The General Data Protection Regulation (GDPR) will mandate stricter rules around the storage and use of personal data – including someone’s email address. To be able to communicate with citizens who opt to receive certain comms from your organisation (e.g. topic-specific email or SMS bulletins), you must ensure your sign-up processes are fit for purpose and secure GDPR-standard consent from subscribers.
A recent webinar outlined the steps public sector communicators should take to prepare for the GDPR. Here is a summary of how you must handle new subscribers to ensure your email communications don’t breach the law.
[This is our GDPR webinar recap blog 2 of 3. Please note Granicus’ comments on the GDPR are for informational purposes only and do not constitute legal advice. Please consult your data protection advisor or a lawyer for guidance on your obligations.]
1) Get unequivocal consent from subscribers and keep a record of it
• You need to give people a real choice. Invite them to opt in to receive updates on specific topics. Specificity about the purpose of the use of their data is key.
• Consent must be actively given by the subscriber. Pre-ticked boxes, silence or no reply from a subscriber mean that no consent was given, and such people should not be mailed.
2) Update your privacy policy and make it relevant
• Be clear about what data you are collecting, why, and how it will be used.
• Name organisations and third parties that will be processing the data.
• You must continually review and update your policies.
• Keep a record – you need to know which privacy policy was in place when each subscriber opted in.
3) Put in place measures to verify identity
• Who is signing up? Is it really them?
• Switch on ‘double opt-in’, which means you’ll send a subscriber an email asking them to confirm the choices they are making. This is good practice, used in Germany, although it is not essential.
4) Only collect the necessary information for specific purposes
• For example, capture a subscriber’s postcode as they sign up for waste collection reminders but don’t ask for their gender – it’s irrelevant.
• Any information you collect must be accounted for in your privacy policy.
• Provide multiple topic options so people can choose what they want to receive – this will also be beneficial to you in being able to evidence consent.
• You must have a record of someone’s consent (e.g. the timestamp and source information attached to each new subscriber in the GovDelivery Communications Cloud is sufficient proof for people who opt themselves in via your web properties).
• Don’t hold info for longer than necessary. How long are you going to keep this info for? Include this detail in your privacy policy.
• Delete info when you no longer need it, but think about how long you need to keep it for evidence and accountability.
5) Only communicate what’s been consented to and don’t push the boundaries
• Unless you can rely on a separate legal basis or legitimate interest reason to contact someone, only communicate what is necessary and within the parameters of the purposes originally consented to.
• Be careful with newsletters that contain several topics; it is not best practice to send everyone newsletters containing ‘all stuff’ – subscribers must have opted in to specific topic updates.
• You can offer a ‘general newsletter’ topic but make sure you state what that will include and that it is in addition to your granular topics. You’ll need to offer both options.
• All communication must contain opt-out options (unsubscribe links), and they must be clear. People who opt out via links in bulletins delivered via the GovDelivery Communications Cloud will be taken care of automatically. If you receive a request externally, you need to act on the opt-out quickly, so make sure you know how to do this. Give subscribers an easy way to:
– Unsubscribe from this communication
– Unsubscribe from all your communications
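As an added illustration of the record-keeping in sections 1 and 4, the double opt-in in section 3 and the opt-outs in section 5, here is a minimal consent ledger in Python. It is example code, not Granicus or GovDelivery code; the 48-hour link lifetime, the field names and the `source` and `policy_version` values are assumptions.

```python
import secrets
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
TOKEN_TTL = timedelta(hours=48)  # assumed lifetime of a confirmation link (not from the page)

@dataclass
class Subscriber:
    email: str
    topics: list             # topics the person actively ticked (never pre-ticked)
    source: str              # where the sign-up came from, e.g. "web/waste-form"
    policy_version: str      # privacy policy in force when they opted in
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

class ConsentLedger:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._pending = {}   # token -> unconfirmed sign-up (never mailed)
        self._records = {}   # email -> confirmed consent record

    def sign_up(self, email, topics, source, policy_version):
        if not topics:
            raise ValueError("no topic selected: silence is not consent")
        sub = Subscriber(email, list(topics), source, policy_version, self._clock())
        self._pending[sub.token] = sub
        return sub.token  # embedded in the confirmation email link

    def confirm(self, token):
        sub = self._pending.pop(token, None)  # single use: a replayed link fails
        if sub is None or self._clock() - sub.requested_at > TOKEN_TTL:
            return False  # unknown or expired: the person must sign up again
        sub.confirmed_at = self._clock()
        self._records[sub.email] = sub
        return True

    def may_send(self, email, topic):  # gate every send on confirmed, topic-specific consent
        sub = self._records.get(email)
        return sub is not None and topic in sub.topics

    def unsubscribe(self, email, topic=None):  # topic=None: opt out of everything
        sub = self._records.get(email)
        if sub is not None:
            sub.topics = [] if topic is None else [t for t in sub.topics if t != topic]

    def evidence(self, email):  # the record you would produce to show consent was given
        sub = self._records.get(email)
        return None if sub is None else {k: v for k, v in asdict(sub).items() if k != "token"}
```

An unconfirmed sign-up is never mailable, a confirmation link works once and expires, and the evidence record carries the timestamp, source, policy version and exact topics for each subscriber.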