General Data Protection Regulation

Granicus has long been an industry leader when it comes to data protection. We are already signed up to the EU Privacy Shield agreement and hold current ISO 270001 certification plus FedRAMP status in the US. Our data protection credentials are second to none and that is why we have been keen to stay at the forefront when it comes to the new General Data Protection Regulation (GDPR) changes that came into force on 25 May 2018.


This page serves to help you, our customers, understand Granicus’ commitment to complying with the General Data Protection Regulation and what you can do to ensure your citizen engagement work using our GovDelivery Communications Cloud is compliant too.

What is the GDPR?

The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. The GDPR came into effect on 25 May 2018 and regulates, among other things, how individuals and organisations may obtain, use, store, and eliminate personal data (information that could be used on its own or in conjunction with other data to identify an individual). It is applicable to any organisation processing personal data of EU citizens regardless of its location or where those processes take place.

The GDPR is designed to bring data protection into the 21st century, and while it retains much of the previous data protection directives, there are some important changes to note, including:

  1. Expansion of scope (i.e. territorial scope outlined above, and the extension of EU data protection law requirements to data “processors” – Granicus, not just “controllers” – your organisation)
  2. Expansion of individuals’ rights
  3. Expansion of definitions of personal and sensitive data
  4. Stricter consent requirements (see below)
  5. Stricter processing requirements (see below)

There has been a lot of hype around the new regulation – check out this myth-busting blog.

How has Granicus prepared for the regulation?

Over the past year, Granicus has been diligently working to ensure all our systems are GDPR-compliant. We’ve updated our privacy policy and have also been working with our customers in the public sector to help them get ready for the new law that came into force on 25 May 2018. If you’re using our GovDelivery Communications Cloud, rest assured we have:

  • Improved the sign-up process for citizens subscribing to your services – creating even clearer links to privacy policy and opt-in statements
  • Honoured the “right to erasure” also known as the “right to be forgotten” while retaining your ability to interrogate message and engagement data

In addition to product changes, we’ve also reviewed our internal processes, procedures and responsibilities to ensure that they meet all GDPR requirements.

If you require any further information on Granicus and the GDPR, please do not hesitate to get in touch. Contact your account manager or email Granicus.

How can you be fully compliant too?

Your organisation should already be compliant with the new law which is now in effect, but do check with your data protection officer and legal team to fully understand your organisation’s position and discuss how communications could support your roadmap to achieving and maintaining full GDPR compliance. Communications teams are likely to be involved on three different fronts:

  1. Audit your team’s operations and “get your own house in order”
  2. Engage staff in a constructive campaign to support culture change and reduce fear
  3. Engage the public, build citizens’ trust, and continually check you’re providing what they want and need, according to their subscriber preferences (the communications they have given explicit consent to receive from your organisation).

In terms of using the GovDelivery Communications Cloud to manage digital communications, our customers benefit from a number of important templated processes (such as the process for citizens to subscribe or unsubscribe from email and SMS updates and edit their account preferences). These processes have been designed and developed to conform to data protection and subscription management best practices, making it easier for our clients’ communications to comply with the law.

The responsibility to comply with GDPR lies with both the data controller (your organisation) and data processor (Granicus), therefore you must check your comms practices stand up to the requirements:

Review and update your privacy policies

At the time of capturing subscribers’ data, you must ensure you provide anyone subscribing to your comms a comprehensive, clear and transparent privacy policy explaining how you process their personal data. You must use plain English.

GDPR includes a longer and more detailed list of information that must be provided in a privacy notice than the previous data protection directive did. Please see the Information Commissioner’s Office’s guidance on privacy policies here. In summary, individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:

  • Contact details for the data controller (your organisation)
  • Purpose of the data: This should be as specific (“purpose limitation”) and minimised (“data minimisation”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
  • Retention period: This should be as short as possible (“storage limitation”).
  • Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements below), or the processing is in the organisation’s “legitimate interest”.

Check you have consent from subscribers (when consent is needed)

Under GDPR, you need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis. It must also be as easy to withdraw consent (unsubscribe) as it is to give it (subscribe).

Because of the granularity offered as part of our user-friendly and clear subscription process within the GovDelivery Communications Cloud (i.e. subscribers select from topic-based specific options), you can be sure your mailing lists are accurate and only comprise people who have explicitly given their consent to receive your comms. We also offer the option to activate a “double opt-in” measure.

Providing you have followed best practices for all subscriber acquisition methods, you should already have full consent from all your subscribers to send them information according to their subscriber preferences. For example, when uploading subscribers to your topic mailing lists from other databases, you should ensure all those people have given their consent to receive the updates and you have proof of that consent on record. If not, work with your data protection officer to decide whether or not you need to remove them for your mailing list.

You may have acquired some of the consents years ago prior to adopting the GovDelivery Communications Cloud to deliver your citizen comms. For example, let’s say your Events team had a list of 2,000 email addresses for people who had asked to receive news about local events. At the time of their opting-in, your organisation sent this news weekly via Outlook. You’ve since migrated that data to the GovDelivery Communications Cloud, uploading these email addresses to your email bulletin mailing list (topic) for local events. While we’re not providing legal advice (you should consult your data protection officer and legal team), we understand that this is absolutely fine, as long as you haven’t extended the use of their email address beyond the original purpose permitted, and you have proof of their original consent, and you give people the opportunity to unsubscribe.

If you are unsure of the source of some subscribers or do not have an audit trail of their original consent to receive certain comms, your organisation may decide that in order to comply with the law you must delete these subscribers from your account. Please submit data removal requests to help@granicus.com; our Support team will aim to complete the removal within 3-5 working days.

Timestamps and subscriber origin information:

One of the benefits of using the GovDelivery Communications Cloud is the unequivocal audit trail of subscribers’ activity. In each subscriber’s record you’ll find a timestamp (“Subscription Created”) and source information (“Origin”) detailing how and when they came to subscribe to your services:

  • Direct” means a subscriber signed themselves up to your updates via your website / another sign-up button online
  • Overlay” means they subscribed themselves via your web overlay data capture form
  • Local Network” means they subscribed themselves but came via the GovDelivery Network (i.e. after subscribing to another organisation’s updates, they accepted the invitation to subscribe to your updates which were being cross-promoted)
  • Upload” means they were added to the topic mailing list via an upload. You should have a record of the terms of that upload and proof of consent if you’re using “consent” as the basis for the communication.

Choice for citizens is the cornerstone of our service. With our GovDelivery Communications Cloud platform, subscribers can easily edit their subscriber preferences. They can unsubscribe at a topic-level rather than from your organisation’s communications altogether. Other platforms do not offer the same level of personalisation and granularity, and if a citizen hits “unsubscribe”, they could be unsubscribed from all comms making it impossible for organisations to engage that person on other legitimate grounds.

With correct usage of our GovDelivery Communications Cloud, you can be sure you’re already meeting the stricter requirements around consent:

  • Consent must be specific to distinct purposes.
  • Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.
  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.

Our clear step-process for attracting and recruiting new subscribers to your organisation’s ensures you obtain their consent.

decoration in background

Got questions about your account and the GDPR?

We’re here for you.

Just drop us a line >