General Data Protection Regulation

Granicus has long been an industry leader when it comes to data protection. We are already signed up to the EU Privacy Shield agreement and hold current ISO 27001 certification plus FedRAMP status in the US. Our data protection credentials are second to none and that is why we have been keen to stay at the forefront when it comes to the new General Data Protection Regulation (GDPR) changes that will come into force on 25 May 2018.


This page serves to help you, our customers, understand what Granicus is doing to prepare for the General Data Protection Regulation and what you can do to ensure your citizen engagement work using our GovDelivery Communications Cloud is compliant too.

What is the GDPR?

The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. The GDPR regulates, among other things, how individuals and organisations may obtain, use, store, and eliminate personal data (information that could be used on its own or in conjunction with other data to identify an individual). It is applicable to any organisation processing personal data of EU citizens regardless of its location or where those processes take place.

The GDPR is designed to bring data protection into the 21st century, and while it retains much of the existing data protection directives, there are some important changes to note, including:

  1. Expansion of scope (i.e. the territorial scope outlined above, and the extension of EU data protection law requirements to data “processors” (Granicus), not just “controllers” (your organisation))
  2. Expansion of individuals’ rights
  3. Expansion of definitions of personal and sensitive data
  4. Stricter consent requirements (see below)
  5. Stricter processing requirements (see below)

Note that if you are already following best practices per the requirements of the existing data protection directive, it’s likely you will find preparing for the GDPR relatively simple. There is currently a lot of hype around the new regulation – check out this myth-busting blog.

What is Granicus doing to prepare for the regulation?

As you can imagine, we are investing significant time and resource to make sure our products remain fully compliant with data protection laws moving forward. Our GovDelivery Communications Cloud platform already fully complies with current data protection regulations, and we are making additional changes to ensure this remains the case once the GDPR is enacted, including:

  • Improving the sign-up process for citizens subscribing to our clients’ services – creating even clearer links to privacy policy and opt-in statements
  • Honouring the “right to erasure” also known as the “right to be forgotten” while retaining clients’ ability to interrogate message and engagement data

In addition to product changes, we’re also reviewing our internal processes, procedures and responsibilities to ensure that they meet all GDPR requirements.

Because we only work with government and the public sector we naturally need to be fully compliant and ensure our systems work correctly in compliance with the GDPR regulations. Your legal team can rest assured that we are actively working on this and we will communicate more information as and when it becomes available.

If you require any further information on GDPR, please do not hesitate to get in touch. Contact your account manager or email Granicus.

How can you prepare to be fully compliant too?

We recommend that you, or someone on behalf of your communications team, contact the information officer at your organisation to fully understand what your organisation is doing to prepare for the regulation and how your team can assist that work. Communications teams are likely to be involved on three different fronts:

  1. Audit your team’s operations and “get your own house in order”
  2. Engage staff in a constructive campaign to support culture change and reduce fear
  3. Engage the public, build citizens’ trust, and check you’re providing what they want and need (note, this is an excellent opportunity to reengage subscribers and deepen your connection with them)

In terms of using the GovDelivery Communications Cloud to manage digital communications, our customers benefit from a number of important templated processes (such as the process for citizens to subscribe or unsubscribe from email and SMS updates and edit their account preferences). Because these processes have been designed to conform to data protection and subscription management best practices, many of the GDPR requirements that organisations are now scrambling to comply with (for example, stricter consent rules) are already embedded in our customers’ everyday practices. The processes you adopt by using the GovDelivery Communications Cloud mean you are already well on the way to full compliance.

However, given that the responsibility to comply with GDPR lies with both the data controller (your organisation) and data processor (Granicus), you too must check your comms practices stand up to the requirements:

Review and update your privacy policies

At the time of capturing subscribers’ data, you must ensure you provide anyone subscribing to your comms a comprehensive, clear and transparent privacy policy explaining how you process their personal data. You must use plain English.

GDPR includes a longer and more detailed list of information that must be provided in a privacy notice than the current directive does. Please see the Information Commissioner’s Office’s guidance on privacy policies here. In summary, individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:

  • Contact details for the data controller (your organisation)
  • Purpose of the data: This should be as specific (“purpose limitation”) and minimised (“data minimisation”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
  • Retention period: This should be as short as possible (“storage limitation”).
  • Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements below), or the processing is in the organisation’s “legitimate interest”.

Check you have consent from all subscribers

Under GDPR, you need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis. It must also be as easy to withdraw consent (unsubscribe) as it is to give it (subscribe).

Because of the granularity offered as part of our user-friendly and clear subscription process within the GovDelivery Communications Cloud (i.e. subscribers select from topic-based specific options), you can be sure your mailing lists are accurate and only comprise people who have explicitly given their consent to receive your comms. Providing you have followed best practices for all subscriber acquisition methods, you should already have full consent from all your subscribers to send them information according to their subscriber preferences. For example, when uploading subscribers to your topic mailing lists from other databases, you must ensure all those people have given their consent to receive the updates and you have proof of that consent on record.

You may have acquired some of the consents years ago prior to adopting the GovDelivery Communications Cloud to deliver your citizen comms. For example, let’s say your Events team had a list of 2,000 email addresses for people who had asked to receive news about local events. At the time of their opting-in, your organisation sent this news weekly via Outlook. You’ve since migrated that data to the GovDelivery Communications Cloud, uploading these email addresses to your email bulletin mailing list (topic) for local events. This is absolutely fine, as long as you haven’t extended the use of their email address beyond the original purpose permitted, and you have proof of their original consent.

If you are unsure of the source of some subscribers or do not have an audit trail of their original consent to receive certain comms, do send them a re-engagement email (or campaign series) to reconfirm their choices before May 2018. If you’d like help to deliver an impactful campaign, please get in touch with your account manager or email Granicus.

Timestamps and subscriber origin information:

One of the benefits of using the GovDelivery Communications Cloud is the unequivocal audit trail of subscribers’ activity. In each subscriber’s record you’ll find a timestamp (“Subscription Created”) and source information (“Origin”) detailing how and when they came to subscribe to your services:

  • “Direct” means a subscriber signed themselves up to your updates via your website / another sign-up button online
  • “Overlay” means they subscribed themselves via your web overlay data capture form
  • “Local Network” means they subscribed themselves but came via the GovDelivery Network (i.e. after subscribing to another organisation’s updates, they accepted the invitation to subscribe to your updates which were being cross-promoted)
  • “Upload” means they were added to the topic mailing list via an upload. You should have a record of the terms of that upload and if there is ambiguity about the subscribers’ original consent, do go back and check with them. It could be a great opportunity for you to engage them in new subscriptions too. Let us know if you need help to launch a re-engagement campaign.

Choice for citizens is the cornerstone of our service. With our platform, subscribers can easily edit their subscriber preferences, meaning they can unsubscribe at topic-level rather than from your organisation’s communications altogether. Other platforms do not offer the same level of personalisation and granularity, and if a citizen hits “unsubscribe”, they could be unsubscribed from all comms making it impossible for organisations to engage that person on other legitimate grounds.

With correct usage of our GovDelivery Communications Cloud, you can be sure you’re already meeting the stricter requirements around consent:

  • Consent must be specific to distinct purposes
  • Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent

Our clear step-process for attracting and recruiting new subscribers to your organisation’s ensures you obtain their consent.

Need some help to get your account ready for the GDPR?

We’re here for you.

Just drop us a line.