Disclaimer
The content of this web page is a commentary on the GDPR, as Groupmail interprets it, as of the date of publication. We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled.
As a result, this content is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.
GROUPMAIL MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION ON THIS WEB PAGE. This CONTENT is provided “as-is.” Information and views expressed in this web page, including URL and other Internet website references, may change without notice.
Q. What is GDPR?
In short, the GDPR strengthens and unifies data protection for all individuals within the EU, and it also governs the export of personal data outside the EU.
Businesses must have a lawful basis (consent is one of them) for holding and using personal data (the GDPR's term for what is often called personally identifiable information, PII), tell individuals how their data is used and whether it is transferred, and notify data breaches.
The GDPR was adopted by the EU Parliament in April 2016 and applies from 25 May 2018, from which date organisations that are not in compliance face heavy fines.
The penalties for non-compliance are severe: fines of up to €20 million or four percent of worldwide annual turnover, whichever is higher. Many smaller businesses would struggle to take a hit like that.
You can see further information here: https://www.eugdpr.org/the-regulation.html
Q. What do I need to do to make my list compliant with GDPR?
In relation to GroupMail and GDPR, here are a few areas you will need to focus on:
Data Storage
GroupMail data is stored on your own desktop or server, not on our systems. If that machine is within the EU, the data never leaves the EU, so the GDPR's rules on international transfers (Chapter V) do not come into play. Storage location alone does not make you compliant, however: you remain responsible for securing that data and for processing it lawfully (see Security below).
Consent
Identify the lawful basis for processing the data, document it, and update your privacy notice to explain it. Article 6 of the GDPR lists six lawful bases; for email marketing the two that usually apply are:
The subscriber has given consent to the processing of his or her personal data for one or more specific purposes
or
Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard (freely given, specific, informed and unambiguous, given by a clear affirmative action).
Security
Make sure you have the right procedures in place to detect, report and investigate a personal data breach. Under the GDPR a breach that is likely to result in a risk to individuals must be reported to your supervisory authority within 72 hours of becoming aware of it, so detection and an agreed escalation path matter as much as the fix.
Unsubscribe
A subscriber has the right to object to direct marketing at any time, and the right to erasure (the "right to be forgotten"). Tell subscribers how and where their data will be held, include a working unsubscribe link in each and every email you send, and when a subscriber asks you to, delete all of their personal data.
Double Opt-in
It is good practice to use Double Opt-in when asking people to sign up to your newsletter or email marketing campaign – where they can be advised why, how and where their data will be held. This can be automated in GroupMail.
Note: This is just a brief introduction and some guidelines on what you will need; see below for further information.
Q. What do we need to do to be GDPR ready, especially with regard to being able to demonstrate consent?
As above, we recommend using double opt-in to explain why, how and where the subscriber's data will be held. To demonstrate consent you should be able to show, for each subscriber, who consented, when, how (for example the confirmation click) and what they were told at the time, so keep that record alongside the address. You can see the following tutorial to help set this up within GroupMail: Use Double Opt-In within Groupmail Insights to help with GDPR consent
Q. Is GroupMail compliant with the GDPR regulations?
The GroupMail software and its contact data are stored on your own desktop or server rather than on our systems. If that machine is within the EU, the data stays within the EU and no international transfer occurs. Note that software by itself is not "GDPR compliant": compliance depends on how you, as the controller, secure and use the data it holds.
Any data which we store externally (such as Insights Analytics data) is hosted in Microsoft Azure cloud infrastructure in Dublin, Ireland, and backups are stored with Amazon AWS in Dublin, Ireland, so that data also stays within the EU.
Q. What are you advising clients to do in order to be compliant?
We advise that you read through this FAQ and we encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.
Q. What exactly are the GDPR rules, and how can we follow the GDPR rules from May?
See above
Q. I have GroupMail, but due to changes in the EU we have to get people to confirm they want to receive emails. How can I do this with GroupMail?
Yes, please see the following tutorial to see how to set this up within GroupMail: Ask your current Subscribers for consent to help comply with GDPR
Q. Is there a feature in Groupmail that allows recipients to opt-in if I were to send an email before May 25th?
Yes, please take a look at the following tutorial: Ask your current Subscribers for consent to help comply with GDPR
Q. Our mailing lists are a CSV File, and we need to get clients Double Opted In and to store that information. Is there a module for sending out the initial email with a confirmation link they need to click and for that information to be stored?
Yes, please take a look at the following tutorial: Ask your current Subscribers for consent to help comply with GDPR
Q. We are using the opt-in form on our website. Currently there is no possibility for a checkbox where people can accept our privacy policy. This is mandatory in accordance with the new GDPR regulations. Are you planning to include this in the future?
Our understanding is that a checkbox as such is not mandatory. What is required is that the subscriber has given consent to the processing of his or her personal data for one or more specific purposes, by a clear affirmative action: silence, inactivity or a pre-ticked box does not count as consent.
Again, we would recommend using the double-opt-in feature to help manage this requirement. The confirmation to opt-in can include information on why, how and where their data will be held.
Q. I would like to understand what GroupMail does for me in relation to the new GDPR regulations?
See above
Q. Are you putting anything together to assist clients with GDPR cleansing of mailing lists?
Hopefully this FAQ will help with any questions you may have. You can also contact us with any further questions.
Q. With regards to GroupMail Insights Tracking, how do you store the IP Address of the recipients in your database and how does this affect GDPR?
Yes, Insights tracks the behaviour of individual users and will store personal information such as IP address.
The data is stored using industry best practice within Microsoft Azure Dublin, Ireland and backups are stored with Amazon AWS Dublin, Ireland.
Any personal data that you delete will be deleted from our servers within 90 days.
Q. I use GroupMail linking to an external database and have my client information in it on my PC. Is that ok under GDPR?
This relates to the storage of data within the regulation. If the database is within the EU, the data does not leave the EU and the GDPR's rules on international transfers do not apply. You are still responsible for securing the PC and the database itself (access control, encryption and backups).
Q. We use GroupMail, is encryption of stored email addresses required, even if on our own computers?
This relates to the security of data within the regulation. Article 32 does not make encryption mandatory, but it names encryption of personal data as an example of an appropriate technical measure, and Article 34 removes the duty to notify individuals of a breach where the affected data was encrypted and unintelligible to whoever obtained it. In practice, full-disk encryption on the computer or server holding the list is inexpensive and removes most of the risk from a lost or stolen machine.
Q. As a GroupMail client are we required to comply in any way with GDPR?
Yes. If you store personal data of individuals in the EU, then you are required to comply with the GDPR.
Q. I’m not in the EU and use GroupMail, does GDPR effect sending emails to EU recipients?
Yes. Although you are not based in the EU, the GDPR applies if you offer goods or services to, or monitor the behaviour of, individuals in the EU, and sending marketing emails to EU recipients and tracking their opens and clicks does both.
Q. GroupMail stores a lot of personal data. Please inform me about your practice how to ensure the compliance with GDPR. Example, GroupMail has no optional password protection. How could we ensure the security etc?
GroupMail contact data is stored on your own desktop or server, not on our systems, and we have no access to it. If that machine is within the EU, the data stays within the EU.
GroupMail does not add its own password layer, so the security of the data rests on the controls of the machine it lives on: a dedicated user account with a strong password, full-disk encryption (such as BitLocker on Windows), file permissions that restrict the data folder to the staff who need it, and encrypted backups.
Q. I’ve read throughout your article about GDPR: https://group-mail.com/email-marketing/email-marketing-and-gdpr. With this important sentence:“…We’re also busy analysing GroupMail to determine whether any improvements or additions can be made to make them more efficient for those users subject to GDPR – this will remove any related stresses or concerns for those companies which use our software…”. Is it possible to give me a state of affairs?
Hopefully this FAQ will help with any questions you may have. You can also contact us with any further questions.
Q. With regards to GDPR, we need to send a form to all our users asking if they accept the new regulations. Is it possible with GroupMail, and if so how? Also, all those addresses who accept it stay on the list, but all those addresses who do not accept it must be deleted from our lists. Is it possible to do this automatically?
Yes, it sure is. Take a look at this article on how to set this up: Ask your current Subscribers for consent to help comply with GDPR
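The double opt-in flow described in the answers above (send a confirmation link, record the click, and remove anyone who never confirms) is worth seeing end to end, because the consent record is what lets you demonstrate consent later. The following is an added example written for this FAQ, not GroupMail's own code. It assumes a per-installation secret (SECRET_KEY), a 7-day confirmation window and an in-memory dict standing in for the subscriber list; the addresses in the sample run are constructed.

```python
"""Double opt-in with a signed confirmation link and an auditable consent record.

Added example, not GroupMail code. Assumptions (not from the FAQ): a secret
SECRET_KEY generated once per installation, a 7-day window to click the link,
and an in-memory dict in place of the real subscriber list.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

SECRET_KEY = b"replace-with-a-random-secret-of-32-bytes"  # assumption: per-installation secret
CONFIRM_WINDOW = 7 * 24 * 3600                            # assumption: link validity in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Token for the confirmation link: base64(payload).base64(HMAC-SHA256(payload)).
    The payload binds the address and the issue time, so the link cannot be
    replayed for another address or used after the window closes."""
    payload = json.dumps({"e": email.lower(), "t": issued_at}, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token: str, now: int, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the address a valid token confirms; None if malformed, tampered or expired."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        data = json.loads(payload)
        email, issued_at = str(data["e"]), int(data["t"])
    except (ValueError, KeyError, TypeError):
        return None
    if now < issued_at or now - issued_at > CONFIRM_WINDOW:
        return None
    return email


@dataclass
class ConsentRecord:
    """The evidence needed to demonstrate consent: who, when asked, when confirmed,
    and which notice wording they were shown."""
    email: str
    requested_at: int
    confirmed_at: Optional[int] = None
    notice_version: str = "privacy-notice-v1"  # assumption: identifies the text shown
    source: str = "double-opt-in"


def request_consent(subscribers: Dict[str, ConsentRecord], email: str, now: int,
                    notice_version: str = "privacy-notice-v1") -> str:
    """Record that a confirmation email was sent; return the token to embed in its link."""
    addr = email.lower()
    subscribers[addr] = ConsentRecord(addr, now, None, notice_version)
    return make_token(addr, now)


def confirm(subscribers: Dict[str, ConsentRecord], token: str, now: int) -> bool:
    """Handle a click on the link; only a valid token for a known address confirms it."""
    addr = verify_token(token, now)
    if addr is None or addr not in subscribers:
        return False
    record = subscribers[addr]
    if record.confirmed_at is None:
        record.confirmed_at = now
    return True


def prune_unconfirmed(subscribers: Dict[str, ConsentRecord], now: int) -> List[str]:
    """Delete addresses whose window lapsed without a click (the 'remove those who
    did not accept' step). Returns the addresses removed."""
    stale = [addr for addr, rec in subscribers.items()
             if rec.confirmed_at is None and now - rec.requested_at > CONFIRM_WINDOW]
    for addr in stale:
        del subscribers[addr]
    return stale


if __name__ == "__main__":
    # Constructed sample run: two addresses, one confirms, one never clicks.
    subs: Dict[str, ConsentRecord] = {}
    t0 = 1_700_000_000
    link_alice = request_consent(subs, "Alice@Example.com", t0)
    request_consent(subs, "bob@example.com", t0)
    print("alice confirms:", confirm(subs, link_alice, t0 + 3600))
    print("removed after window:", prune_unconfirmed(subs, t0 + CONFIRM_WINDOW + 1))
```

The point of the HMAC is that the confirmation link itself is the proof of the click: nobody can forge a confirmation for an address they do not control, and the stored ConsentRecord (issue time, confirmation time, notice version) is what you would produce if asked to demonstrate consent.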
Q. I use GroupMail and I am not looking for any legal advice about GDPR, can you help please?
We offer guidance on your requirements in relation to GDPR and Email Marketing. However, we always recommend that you receive your own independent legal advice in relation to GDPR compliance.
Q. Does the fact that the GroupMail contact data is stored on site and backed up to external hard drives (rather than over the internet to cloud storage) satisfy GDPR security requirements?
This relates to both the storage and the security of data within the new regulation. Storing the data on site within the EU means it does not leave the EU, so the rules on international transfers do not apply. Backing up to external hard drives does not by itself satisfy the security requirements: the drives should be encrypted and kept under your physical control, because an unencrypted portable drive that goes missing is a personal data breach.
Q. Does un-subscription, which is done via GroupMail Insights, create a remote storage factor and, therefore, a requirement for encryption? (I see that the Insights Unsubscribe Page does not have an SSL cert).
Yes. Insights Subscriber stores the subscriber's personal data for a short period of time, until the data is processed by GroupMail on your PC/server. Once you process the data within GroupMail (using the Subscriber add-on), the data is deleted from our server immediately.
The data is temporarily stored using Industry best practice within Microsoft Azure Dublin, Ireland. Backups are stored with Amazon AWS Dublin, Ireland.
At the time, the Insights subscribe and unsubscribe pages were not SSL by default. However, you can change this by simply changing your link from http:// to https://. (SSL/TLS protects the data in transit between the subscriber's browser and our server; it is separate from encryption of the data at rest, discussed above.)
Note: As of April 26th, Insights Subscribe and Unsubscribe pages now default to SSL.
Q. “Legitimate Interest”, I believe you view opt-in as a probable requirement. However, it appears to us that GDPR will permit us to contact anyone who is a commercial property owner or agent or appropriate employee of same under the “Legitimate Interest” provisions. What are your thoughts?
Our understanding is that legitimate interests (Article 6(1)(f)) is a recognised lawful basis, and Recital 47 notes that direct marketing may be regarded as carried out for a legitimate interest. It is not a free pass, though: you must document a balancing test showing that your interest is not overridden by the recipients' interests, rights and reasonable expectations, you must offer the right to object in every message, and it does not replace the separate electronic-marketing (ePrivacy) rules in each member state, which for email commonly require prior consent, particularly for individuals and sole traders. The two bases this FAQ focuses on are:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes
or
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Therefore, we would highly recommend that you obtain independent legal advice before proceeding on a legitimate-interest basis.
Q. We have increased the font of the unsubscribe instructions in our emails to match that of the email body. Should we make them even larger to be GDPR compliant?
We recommend that the unsubscribe link is clear and obvious to your subscriber in each and every email you send – location of the link, colour and font should all be considered.
Q. We have noticed that the analytics software tracks the behaviour of individual users by using their email addresses to link to the analytics software. This has concerned a member of staff. Where is the data about users’ behaviour stored? It looks like it may be on one of your servers in Ireland. Is this secure, and does it meet GDPR requirements? If we were to delete it on our side, would it remain on the server etc.?
Yes, Insights can track the behaviour of individual users based on their email address, but this can be switched off within GroupMail if you so wish.
Again, data is stored using Industry best practice within Microsoft Azure Dublin, Ireland. Backups are stored with Amazon AWS Dublin, Ireland.
Any personal data that you delete will be deleted from our servers within 90 days.