GDPR: Frequently Asked Questions

Katarina Karmazinova, General

Although many companies have already started to inspect and map their data, or have tackled some of the challenges brought by GDPR, many questions still remain unanswered.

With those ugly fines in mind, non-compliance is not an option. Exponea is preparing its clients for May and solving GDPR queries one by one, helping you look at the bright side.

Most of Exponea’s clients come from e-commerce, predominantly from the fashion industry, but any business in the digital marketplace will find a parallel in the frequently asked questions we have gathered for you here.

Will we need new consent from all existing customers?

In general, yes.

Unless you were already collecting GDPR-compliant consent.

What does this mean? If you gained consent through a standard business practice (e.g. a pre-ticked box, non-trivial wording, or aggregated consent), you will most likely need new consent to cover all the intended operations on your customer data.

However, if you are unable to gain new consents and the consents you have already collected are of good quality (e.g. understandable, confirmed by a further action), you can at least use them to send non-personalized emails with non-curated content. Exponea lets you do this very simply.

Do we need to do a double opt-in?

Most likely not. Double opt-in is neither regulated nor specified by GDPR, but by existing local regulations concerning advertising. It does, however, serve as a basis for the legitimacy of your database and for demonstrating customer consent.

Do we need to name some of the channels that we will address in the future?

Generally yes, but here you have to define the concept of a channel yourself, because there is no such term in GDPR. This definition must be clear and concrete for the user.

When obtaining consent, it is the purpose of the consent that we need to define, rather than the communication channel we use.

We have to ask the user whether we can send a newsletter; if they say yes, it is fine to send it via different channels such as SMS, post or email.

Think about it like this: you can have many marketing channels used for one or different purposes. It’s a matter of definition.

Now, since each purpose requires consent, this brings us back to consent itself: what defines a correct consent, which is also the best consent?

It is one clearly defined consent that covers everything. You can ask users to help you improve your omni-channel communication by giving their consent, and include all the channels in that request.

How will I be able to transfer consents to Exponea? What if I am collecting them via multiple channels and from different sources?

The data API, which we released at the end of February, is a response to the many questions about data exchange. In addition to the API, it is still possible to track a custom “consent” event to Exponea through the JS SDK, directly from the web.

You can then set up consents and consent parameters within Exponea. The data API gives you a centralized flow of data into Exponea from various systems, with the ability to switch read/write permissions for different data types.

It also makes it easy to comply with a customer request, whether that is a data download, anonymization or portability.

Do we need to give our customers the ability to opt out from individual communication channels? How and where?

Yes, you should give the customer options that are as granular as possible, without flooding them with so many choices that it creates decision paralysis.

Opting out should be as easy as it was to opt in.

You can create a single consent page on your website and link to it from every communication channel.

To sum it up, the customer should be able to get to that setting in a simple way.

Follow the Exponea e-book to check whether your data is tidy, and you will have the best solutions in place when the time comes.

Third parties: how do we handle enumeration? For example, in the case of RTB House, which combines banner placements from hundreds of individual websites?

In your company’s privacy policy, you must provide the affected customers with information specifying why their data is being collected and which third parties it is shared with.

However, again, from your users you only need consent for each purpose of the data processing. You do not need explicit consent for each third party you add.

Your users give their consent to different types of communication on your marketing channels, which you have to define in your privacy policy, because GDPR does not know the term “channel”.

It is important to always inform users about where their data goes and whether it is used outside of the EU. This is simply about transparency. The user has the right to have their data erased or corrected.

For example, you use one marketing automation tool as a third party and want to replace it with another, or add a new automation tool. You should inform users about this by updating the information in your privacy policy, but once you have a user’s consent to send them an email, you can go ahead without asking for new consent, because the purpose of the email you send them has not changed.

On what grounds can we use “legitimate interest”?

A legitimate interest applies only to specific circumstances related to the customer; for example, a transactional email is something related to delivery.

The definition of a legitimate interest is not black and white, and you have to consider the specific situations where the customer’s interest is “probably” justified and when it is definitely not.

If we send an email saying “Your order is on the way”, it relates to the customer’s legitimate interest in receiving the order they purchased.

Here the business interest is aligned with the customer’s: it is basically in the customer’s interest to receive the item they ordered.

However, it is in your legitimate interest, rather than the customer’s, to offer the customer new items or send them a voucher (even if what you are offering is a discount).

In the registration process, the customer has the option to sign up through their Facebook profile. Do we still need separate permission to send marketing information?

Yes, you do. By signing in with Facebook alone, your customers do not give you transparent consent.

Do we have to report it somewhere?

Here we are talking about transactional communication that falls within the area of legitimate interest. You need to record your order information. However, the creation of an order does not give you consent to any data processing other than the transaction itself.

GDPR more than ready

Exponea makes every effort to hold your hand through the adaptation process and keep you informed.

By knowing the rules and finding parallels in your marketing peers’ solutions, you will benefit from best practices instead of hurting your business by stumbling through this seemingly scary change of play.

If you did not find all the answers here, there is a good summary of the more basic rules (such as “Who does GDPR apply to?”) here.
