The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. The GDPR came into effect on 25 May 2018 and regulates, among other things, how individuals and organisations may obtain, use, store, and eliminate personal data (information that could be used on its own or in conjunction with other data to identify an individual). It is applicable to any organisation processing personal data of EU citizens regardless of its location or where those processes take place.
The GDPR is designed to bring data protection into the 21st century, and while it retains much of the previous data protection directives, there are some important changes to note, including:
There has been a lot of hype around the new regulation – check out this myth-busting blog.
In addition to product changes, we’ve also reviewed our internal processes, procedures and responsibilities to ensure that they meet all GDPR requirements.
If you require any further information on Granicus and the GDPR, please do not hesitate to get in touch. Contact your account manager or email Granicus.
Your organisation should already be compliant with the new law which is now in effect, but do check with your data protection officer and legal team to fully understand your organisation’s position and discuss how communications could support your roadmap to achieving and maintaining full GDPR compliance. Communications teams are likely to be involved on three different fronts:
In terms of using the govDelivery to manage digital communications, our customers benefit from a number of important templated processes (such as the process for citizens to subscribe or unsubscribe from email and SMS updates and edit their account preferences). These processes have been designed and developed to conform to data protection and subscription management best practices, making it easier for our clients’ communications to comply with the law.
The responsibility to comply with GDPR lies with both the data controller (your organisation) and data processor (Granicus), therefore you must check your comms practices stand up to the following requirements.
GDPR includes a longer and more detailed list of information that must be provided in a privacy notice than the previous data protection directive did. Please see the Information Commissioner’s Office’s guidance on privacy policies. In summary, individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
Under GDPR, you need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis. It must also be as easy to withdraw consent (unsubscribe) as it is to give it (subscribe).
Because of the granularity offered as part of our user-friendly and clear subscription process within govDelivery (i.e. subscribers select from topic-based specific options), you can be sure your mailing lists are accurate and only comprise people who have explicitly given their consent to receive your comms. We also offer the option to activate a “double opt-in” measure.
Providing you have followed best practices for all subscriber acquisition methods, you should already have full consent from all your subscribers to send them information according to their subscriber preferences. For example, when uploading subscribers to your topic mailing lists from other databases, you should ensure all those people have given their consent to receive the updates and you have proof of that consent on record. If not, work with your data protection officer to decide whether or not you need to remove them for your mailing list.
You may have acquired some of the consents years ago prior to adopting govDelivery to deliver your citizen comms. For example, let’s say your Events team had a list of 2,000 email addresses for people who had asked to receive news about local events. At the time of their opting-in, your organisation sent this news weekly via Outlook. You’ve since migrated that data to the govDelivery, uploading these email addresses to your email bulletin mailing list (topic) for local events. While we’re not providing legal advice (you should consult your data protection officer and legal team), we understand that this is absolutely fine, as long as you haven’t extended the use of their email address beyond the original purpose permitted, and you have proof of their original consent, and you give people the opportunity to unsubscribe.
If you are unsure of the source of some subscribers or do not have an audit trail of their original consent to receive certain comms, your organisation may decide that in order to comply with the law you must delete these subscribers from your account. Please submit data removal requests to firstname.lastname@example.org; our Support team will aim to complete the removal within 3-5 working days.
One of the benefits of using govDelivery is the unequivocal audit trail of subscribers’ activity. In each subscriber’s record you’ll find a timestamp (“Subscription Created”) and source information (“Origin”) detailing how and when they came to subscribe to your services:
Choice for citizens is the cornerstone of our service. With govDelivery platform, subscribers can easily edit their subscriber preferences. They can unsubscribe at a topic-level rather than from your organisation’s communications altogether. Other platforms do not offer the same level of personalisation and granularity, and if a citizen hits “unsubscribe”, they could be unsubscribed from all comms making it impossible for organisations to engage that person on other legitimate grounds.
With correct usage of govDelivery, you can be sure you’re already meeting the stricter requirements around consent:
Our clear step-process for attracting and recruiting new subscribers to your organisation ensures you obtain their consent.