Security & GDPR

Information on security and how Prezly helps you conform to the GDPR

Consent for cookies

After the 25th of May 2018, all of your sites will show a banner to inform the user that the site is using cookies and storing information on their browsing behavior.

The banner will require visitors either to agree to the use of cookies that track their behavior or to opt out of those cookies. If a visitor refuses cookies, their site behavior (visits, downloads, searches, ...) will not be tracked and will therefore not appear on that contact's activity stream.

At any stage, a user can revoke the cookie consent at the bottom of every Prezly site.

Subscribing to a site

Prezly sites have a subscribe button where visitors can leave their email addresses and subscribe to company news.

As of the 25th of May 2018, these submissions require a double opt-in. This means that visitors need to confirm their initial subscription by clicking a link in the email they receive. That email also contains brief information on what they are subscribing to and a statement that they are giving you their consent.

Creating & updating contacts

When creating or editing contacts inside Prezly we require you to have consent or approval from your contacts to be contacted or receive company news.

At any point, the contact can revoke that consent by making use of the end-user privacy tools.

Existing contacts

Many are wondering whether they can email existing contacts that haven’t explicitly opted-in, after 25th May 2018. The answer is: it depends.


Consent & your existing database

On the face of it, the GDPR is quite clear: you must have a lawful basis in order to communicate with individuals, and explicit consent is only one of them. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

The GDPR does not only apply to signups that happened after 25th May 2018; it applies to all existing EU subscribers on your email list.

Legitimate interest & email marketing

Marketing under the GDPR (email campaigns, pitches, Twitter DMs) is regulated exactly like any other data processing activity. This means that you have to show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it often won’t be.

This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent-based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR. Recital 47 of the GDPR actually says that:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

This means that if you want to send an email campaign to a segment or part of your contact database, you can do so in reliance on your ‘legitimate interests’; you generally do not need your customers’ consent to this mailing. You will, however, always need to offer them an opt-out (Art 21(2)).

Summary

  • Much direct marketing (both snail mail marketing and e-marketing) is possible today on the basis of opt-out. Opt-in consent can be used, but is seldom legally required;
  • The GDPR does not change this position and, in particular, does not make opt-in consent a mandatory requirement for direct marketing - it acknowledges that marketing can be conducted in reliance on legitimate interests; but
  • The forthcoming e-Privacy Regulation seems likely to continue to allow opt-out-based e-marketing in many cases, though marketing teams should monitor developments here closely.

Do's and don'ts

Needless to say, the impact of the new GDPR legislation will depend on how you run your communication campaigns today. Here are a few general guidelines.

Do:

  • allow people to opt-out and respect that forever
  • segment your audiences into interest groups so you can send the right content to the right people
  • unsubscribe contacts who have not opened, replied to, clicked or otherwise engaged with your messages after numerous attempts
  • make it easy for people to unsubscribe and contact you
  • plan for the withdrawal of consent

Don't:

  • store more information than you need for further personalization/segmentation (send relevant content)
  • purchase (media) lists of business and personal email addresses
  • email everything to everyone to get more attention
  • undo unsubscribes to get more eyeballs on your content
  • sell data you have collected or are gathering
  • keep data you no longer use or need

Here is an interesting article with actionable advice on GDPR


Managing data requests

To support you in your efforts to be GDPR compliant, Prezly includes specific features to help you receive and manage data requests.

Site Data Request Form

Each Prezly site has a page containing a form allowing your contacts to submit data requests. These forms are found by navigating to the bottom of the site and clicking on Privacy requests.

Once clicked, you will be directed to the Site Data Request Form.


When a person sends a data request, we ask them to confirm their request by sending them a confirmation email. Once they have confirmed the request, you will be alerted via email, and the request will then be visible on their contact profile.


Data request confirmation email


Your team will be notified

When data requests are submitted and confirmed, we will send your team members an email informing them about the new request.

Data request notification for team members


Filter for data requests

From within your Prezly Contacts List, you can find a filter called Data Requests. This enables you to find the contacts with data requests.

View and manage data requests

Existing data requests can be found on your Contacts Activity Feed.

You can manage the status of your data requests by marking them as completed. Data requests remain at the top of the contact's activity feed until the request has been marked as completed.

Remember, under the GDPR you are required to respond to data requests within 30 days.

I received a data request from an email that isn't in my contacts. What should I do?

Anyone can submit a GDPR request through your site footer, even if they aren't in your CRM, since they fill in the email field of the request form themselves.

If you receive a data request from an email address that isn't in your CRM, this may be down to a mistake on the user's part; for example, they might believe that you hold information on them when you do not. There is also the possibility that the request is spam.

In any case, we recommend reaching out to the address given within the 30-day GDPR timeframe to confirm that you hold no information related to their email account.