OPTIZMO™ Stance on GDPR
With GDPR on many marketers’ minds, we have developed a brief overview of our current positioning under the new regulation, as your trusted vendor and partner.
For some time, OPTIZMO has been deeply involved in understanding our role and responsibilities under the new set of rules. After several consultations and evaluations, the consensus of our lawyers, the IAB, and other noted data privacy and protection groups is that OPTIZMO will in fact be categorized as a U.S. based data processor.
This is an important distinction for us, as the service provided to each of our clients may be used in whatever way they choose to deploy it. As always, opt-out links and mailer access keys are distributed only to partners of a client’s choosing. Processed opt-out data will only be retained for the period during which we are engaged with a client, and it will be used solely for the purposes directed by the client and as required under CAN-SPAM, EU, or any other regionally applicable email compliance laws.
We have undertaken a full gap analysis and remediation phase, and will update our service agreements and other documentation for those clients who require GDPR-specific language.
The good news for OPTIZMO and all of our partners is that we have historically been doing almost all of what is required for GDPR readiness, both procedurally, and in the technologies we utilize around processing activities such as encryption and data movement. The majority of our GDPR initiatives include updating service agreements and documentation, and creating a few key records required under GDPR. We are also certifying under Privacy Shield, which is a fantastic all-around set of standardized criteria for responsible handling of data (not just from the EU), to further cement our position.
Protecting personal data is a shared responsibility between data controllers and their processors. However, the responsibilities of a processor like OPTIZMO vary greatly from those of controllers, which is how most of our clients will be categorized under GDPR. An important first step toward helping our clients is ensuring they are familiar with the requirements of data controllers under GDPR. While our best recommendation will be to consult legal experts of your own, please let us know if we can be of assistance in this area. We will also be posting more GDPR related content to our website and social media feeds for your reference.
As your trusted data processor, OPTIZMO is committed to providing you and all of our partners and clients with as many tools and documents as possible to help support your compliance with GDPR. We will also continue to strengthen our ability to facilitate and support your overall GDPR readiness in the future.
*Nothing in this statement should be taken as legal advice. We encourage you to become familiar with the actual text of the regulation and also obtain legal advice as to how GDPR may impact your business.
GDPR is NOT just for companies in the EU
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Despite a lot of coverage in various industry publications, there remains quite a bit of confusion or a lack of understanding as to how the regulation will impact the digital marketing industry in the EU and also in other countries, like the U.S.
First, let’s dispel a myth – that GDPR only impacts companies in the EU. This is FALSE. GDPR expressly impacts any company that collects data on users who are in the EU. This means, if a company simply has a website with visitors from EU countries, then it needs to understand how it can gather, store, and utilize that data in a manner compliant with GDPR. The GDPR includes provisions for imposing extensive fines on companies that do not comply with the rules.
So, what exactly is GDPR?
GDPR introduces a variety of obligations on data Controllers and Processors in a number of areas. It strengthens the rules for gaining user consent when obtaining ‘personal data’ and ‘sensitive personal data’; that consent must be specific, granular, and auditable. In addition, it further defines how companies may use this data and how that use must be in line with the consent received from the user.
What are the personal data requirements?
The regulation requires that personal data be:
- Processed lawfully, fairly, and transparently in relation to individuals
- Collected for specified, explicit and legitimate purposes and not be processed in a manner incompatible with those purposes
- Adequate, relevant, and limited to what is necessary for the intended purposes
- Accurate and any inaccuracies corrected without delay
- Kept in a format that permits identification of the data subjects for no longer than necessary
- Processed in a manner that ensures appropriate security
Learn more about Personal Data here.
What happens if a company is non-compliant with GDPR?
While exact fine amounts are related to how severely a company fails to comply, the regulation allows fines of up to 20 million Euros or 4% of a company’s annual global revenue, whichever is higher. This does not mean that fines of this magnitude will be imposed, but it creates the possibility that they could.
This is just a quick primer on some of the aspects of GDPR. We encourage you to become familiar with the actual text of the regulation and also obtain legal advice as to how GDPR may impact your business.
External links to more information on GDPR
If you want to learn more about GDPR, here are a few links to more in-depth details about the regulation.
- A neatly arranged version of the full text of the regulation.
- The UK’s Information Commissioner’s Office (ICO) has created a very useful site with lots of information on GDPR.
- Specific information on the ‘right of erasure’ – more commonly referred to as the right to be forgotten.
- Information on the official definition of Personal Data under GDPR. Note it is different than the standard US definition.