Adabra Marketing Automation & GDPR
General Data Protection Regulation
Let's examine Adabra & Marketing Automation according to the new regulation
The GDPR (General Data Protection Regulation) is the new general regulation on data protection (UE/679/2016), adopted on the 27th of April 2016. Its objective is to strengthen and unify personal data protection, as well as the free circulation of such data. It repeals Directive 95/46/EC, opening a new era for privacy.
The official version of the regulation is available here:
What Adabra did in order to comply with the new regulation
Since its foundation, Adabra has always paid close attention to privacy regulation and all its subsequent modifications. Working in the field of data profiling and segmentation, it has always been crucial to be compliant (most of the time a step ahead) with the applicable laws.
It has in fact been quite easy to comply with the GDPR, as most of the requirements of the new law were already present in the backbone of our systems.
But let's go through the details of the new functionalities offered by our platform and where it has been updated according to the new regulation:
Right To Be Forgotten
The GDPR gives users whose data are processed a new set of rights. One of the most important is the "Right To Be Forgotten": the possibility for users to ask that all their data present on the Adabra platform, even if collected with their approval, be erased.
The law is applicable to all data stored in either digital or physical form, as well as to all backups of such data.
In order for this right to be effective, Adabra has confirmed a "Right To Be Forgotten" button (Opt Out), also adjusting the standard duration of data storage.
Right to Data Portability
The GDPR introduces the right to data portability, allowing our clients and their customers to request their data in a structured, commonly used and machine-readable format, and to require that the data be transferred, e.g. to another company in case their contracts are transferred.
The right of data portability is applicable to data:
– based on marketing consent
– processed automatically
The right to require the transfer of data to another owner is applicable only if the transfer is technologically feasible; for example, the two systems involved, sender and receiver, must be compatible.
Our Adabra platform is already compliant with this requirement as well, and therefore our clients can easily transfer all their contacts present in the system in the way they prefer: using files or via API.
The GDPR allows valid consent to be acquired, both for the processing of users' data and for profiling, even on the basis of the behavior of a user who continues browsing the website, provided that the user has been allowed to disable cookies, to modify the browser settings, and to refuse the use of similar technologies (e.g. fingerprinting).
It is therefore enough that the clients can prove that the cookie notice has been provided (via pop-up).
On the Adabra platform it will also be possible to deactivate the monitoring of a specific user, should the user's consent expire or should the user exercise the right of opposition or of data erasure. This user could be monitored in future only after providing new consent.
Anonymous Data Monitoring
If user tracking is based on anonymous data that do not identify users, even indirectly, the GDPR is not applicable and the clients will not have to collect any consent from the users.
Do I Have To Change My Forms?
Data Source Definition
In line with the new GDPR requirements, the Adabra platform will make it possible to identify and reveal where the data have been acquired ("data source").
We act as we always did, being completely clear and transparent to our clients. In order to use Adabra, it is necessary to sign a license agreement that allows data processing by Ad Spray S.r.l., as required by the General Service Conditions (GSC), which we updated with all the GDPR requirements.
For our current clients as well, the requirements of the GDPR will be in force starting from the 25th of May 2018.
Adabra cares about users' privacy and decided to keep its servers and all backup data inside the EU territory.
It’s a fact!
The servers used by Adabra are located in Italy and made geographically redundant within EU countries. Furthermore, our suppliers are compliant with ISO-27001 (Data storage), and even where third-party platform integrations are present and those data are held outside the EU, we verified that those platforms grant a correct level of data protection, adhering to the EU-US Privacy Shield.
Documents available to the client
Adabra implemented a data protection policy and internal IT procedures that are fully documented and available to the client.
What Happens To My Current Customers Database?
The law is not retroactive, meaning that all the behavioral profiles legally collected before GDPR enforcement can still be used. Any additional processing and definition of user profiles will have to be, starting from now, authorized on the basis of the new GDPR requirements.
Data deletion will be necessary only if specifically requested by the user.
How To Acquire A Valid And Verifiable Consent From The User
Consent is validly given if it is "explicit", that is to say: expressed. The GDPR rules out any implicit or tacit consent as valid (silence is not equal to consent), as well as consent collected through pre-selected options.
Furthermore, it has to be free (that is to say, not forced or conditioned), given in a specific form (and therefore not expressed by reference to a generally identified policy, so the different consents will have to be kept separate from one another) and informed (that is to say, preceded by specific information).
The Most Important Changes Introduced By The GDPR
Hereunder are the most important changes introduced by the GDPR:
Your personal data (and those of your clients) will have to be stored inside the European territory. If such data are stored outside the EU, according to the GDPR, Adabra will check whether the countries where such data are stored grant an adequate level of personal data protection (adequacy decision by the European Commission), or whether proper contractual warranties are granted (model clauses; binding corporate rules).
Right To Be Forgotten
Your users will have the right to be forgotten and, based on their request, you will have to delete their data from your database.
Right To Data Portability
Your clients will have the right to request that their data will be given back or transferred to a different company in a structured format, of common use and readable by an electronic device.
Consent to process personal data must be requested in the ways established by a properly written information sheet.
Data Protection Warranty
You'll have to consider data protection from the design stage (privacy by design) of your IT solutions and of your systems.
The administrative penalties for infringement of the regulation will increase, up to 20 million euro or 4% of the turnover, if higher.
The new rules on responsibility are intended to ensure that the owner puts in place all the proper organizational and technological safety measures, and is able to demonstrate that data processing is carried out according to the GDPR rules.
You are required to keep track of the data processed.
Safety Violation Notification
You must notify the relevant Authorities of any incident involving a data breach or a violation of the privacy, integrity and availability of the data. Such notification must be made within 72 hours!
What Shall I Do In Order To Be Compliant With The New Regulation?
You must prepare all the necessary documentation, that includes:
A brief document (known as DPS) where you explain all the main precautions you apply in order to protect the data you manage.
Safety Breach Notification Procedure
You must document and apply a procedure to notify the proper Authorities, and where applicable your users, of any data or safety breach.
Management Of The Right Of Access Procedure
You must document and apply a procedure on the users' right of access to the data.
Data Process Register
You must document and apply a register that will describe how the data are processed.
Evaluation of the privacy implications in case the data processing will present high risks for the freedom and rights of the users.
Data Protection Officer Appointment
You must appoint a Data Protection Officer when your main activities are related to data processing that, by its nature, involves the monitoring of people on a large scale.
How Is An Audit Made? Which Documents Should I Prepare?
Where the audit consists of specific checks to evaluate the conformity of the organization to the GDPR, it will be necessary to prove that:
(i) the data have been collected on the basis of regular consent or other legal grounds;
(ii) those who manage the data have received proper instructions to do so (written authorization by the owner);
(iii) you have a data breach register;
(iv) any breach has been notified to the relevant authority within 72 hours of the event.
The audit will be preceded by a written notification and will consist of a visit by an auditor, who will verify how the data are managed (including the safety level adopted) and the instruments used, as well as all the documents that describe such procedures.
Adabra has implemented proper safety measures compliant with the GDPR, including: the adoption of a procedure for access and user management; the creation of the register of personal data processing; the monitoring and adoption of action policies in case of a safety breach; the adoption of a register of personal data breaches; the use of backup policies; the adoption of cryptographic policies for the personal data sent to clients.