our customers, and by Newsweaver on our customers’ behalf).
  • Data security changes – A number of policy changes and technical control changes were made. This includes, for example, changes to Newsweaver’s policies for encryption of data (including personal data) while at rest.
  • Product changes – A number of changes were made to Newsweaver’s product stack, including, for example, changes to the single/double opt-in functionality of the Newsweaver subscriber sign-up features.
  • Process changes – Changes to processes and procedures include updates to the Newsweaver Support practices, specifically as they relate to servicing subject data access requests and subject data deletion requests.


In short: Newsweaver’s preparation for GDPR had the highest level of executive sponsorship, was driven through the Data Protection Officer, and had input from a cross-functional project team. Readiness activities included: data security and encryption updates, data audits and reviews, access request procedure changes, and a number of planned product updates.


Does Newsweaver transfer or process personal data outside of the EEA?

During account creation and onboarding we ask customers where they want data to be stored and processed. Unless your organization is a US-based entity and you have therefore expressly requested that we store your data in our US-hosted environments (Chicago, IL and Boston, MA), your data is stored and processed in our default EEA-hosted environments (London, UK and Cork, IE).

Newsweaver is registered as a data processor in the UK (ICO Reg# Z9513693) and in Ireland (DPC Reg# 5638/A) in respect of the processing that occurs in these EEA-based environments.

In short: Unless you expressly asked us to do otherwise, no, Newsweaver does not transfer or process personal data outside of the EEA.
