Marketing automation solutions have come a long way in the past five years. Once used for mass emailing, they have now expanded to include an array of interactivity features such as blogs, landing pages and pop-ups, all to enrich the process of inbound marketing. But as the GDPR (General Data Protection Regulation) enforcement date looms nigh, how ready are the likes of MailChimp? And what do you need to know as their data controller?
The GDPR relationship between you and MailChimp
The first thing to understand and be clear about is the relationship between you and your marketing automation platform, in terms of the GDPR. There are two data protection designations under the GDPR which have been carried forward from its predecessor, the DPD (Data Protection Directive). An organisation can be a data controller, a data processor, or both, based on the nature of its activities.
To put it simply, a data controller defines the conditions for processing, such as what to collect, how to process personal data and how long to retain it for. A data processor simply acts upon the processing instructions of the data controller. To compare this with the theme of this blog post, a data controller instructs a marketing automation platform to collect personal data from a landing page, store it and then send those data subjects further marketing communications. The marketing automation platform may carry out these actions, but only on the instruction of the data controller.
At an even more basic level, you are not exempt from the responsibility of MailChimp processing personal data, as your relationship with them defines you as a participating and accountable party.
GDPR and Marketing Automation solutions
To some extent, marketing automation platforms exonerate themselves of much responsibility by being the data processing party. They act upon your instruction and provide you with features and settings which comply with the GDPR, so there is not much more they need to change. One area that marketing automation solutions have had to examine closely is that of cross-border transfers. MailChimp and other solutions tend to be US-based and therefore any personal data which you store on their systems is likely to be present in those regions too. MailChimp in particular has made sure to change its terms and conditions to reflect this and seek certification under the Privacy Shield programme.
You should also consider the following:
- While marketing automation platforms provide you with personal data capture forms, you will need to ensure you are informing data subjects of your intentions, legal basis, retention periods and rights on those forms yourself. The same applies for consent; marketing automation platforms will allow you to design forms in any way you wish, however it is up to you to make sure they comply.
- Ensure you are providing a mechanism for unsubscribing or opting out. Again, marketing automation platforms provide the features, such as automated printing of unsubscribe links on marketing emails and management of no-send lists. However, you must enable these and ensure they are being followed.
- Where there is a requirement to seek consent, are you storing this and are you using consent appropriately? Marketing automation solutions will not stop you abusing your legal basis for processing personal data and this is a responsibility you must take on yourself.
- Have you highlighted your use of a marketing automation platform in your privacy policy? There is nothing wrong with using a marketing automation platform, however you are expected to be transparent with data subjects about the data processing which takes place. For example, marketing automation platforms are likely to capture items of personal data which you hadn't considered, such as IP address, location and timestamp.
- Review any add-ins or plugins which you may use with your marketing automation platform. Plugins for online webinars and other features can be extremely useful for inbound marketing and interactivity, but how are these tools processing personal data? Consider whether that processing is in breach of the GDPR, what your legal basis for processing would be, and whether you have been clear with data subjects about the solutions you use.
- How can you comply with data subject access requests? Marketing automation solutions will allow you to modify personal data, remove data subjects from processing workflows and even remove or export their personal data. Yet this alone will likely not suffice; have you made sure to include the personal data held in your marketing automation solution as part of your plan to execute data subject rights?
- Some marketing automation platforms will re-use personal data for their own advertising, analytics and re-processing purposes, especially if the solution is free. The terms and conditions of marketing automation platforms are likely to reflect this and possibly there are settings to turn this off. If not, you will need to account for this in your privacy policy and inform data subjects.
You can run but you can't hide
Marketing automation solutions are amazing toolkits for lead generation, contact databases and creating a powerful marketing presence in the marketplace. But they are not solutions which can be hidden behind in the face of data protection regulations. The responsibility still lies squarely with you to ensure that the way you have the solution set up and configured complies with the articles of the GDPR.
As a data controller, you must define the behaviour of the data controller towards personal data processing based on your requirements. As sophisticated and smart as a marketing automation solution is, its data protection intelligence is only as deep as its owner.