
Affino and GDPR


The General Data Protection Regulation, or GDPR as it is better known, is possibly the biggest steamroller to hit media companies, and all marketing aspects of companies in general, since the advent of the Internet. It has been created in response to the mass marketing surveillance and profiling carried out by most companies, to help combat spam and the over-sharing and selling of individuals’ personal data, and to establish key principles such as the ‘right to be forgotten’.

 

GDPR provides for the following rights:

  1. The right to be informed how Personal Data is processed
  2. The right of access to their Personal Data
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

These mean that individuals now have high-level rights concerning their own personal data and, in the absence of a contractual relationship, the ability to ask you to forget them, to not market to them, and to provide them with all the personal data you have in a machine-readable format.

 

Most significantly, the onus is on companies to keep the personal data on file up-to-date so as not to prejudice the individual, and very high importance is placed on making sure you have permission to use the data in whatever ways you are, that it is kept secure and private, and that you have explicit permissioning for profiling. Even a cookie placed on someone that allows them to be identified is considered personal information, meaning that cookie consent will go to an entirely new level of granular permissioning.

 

When seeking permissioning for marketing, the bar is going to be set very high, with the following key requirements having to be covered:

  • Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: pre-ticked opt-in boxes are invalid; use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
  • Granular: give granular options to consent separately to different types of processing wherever appropriate.
  • Named: name your organisation and any third parties who will be relying on consent; even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
  • Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
  • Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
  • No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller. This will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.

The key date is the 25th May 2018, when GDPR will come into effect. What makes this incredibly complicated, though, is that whilst it is now known how GDPR will apply to B2C companies, the government has yet to publish the legislation for B2B businesses and brands, and is not scheduled to do so until December. This will leave an incredibly short window in 2018 for software companies to update their platforms, for companies to re-permission and clean up their data, and in many instances to change their business models entirely, given that GDPR makes unlawful much of what makes up marketing industry practice today.

 

At Affino we will be making a number of changes, including updating all our SLAs and contracts when they are renewed, further insuring ourselves against GDPR-related events, changing how we operate our CRM / contacts, and most importantly ensuring that the Affino SaaS Service allows our clients to operate in a manner fully compatible and compliant with GDPR.

 

Given that we still do not have full legal clarity even at this very late stage, we anticipate rolling out a second phase of GDPR compliance once the full B2B legislation has been published. Note that Affino 7.5 will not be fully GDPR compliant, as that would require us to update the deprecated Classic aspects of Affino, which means that full GDPR compliance will only be possible in Affino 8.

 

Where companies using Affino across the board will benefit is that Affino has a single customer record for each contact, where all the privacy and personal details are mapped against a single view, where the record can be forgotten to the level it needs to be, archived (and restored) to the CRM, and where a full audit trail of all permissioning will be in place and active against all communication.

 

Here are the key updates we’ll be making for Affino 8’s GDPR compliance:

 

Enhanced Permissioning on Mailing Lists, Free Subscriptions, Forums and Content Subscriptions

 

We will be extending the way users subscribe to mailing lists, free subscriptions, content alerts and forum subscriptions to display very specific notices for what they are signing up for, and then logging the full archive of permissions against each contact record. This includes double confirm on mailing list / free subscriptions, and enhanced tracking of paid subscriptions.

 

Subscription Renewal Automation (aka permission renewal automation)

 

It will be possible to set up automated campaigns for renewing any permissioning, including mailing list subscriptions, free subscriptions and paid for subscriptions. The campaigns will be logged in their entirety, along with all the communications, with one-click un-subscribe from each message, as well as the automated adding of contacts to distinct contact lists for further processing should it be required.

 

Permission Import / Export

 

We’ll be rolling out two new tools to allow you to import any permissions against a contact, as well as export them, and you can import them directly against each mailing list you have in Affino if needed.

 

Permission Audit Trail

 

We will be introducing a new Permission Audit Trail panel / tab on each contact record where you can see the full permission and archive history for each contact. This will include the specific permission message they agreed to, the date, and a full renewal audit as well as the historical archive / un-archiving history of the contact record.

 

Contact Archiving / Un-archiving / Forgetting and Automated Re-activation

 

It will be possible to archive and forget partial profiling data for each contact record. Contacts can be placed in a secure archive as the record ages, or when the contact asks to be forgotten but the record has to be partially retained for other legal / statistical reasons. Affino will also be able to auto-restore the record should the contact re-establish communications, register on a brand site or re-sign-up for communication, news or events.

 

Form Entry Attribution

 

It will be possible to assign all form entries to individual contacts so that they can then be forgotten in the future. Affino automatically assigns them to contacts when known, so this is for instances where the entry creators are not known.

 

User Export

 

We’ll be adding in quick links (where the administrator has security clearance) to export single customer records using the User Export, and including the full set of personal information on that user, including interests, subscriptions and addresses where available.

 

User Data Visibility

 

Authenticated users will be able to go in and see all the personal data you keep on them, and will be able to keep it up-to-date. They will be able to manually set their interests, access all their subscriptions and purchases, see and manage their cookie permissions when anonymous users, and contact you in the event of any issues with the data, or if they want more visibility, to have a digital record or indeed be forgotten.

 

Affino Data Centre Locations

 

All data stored in Affino is in Ireland and Belgium, i.e. within the EU, and therefore will not face the heightened regulation which comes into play for data stored outside the EEA.

 

Future

 

We envisage that once the full B2B legislation is published we will add further automation around archiving contacts, especially non-members. However, we are awaiting clarification before rolling anything out here, as it will likely need to be highly nuanced and robust to match the upcoming legislation.

 

PIAs, DPOs and LIAs

 

All organisations which use Affino will do a certain amount of automated audience profiling. This means that you will need to run Legitimate Interest Assessments, have a Data Protection Officer and run a Privacy Impact Assessment on how you manage your customer data. You will also need to be very clear on the terms under which you are profiling, holding the data, and communicating with your audience for each specific process.

 

25th May 2018 - Red Letter Day

 

It is hard to stress enough that you will need to have everything in place before the 28th May 2018, since on that day you will likely be in the situation that even seeking permission to market to contacts you’ve known for some time will be against the law. The penalties for extreme contraventions, and possibly even relatively minor ones, will be up to €20 million or 4% of your company turnover, whichever is higher.

 

The Benefits of a Single Integrated Solution

 

Companies and other organisations using Affino to fully run their audience / sales / contact / event / marketing / digital / subscription / community / publishing / permissioning CRM will receive powerful benefits from the above, as you will know that you can be fully GDPR compliant across the entire organisation and all activities. All the permissioning will be real-time. Forgetting will truly forget the contacts. Data portability will be fully in place. Removing a contact will remove them throughout. Permissioning can seamlessly be sought across all activities and with a global record / audit trail.

 

For organisations using multiple platforms, you can use Affino for the permissioning and then integrate through the Affino API for authentication, subscriptions, security and the interest graph, or simply use the Permission Import and Export to centrally manage them across all activities.

 

We will be providing further updates on the GDPR deployment in Affino, and additional guidance as the legislation is published, so it is worth signing up for alerts using the Content Subscription above.

 

If you have specific questions or feedback then feel free to post in the comments below, as this is just the very top level guidance of what will be a big part of most companies’ focus over the coming months and year.

 

 

 

Posted by Markus Karlsson