News | 17/10/2017

Working together: the GDPR and your ESP

Posted by Lauren Isaacs

We’re almost at the six-month mark on the countdown to the new GDPR (General Data Protection Regulation), which applies from 25 May 2018. If you haven’t already, it’s really important to be evaluating every software provider that handles personal data as part of your marketing and data process, especially your email service provider (ESP).

The sooner you are collecting, storing and sending to data that meets the GDPR’s requirements, the better. That’s why we wanted to give you a guide to what you should expect from your ESP and the kind of questions you should be asking.

The double opt-in

Using single opt-in allows people to subscribe directly to your email marketing list without first verifying their email address. The risk with this approach is that the quality of the data captured can be lower: spelling mistakes, typos and spambot activity all end up on your list, and anyone can enter an address that is not their own.

Double opt-in is a much better approach and operates using a two-step email address confirmation process. The first step captures a person’s details (through preference centres, forms, the API and so on); the second automatically emails them a confirmation link to click. Most importantly, their opt-in status is not confirmed until that link is clicked, so an unconfirmed address never receives a campaign.

Some of the benefits of the double opt-in approach are:

  • Assurance of valid email addresses
  • Confirmation of consent to receive emails
  • Protection against spambots, email scams and fake subscribers
  • Reduced complaint rates
  • Higher open and click rates
  • Lower bounced email rates

Even though double opt-in is not a requirement of the GDPR, it’s very good practice to get people to confirm their email address before adding them to your email lists. The GDPR does require you to be able to demonstrate that a person consented, and a recorded confirmation click (with its timestamp and the source of the sign-up) is a straightforward way to evidence that.
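To make the two-step process concrete, here is an added example of how a confirmation token can be issued and checked. It is illustration written for this article, not code from Email+ or from any ESP’s API; the names OptInStore, SECRET_KEY and the 48-hour expiry are assumptions. The things a practitioner should look for are all in it: the token is random and unguessable, only a keyed hash of it is stored (so a leaked subscriber table does not yield working links), it expires, it is single-use, a confirmed contact cannot be knocked back to pending by someone re-submitting their address, and nothing reaches the mailable list until the click.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumption: in production this key comes from a secrets store, never from source code.
SECRET_KEY = b"example-only-replace-with-a-random-key"
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


@dataclass
class Subscriber:
    email: str
    status: str = "pending"           # stays "pending" until the link is clicked
    consent_source: str = ""          # where the details were captured (form, API, ...)
    captured_at: float = 0.0
    confirmed_at: Optional[float] = None
    token_hash: Optional[str] = None  # keyed hash of the token, never the token itself
    token_expires: float = 0.0


def _token_hash(token: str) -> str:
    # Keyed hash: a copy of the subscriber table alone cannot be turned into valid links.
    return hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()


class OptInStore:
    """In-memory stand-in for an ESP's subscriber table (an assumption, not a real ESP's API)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.subs: Dict[str, Subscriber] = {}
        self.clock = clock  # injectable so expiry can be tested without waiting

    def capture(self, email: str, source: str) -> str:
        """Step one: record the details as pending; return the token to embed in the link."""
        email = email.strip().lower()
        existing = self.subs.get(email)
        if existing is not None and existing.status == "confirmed":
            return ""  # already confirmed: do not let a re-submission reset the contact
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        now = self.clock()
        self.subs[email] = Subscriber(
            email=email, consent_source=source, captured_at=now,
            token_hash=_token_hash(token), token_expires=now + TOKEN_TTL_SECONDS,
        )
        return token  # only the raw token goes into the confirmation email

    def confirm(self, email: str, token: str) -> bool:
        """Step two: the link is clicked. Only a fresh, unused, matching token flips the status."""
        sub = self.subs.get(email.strip().lower())
        if sub is None or sub.status != "pending" or sub.token_hash is None:
            return False
        if self.clock() > sub.token_expires:
            return False
        if not hmac.compare_digest(sub.token_hash, _token_hash(token)):
            return False  # constant-time compare, no timing leak on the token
        sub.status = "confirmed"
        sub.confirmed_at = self.clock()  # the evidence of consent: when it was given
        sub.token_hash = None            # single use
        return True

    def mailable(self) -> List[str]:
        """Only confirmed addresses ever reach a campaign list."""
        return sorted(e for e, s in self.subs.items() if s.status == "confirmed")


if __name__ == "__main__":
    store = OptInStore()
    link_token = store.capture("Alice@Example.com", "website preference centre")
    print("before click:", store.mailable())
    print("click:", store.confirm("alice@example.com", link_token))
    print("after click:", store.mailable())
```

The capture step returns the raw token once, for the email; everything persisted is the keyed hash, the expiry, the source of the sign-up and, after the click, the confirmation time, which is exactly the record you will want when asked to show that a contact consented.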

Does your platform have the option to use double opt-in to make sure your lists are accurate and GDPR compliant?

Subject access requests

Individuals have the right under the Data Protection Act 1998 (and, from May 2018, under the GDPR) to ask for a copy of the information stored about them and to have any inaccuracies within that information corrected.

Under the GDPR, requests must be answered within one month (the 1998 Act currently allows 40 days), and the individual cannot be charged for making a request unless their requests are manifestly unfounded or excessive, for example because the same person keeps repeating them. Along with the subject’s own data, you should supply how long the data will be retained and when and how it was collected.

Without easy-to-use, specific features, this could become a lengthy and inaccurate job. The GDPR requires you to have a process in place so that you can give subscribers access to their data in a timely, accurate manner.

Does your ESP have features that will make it easy to execute a subject access request process to share the correct data with specific individuals? 

Right to be forgotten

The ‘Right to Be Forgotten’ is best known from cases about online search results in the public domain, but under the GDPR it is a general right to erasure: individuals can request that some or all of the data stored about them is removed.

When an individual wants to view all of the information stored about them, they may make a Subject Access Request, as mentioned above. But if an individual asks for some or all of their data to be removed, you’ll want to check that your ESP has a feature that will allow you to make the management of this type of request really easy and efficient.

You’ll also want to make sure that, instead of simply deleting users, it is possible to erase all personally identifiable information while permanently suppressing the related email address, so that a later import or sign-up cannot quietly put the person back on your list.

Does your ESP have the option to keep only a hashed or encrypted form of a user’s email address for suppression purposes (a one-way keyed hash is preferable, since it cannot be reversed to recover the address) and completely delete all related personally identifiable information?
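As an added example of the erase-and-suppress pattern described above (illustration for this article, not Email+ code or any ESP’s API), the store below keeps contact records and a suppression list side by side. On erasure every field of personal data is dropped and only a keyed hash (HMAC) of the normalised address survives, held under a key that is assumed to live outside the subscriber database; the SubscriberStore and SUPPRESSION_KEY names are assumptions. A keyed hash is used rather than plain SHA-256 or encryption because the set of plausible email addresses is small enough to guess through an unkeyed hash, and an encrypted value can always be decrypted by whoever holds the key.

```python
import hashlib
import hmac
from typing import Any, Dict, Optional, Set

# Assumption: stored separately from the subscriber database, so a copy of the
# database on its own cannot be used to guess addresses back out of the tokens.
SUPPRESSION_KEY = b"example-only-replace-with-a-random-key"


def normalize_email(email: str) -> str:
    # Case and whitespace differences must not let a suppressed address sneak back in.
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """One-way keyed hash of the address: enough to block re-adding it, not enough to recover it."""
    return hmac.new(SUPPRESSION_KEY, normalize_email(email).encode(), hashlib.sha256).hexdigest()


class SubscriberStore:
    """In-memory stand-in for an ESP's contact table plus its suppression list (an assumption)."""

    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, Any]] = {}  # address -> record holding PII
        self.suppressed: Set[str] = set()              # tokens only, never addresses

    def add(self, email: str, **pii: Any) -> bool:
        """A sign-up or list import of a suppressed address is refused, without the address being on file."""
        email = normalize_email(email)
        if suppression_token(email) in self.suppressed:
            return False
        self.records[email] = {"email": email, **pii}
        return True

    def export(self, email: str) -> Optional[Dict[str, Any]]:
        """What a subject access request would return for this address (None once erased)."""
        return self.records.get(normalize_email(email))

    def erase(self, email: str) -> bool:
        """Right to erasure: drop every field of PII and keep only the suppression token."""
        email = normalize_email(email)
        if email not in self.records:
            return False
        self.suppressed.add(suppression_token(email))
        del self.records[email]
        return True

    def mentions(self, email: str) -> bool:
        """Check used to prove erasure: does the address appear anywhere we still hold?"""
        needle = normalize_email(email)
        in_records = any(needle in str(v).lower() for rec in self.records.values() for v in rec.values())
        in_suppression = any(needle in tok for tok in self.suppressed)
        return in_records or in_suppression


if __name__ == "__main__":
    store = SubscriberStore()
    store.add("Carol@Example.org", name="Carol", signup_ip="203.0.113.9")  # constructed sample contact
    store.erase("carol@example.org")
    print("still mentioned anywhere:", store.mentions("carol@example.org"))
    print("re-import accepted:", store.add("CAROL@example.org", name="Carol"))
```

The mentions check is the kind of evidence you want to be able to produce after an erasure request: a search across everything still stored that comes back empty, while a re-import of the same address is still refused.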

Audit trail reporting

An audit trail, sometimes known as an audit log, is a security-relevant chronological record that provides evidence of the sequence of activities that have taken place.

Tracking what your staff are doing when they are logged into your ESP (when they have direct access to customer data) is an important part of responsible data management.

Can your ESP easily provide you with visibility on all user activity to prove sufficient data security?

Account security

As well as a real-time record of user activity, you’ll also want to think about overall account security. Our email platform, Email+ has a customizable security section that allows you to have complete control over your account security, giving your clients and your customers confidence in your software and services.

If you are working with an email account that has multiple users (and therefore multiple passwords and login locations), you want to be able to enforce password requirements that make each individual login as secure as possible. The option to assign an allowlist of trusted IP addresses or ranges, from which alone the account can be accessed, will also help increase account security.
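Here is an added example of both controls (written for this article, not taken from Email+): a password policy check that reports every violation at once, and an IP allowlist check. The networks, the proxy range and the short list of common passwords are constructed for illustration (a real deployment would check against a full breached-password corpus). The caveat worth noting is in client_ip: an allowlist is only as good as the address it tests, so the X-Forwarded-For header is honoured only when the connection actually comes from one of your own reverse proxies, otherwise a client could forge the header and walk through the check.

```python
import ipaddress
from typing import Iterable, List, Mapping, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed example ranges (documentation prefixes, not real office addresses).
TRUSTED_LOGIN_NETWORKS: List[Network] = [
    ipaddress.ip_network("203.0.113.0/24"),   # e.g. head office
    ipaddress.ip_network("198.51.100.7/32"),  # e.g. a single VPN egress address
]
# Assumption: the platform's own reverse proxies sit in this range.
TRUSTED_PROXIES: List[Network] = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed stand-in for a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def password_problems(password: str, min_length: int = 12) -> List[str]:
    """Return every policy violation so the UI can report them together; empty means acceptable."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def client_ip(peer_ip: str, headers: Mapping[str, str],
              proxies: Iterable[Network] = TRUSTED_PROXIES) -> str:
    """The address that should be tested against the allowlist.

    X-Forwarded-For is only believed when the TCP peer is one of our own proxies;
    a header supplied by a direct client is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    forwarded = headers.get("X-Forwarded-For", "")
    if forwarded and any(peer in net for net in proxies):
        # The rightmost entry is the one our proxy appended: the address that connected to it.
        return forwarded.split(",")[-1].strip()
    return peer_ip


def ip_allowed(ip: str, trusted: Iterable[Network] = TRUSTED_LOGIN_NETWORKS) -> bool:
    """True only for a well-formed address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed input never passes
    return any(addr in net for net in trusted)


if __name__ == "__main__":
    print(password_problems("password1"))
    # A direct client claiming an office address via the header is not believed.
    print(ip_allowed(client_ip("192.0.2.1", {"X-Forwarded-For": "203.0.113.45"})))
    # The same header from behind our proxy is.
    print(ip_allowed(client_ip("10.1.2.3", {"X-Forwarded-For": "203.0.113.45"})))
```

When you ask an ESP about trusted IP addresses, it is worth asking which address they test: the one that connected, or one a client can write into a header.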

Does your ESP give you customizable security settings that will keep your customer data as secure as possible and reduce the risk of a data breach?

Luckily, our email service provider, Email+ is leading the way when it comes to security, data management and storage. Make sure that your ESP measures up so your email marketing efforts won’t fall short of the upcoming GDPR changes. 

If you are unsure about your current platform, have any concerns or want some advice, give us a call on 01273 208913 or get in touch. You can also sign up to our newsletter to get the latest GDPR and industry updates delivered straight into your inbox.