Exploring GDPR
1 like573 views
The document discusses the implications of GDPR on email marketing, highlighting the need for explicit consent and data protection practices. It outlines various requirements for data processing, accountability, and the changing landscape of spam management in Europe. Additionally, it emphasizes the importance of compliance, risk management, and the adoption of best practices to enhance email deliverability and prevent spam.
Exploring GDPR
- 1. E-Mail Insider Summit February 2018 E-Mail Marketing and GDPR : a game changer?
- 2. Signal Spam
- 3. • A non for profit organisation • A public/private partnership Law enforcement, ISP, E-mail security vendors, Reputation Providers, ESP, Marketers & Brands, Web Hosting companies, Data Protection Authority • The National French Spam & Phishing Reporting Center • A FBL, spamtraps and aggregated data on IP level program for senders • A Real-Time Phishing Blacklist for trusted members SIGNAL SPAM
- 4. • Internet users register to Signal Spam and download a plugin for their messaging environment • End users report anything they consider to be a spam • Signal Spam qualifies the report and extracts relevant information • Signal Spam sends data to its members best suited to take relevant action against a specific spam END USERS REPORTS
- 5. AUTORITÉ DE PROTECTION DES DONNÉES HÉBERGEURS WEB ROUTEURS EXPÉDITEURS DE MESSAGES POLICE GENDARMERIE FAI FOURNISSEURS D’ACCÈS INTERNET ET SERVICE DE MESSAGERIES SÉCURITÉ ANNONCEURS
- 6. Identify Cyber-Criminals Inform the Data Protection Authority of law breaches Identify and clean compromised devices Unsubscribe Internet Users from ESP and marketers lists Improve best practices, promote Signal Spam’s code of ethics, raise technical standards Improve messaging protective tools Reports allow to:
- 7. What will change with GDPR ?
- 8. • European Regulation : 2016/679, April 2016 ‣ Published May the 4th 2016 ‣ Application delay : 2 years —> May the 24th 2018 • Direct application ‣ No transposition ‣ All member states ‣ Repeals directive 95/46/CE from October the 24th 1995 • GDPR makes provisions for fines of up to 20 millions € for violations GENERAL INFORMATION
- 9. Rules commonly admitted From May 25th 2018 Consent • Required • Existing customer relationship • Required • Weighing up of interests • Existing customer relationship Requirements for Consent • Voluntary • Explicit • Transparent • Voluntary • Active, explicit • Informed • Written form not explicitly required though highly recommended • Prohibition of coupling Ability to give consent • Not always defined • From 16 years of age Obligation of proof • Not always defined, double opt-in encouraged • Burden of proof for the user of the declaration of consent Possibility to revoke • Mandatory, though the way to do it is not always defined • Must be included in every e-mail Legal Notice required? • Not always defined • Must be included in every e-mail Sanctions • Different within EU countries • Fines up to 20 000 000 € or 4% of the total annual turnover of the company, whichever is higher WHAT GRPD WILL CHANGE IN THE FIELD OF EMAIL MARKETING
- 10. PRIVACY Reducing Data Privacy By Design Reducing Data Accountability Security Data Process Register PIA DPO Breach Notification Secure People Rights Principles Obligations General Notions
- 11. Only collect strictly relevant data Reduce number of files containing data Ban free fields Set up purge measures once the purpose is achieved How to minimise data
- 12. Profiling is regulated art 22 GDPR When personal data enables decision based on automated processing People can oppose Requires PIA (Privacy Impact Assessment) Specific information Profiling Requirements
- 13. « Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her » • Unambiguous • Freely Given • Separate from other declarations • Informed • Capacity to provide consent • Burden of proof Declaration of Consent For E-Mail Marketing
- 14. Quality of Data Lawfullness of Data Processing Sustainability Reducing Data Data Process Register Specific information to prospects Secure People Rights DPO A facilitator to exercice people rights Data conservation Data Update Opt-In Portability Modification & Suppression Opposition & Opt-out About Your Databases …
- 15. • Identity and contact details of the Data Processor • Identity and contact details of the DPO • To what end the data is collected and the legal basis for it ( for instance : legitimate interest, consent, etc.) • Third parties • Duration for data conservation / date of deletion • Mention of applicable rights for the data owner giving consent - art. 15/20 (opt-out, etc.) • Mention of any automated process resulting in decision making Focus on Consent
- 16. CRITICAL DATA • Article 9 about « critical data » ‣ Political, religious, philosophical opinions ‣ Race, sexuality, health… • Principle : critical data processing is forbidden • Exceptions ‣ Health / Public / Research interests ‣ Processing by a NGO ‣ When the data was made public by its owner
- 17. General guidelines (with or without GDPR)
- 18. LEGAL FRAMEWORK DOESN’T MATTER SO MUCH ! • Spam is all about perception • Auto-regulation mechanisms in France (IP, domains, and lists reputation) and Germany (whitelisting) • Best practices & code of ethics
- 20. Reputation Reports Spamtraps E-Mail Content IP Identification Domain From Identification Brand/Content Identification
- 22. Other FBL & IP aggregated Stats SNDS Sender Score Return Path Connections Up Connections Up • Image Display • Default links activated • No limit to hourly sendings • Connecti ons Up • Improved Inbox Deliverab ility
- 23. • No false-positives at 0.6% of reports on a campaign • Blacklisting at 1% or 2 000 reports • Campaigns/Domains fragmentation is dangerous • Learning to work with ISPs and their messaging security editors • Watch out for bad customers DELIVERABILITY ISSUES
- 24. • Full ARF reports • IP level aggregated data from ISPs • Spamtrap data on Orange recycled addresses SUBSCRIBING TO FBL AND REPUTATION DATA Ask for data sample on your IP setup (thomas.fontvielle@signal-spam.net)