What You Should Know About the General Data Protection Regulation (GDPR)

Updated May 23, 2018

You have probably heard by now about the General Data Protection Regulation (GDPR), the European Union (EU) privacy law that takes effect on May 25.

GDPR applies to you if you control or process personal data of an EU resident. This is NOT limited to businesses operating in the EU. It applies to businesses worldwide.

If your business has publicly accessible online forms, you could be subject to GDPR because an EU resident may submit personal data through that form.

This document is intended to make you aware of what we’re doing regarding GDPR and to share information that we have found helpful to understand GDPR.

This should not be construed as legal advice. You may want to consult legal counsel to understand your obligations under GDPR.

Compliance with MarketVolt’s Terms of Service should not be construed as compliance with GDPR.

Whose Personal Data is Covered?

GDPR refers to “data subjects” -- the individuals whose data is controlled and processed -- without referring explicitly to “citizens” or “residents.” There are conflicting interpretations of the law. Many interpretations suggest that GDPR applies to data collected from any individual in the EU (citizens, residents and visitors) as well as EU citizens living abroad. The law also protects anyone around the globe whose data is processed by a company operating in Europe. While this interpretation may be overly broad, we believe a broader, more careful interpretation is prudent, pending clarification.

What is Personal Data?

Here’s the EU’s definition of personal data:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

In plain English, “personal data” means information that can be used to identify a specific person. That might include, among other things:

  • Names
  • Email Addresses
  • Physical Addresses
  • Phone numbers
  • Medical Information
  • Financial Account Numbers
  • Computer IP addresses

…and more.

According to that definition, you are storing personal data (at least the email address) of every recipient in your MarketVolt database.

Individuals’ Rights Under GDPR

Individuals covered under GDPR have several rights that impose obligations on you, the “Data Controller.” They may ask you to:

  • Explain how their personal data is being used.
  • Correct their personal data.
  • Share with them (or give them access to) the personal data you control.
  • Remove completely their personal data (known under GDPR as “Right to Be Forgotten”).

In most cases, the data you control may reside in multiple places -- i.e. on the MarketVolt servers, plus in a spreadsheet or CRM or other data sources. If an individual exercises the “Right to Be Forgotten,” you must delete that individual’s data from all places where it resides.

Steps We’re Taking to Help You Comply and Meet Our Obligations

MarketVolt operates as a “Data Processor” for its clients. That means we must assist you in complying with requests from individuals covered under GDPR. To do this, we are:

  • Updating our Terms of Service, Privacy Policy and other legal documents to more clearly document how we collect, process and store personal data.
  • Improving processes to comply quickly and fully with requests to collect, deliver or delete data.
  • Confirming that all sub-processors, such as the companies that host and back up our databases, are in compliance with GDPR.
  • Updating our policies regarding responses to data breaches.
  • Updating and enhancing features for you to acquire and document consent.
  • Reviewing and revising our security policies to ensure GDPR compliance.
  • Training our staff to assist you with establishing GDPR compliance as it relates to your MarketVolt activities.

Your Steps to Compliance

The law requires businesses to have a “legal basis” to control and process an EU resident’s personal data. There are multiple definitions of “legal basis.” The legal basis most applicable to you, as a MarketVolt customer, is “consent.”

Whenever you collect email addresses, the subscriber must provide specific, unambiguous consent. Also, you must state explicitly how you intend to use the data.

Example: If you have a website form that offers a free report or seminar, you may not add an EU resident to your email list unless that form allows the person to explicitly consent (i.e. by checking a box) to be added to the list. That consent cannot be implied.

Explicit consent is a marketing best practice that we encourage. And MarketVolt’s Terms of Service and other policies already prohibit you from sending SPAM (unsolicited commercial email).

Compliance with MarketVolt’s Terms of Service should not be construed as compliance with GDPR.

Review and Revise Your List-Building Practices

Wherever you collect personal data, you should:

  • Obtain specific consent.
  • Explain how you will use their personal data.

For website forms, subjects grant specific consent if they check a box (pre-checked boxes are not allowed). There may be other ways to achieve consent, but this is the most practical and certain approach.

MarketVolt’s form-builder enables you to add checkboxes to your forms. If you do not already have checkboxes establishing explicit consent, we recommend that you add this to your forms prior to May 25.

You can explain how you will use personal data in descriptive text with your web forms (i.e. “We will use your email address to send you monthly announcements and product promotions.”).
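The following is an added example, not MarketVolt code, of how a website’s server-side form handler can enforce the two points above: consent counts only when the subscriber affirmatively checked a box that was unchecked by default (a missing checkbox value is never treated as consent), and the purpose text the subscriber saw is stored with the consent record so you have a record of explicit consent later. Field names, the purpose text and the in-memory log are assumptions for illustration.

```javascript
// Added example (not MarketVolt's code). Server-side handling of a signup form
// submission. Assumed form fields: "email", "consent" (an unchecked-by-default
// checkbox, which browsers submit as "on" only when checked) and "purpose" (a
// hidden field echoing the exact purpose text displayed next to the checkbox).
const CONSENT_PURPOSE =
  "We will use your email address to send you monthly announcements and product promotions.";

// Constructed in-memory consent log; a real deployment would persist this.
const consentLog = [];

function isValidEmail(value) {
  return typeof value === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// `fields` is the parsed form body, e.g. { email: "...", consent: "on", purpose: "..." }.
// Returns { ok: true, record } when consent can be recorded, else { ok: false, reason }.
function handleSignup(fields, submittedAt = new Date()) {
  if (!isValidEmail(fields.email)) {
    return { ok: false, reason: "invalid_email" };
  }
  // An absent or empty checkbox value is the "not checked" state. Implied consent
  // (treating a missing field as a yes) is exactly what the regulation rules out.
  if (fields.consent !== "on") {
    return { ok: false, reason: "consent_not_given" };
  }
  // The form must echo back the exact purpose text the subscriber saw, so a stale
  // or edited copy of the form cannot record consent for a different purpose.
  if (fields.purpose !== CONSENT_PURPOSE) {
    return { ok: false, reason: "purpose_mismatch" };
  }
  const record = {
    email: fields.email.trim().toLowerCase(),
    purpose: fields.purpose,
    source: "website_form",          // where the consent was collected
    consentedAt: submittedAt.toISOString(),
  };
  consentLog.push(record);
  return { ok: true, record };
}

// Used when auditing existing recipients: is there a record of explicit consent?
function hasConsentRecord(email) {
  const key = email.trim().toLowerCase();
  return consentLog.some((r) => r.email === key);
}
```

Rendering the checkbox without a `checked` attribute keeps it unchecked by default; the server-side check above is what guarantees a submission without that affirmative value is never added to the list.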

Review and Update Your Terms of Service, Privacy Policy and Other Legal Documents

MarketVolt is reviewing and updating its legal documents to describe more fully how it processes the data it receives from its clients and to ensure that it is complying with GDPR.

We recommend that you do the same.

We also recommend that you link to applicable policies -- including MarketVolt’s -- on your website or other places where you collect personal data.

Is Your Existing Data in Compliance?

GDPR applies retroactively to individuals you added to your database prior to May 25, 2018. Determine who among your recipients qualifies as a “data subject” (EU resident) under GDPR. If you do not have a record of explicit consent from that recipient, you must either remove that recipient from your database or reach out to that recipient to request explicit consent.

If you wish to reach out to a recipient, we have created instructions for how to create a GDPR explicit consent request email.

Questions or Concerns?

If you have any questions or concerns, please contact the MarketVolt support team at helpdesk@marketvolt.com or 314-529-1435.

Our support team can answer your questions and address your concerns. But we cannot provide legal advice to you (and nothing in this document should be construed as legal advice). We recommend that you consult an attorney if you have legal questions about your obligations under GDPR.