
VSEC Blog: IT Security Channel News brought to you by Infinigate UK

MailChimp and the Curse of the GDPR

Posted: 03 May 2018

GDPR and MailChimp Marketing Automation

Marketing automation solutions have come a long way in the past five years. Once used for mass emailing, they have now expanded to include an array of interactivity features such as blogs, landing pages and pop-ups, all to enrich the process of inbound marketing. But as the GDPR (General Data Protection Regulation) enforcement date looms, how ready are the likes of MailChimp, and what do you need to know as their data controller?

The GDPR relationship between you and MailChimp

The first thing to understand and be clear about is the relationship between you and your marketing automation platform, in terms of the GDPR. There are two data protection designations under the GDPR which have been carried forward from its predecessor, the DPD (Data Protection Directive). An organisation can be a data controller, a data processor, or both, based on the nature of its activities.

To put it simply, a data controller defines the conditions for processing, such as what to collect, how to process personal data and how long to retain it for. A data processor simply acts upon the processing instructions of the data controller. To compare this with the theme of this blog post, a data controller instructs a marketing automation platform to collect personal data from a landing page, store it and then send those data subjects further marketing communications. The marketing automation platform may carry out these actions, but only on the instruction of the data controller.

At an even more basic level, you are not exempt from responsibility for MailChimp's processing of personal data, as your relationship with them defines you as a participating and accountable party.

GDPR and Marketing Automation solutions

To some extent, marketing automation platforms exonerate themselves of much responsibility by being the data processing party. They act upon your instruction and provide you with features and settings which comply with the GDPR, so there is not much more they need to change. One area in which marketing automation solutions have had to look at themselves is that of cross-border transfers. MailChimp and other solutions tend to be US-based, and therefore any personal data which you store on their systems is likely to be present in those regions too. MailChimp in particular has made sure to change its terms and conditions to reflect this and seek certification under the Privacy Shield programme.

You should also consider the following:

  • While marketing automation platforms provide you with personal data capture forms, you will need to ensure you are informing data subjects of your intentions, legal basis, retention periods and rights on those forms yourself. The same applies to consent; marketing automation platforms will allow you to design forms in any way you wish, but it is up to you to make sure they comply.
  • Ensure you are providing a mechanism for unsubscribing or opting out. Again, marketing automation platforms provide the features, such as automated printing of unsubscribe links on marketing emails and management of no-send lists. However, you must enable these and ensure they are being followed.

  • Where there is a requirement to seek consent, are you storing this and are you using consent appropriately? Marketing automation solutions will not stop you abusing your legal basis for processing personal data and this is a responsibility you must take on yourself.
  • Have you highlighted your use of a marketing automation platform in your privacy policy? There is nothing wrong with using a marketing automation platform, however you are expected to be transparent with data subjects about the data processing which takes place. For example, marketing automation platforms are likely to capture items of personal data which you hadn't considered, such as IP address, location and timestamp.
  • Review any add-ins or plugins which you may use with your marketing automation platform. Plugins for online webinars and other features can be extremely useful for inbound marketing and interactivity, but how are these tools processing personal data? Consider whether you are in breach of the GDPR: what would your legal basis for processing be, and have you been clear with data subjects about the solutions you use?
  • How can you comply with data subject access requests? Marketing automation solutions will allow you to modify personal data, remove data subjects from processing workflows and even remove or export their personal data. Yet this will likely not do for you; have you made sure to include the personal data held in your marketing automation solution as part of your plan to execute data subject rights?
  • Some marketing automation platforms will re-use personal data for their own advertising, analytics and re-processing purposes, especially if the solution is free. The terms and conditions of marketing automation platforms are likely to reflect this and possibly there are settings to turn this off. If not, you will need to account for this in your privacy policy and inform data subjects.

You can run but you can't hide

Marketing automation solutions are amazing toolkits for lead generation, contact databases and creating a powerful marketing presence in the marketplace. But they are not solutions you can hide behind in the face of data protection regulations. The responsibility still lies squarely with you to ensure that the way you have the solution set up and configured complies with the articles of the GDPR.

As a data controller, you must define the behaviour of the data controller towards personal data processing based on your requirements. As sophisticated and smart as a marketing automation solution is, its data protection intelligence is only as deep as its owner.

Posted by Chris Payne, Senior Technical Consultant, Infinigate UK
