GDPR and the impact to New Zealand Businesses

"GDPR does not apply to me, I am a New Zealand business." This is where you could be wrong. If you offer goods or services to citizens of the EU, or if you hold data of EU citizens, then GDPR applies to you. So are you ready for the introduction of GDPR on the 25th May?

What is GDPR? In a nutshell, it is about ensuring that the data of EU citizens is protected, that data breaches are communicated, and that personal data is accessible by the person it belongs to.

In the context of GDPR, personal data is information relating to a natural person (the data subject) that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social websites, medical data or a computer IP address. If you hold data of data subjects under the age of 16, parental consent will be required to process the personal data for online services.

As an organisation you may be deemed either a data processor or a data controller. A controller is the entity that determines the purpose, conditions and means for processing personal data, whereas the processor is an entity which processes personal data on behalf of the controller. A simple example would be that you have a CRM system (data controller) that manages the personal data and you use a 3rd party marketing platform to send out emails (data processor).

If the above does fit you and you are not ready, then the costs of non-compliance are quite steep: penalties of up to 4% of annual global turnover or $20 million Euros.

What are the key points that I need to be aware of?

  1. Breach Notifications – you must notify customers within 72 hours of a breach of personal data.
  2. Right to Access – EU citizens can ask whether or not you are using their data and for what purpose, and can request a full copy of the personal data on file, supplied electronically and free of charge.
  3. Right to be Forgotten – Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
  4. Data Portability – provides the right for a data subject to receive the personal data concerning them, which they had previously provided, in a ‘commonly used and machine readable format’, and to transmit that data to another controller.
  5. Privacy by Design – this is good practice for any implementation where personal data is being captured, but is now becoming a legal requirement. Basically it means that you must design data protection into your systems from the start rather than adding it at a later date. In addition, you must hold and process only the data that is absolutely necessary for the completion of the process, and limit access to personal data to those who need it to carry out the processing.
  6. Data Protection Officers – you may need to appoint a Data Protection Officer if you meet one of the following prerequisites: you are a public authority, you are an organisation that engages in large scale systematic monitoring, or you are an organisation that engages in large scale processing of sensitive personal data.

So what is the impact and how do I prepare?

If you look at the key changes above, there are a couple that catch my eye and make me say ‘umm, how would I do that?’. These would be the right to access and the right to be forgotten.

Both of these have a major impact on how you have currently designed and built your system. The right to be forgotten may have a knock-on impact on related records and systems that require a person record to exist for the record to be valid. Plus, if you got a request to share the personal details that you hold on a person, how would you process that? Can you print the details? Can you isolate the specific fields required for the request?

This is where Privacy by Design is a key factor to consider when developing new systems or reviewing existing systems, as you will now need to think "how would I do that if I were requested to do so?". You need to think about downstream systems, data warehouses, integration points, ERP systems, online channels, anywhere where personal data is stored.

A question I would ask of an organisation is: are you currently capturing the citizenship of the people you are dealing with, and can you identify the potentially impacted records in your system? A scenario that would not be too uncommon is that you are selling goods in New Zealand to people residing or travelling in New Zealand who are EU citizens. If such a person moves back to the EU, they could request their personal data or request to be forgotten. So the impact of GDPR is far reaching, especially with New Zealand being a tourist rich country.

Food for thought, I am sure. Make sure you are ready and can comply, as I am sure there will be people who will test organisations once the 25th May hits us.

If you need assistance in getting ready for GDPR, get in contact.

Using ClickDimensions, how can I capture who forwards the email?

Problem: People can forward my email to anyone, and as such the links are related to the person who forwarded it and not the person who received the email. So how can I capture the forward?

Unfortunately there is no easy way of doing this automatically, but what you can do, and what other customers do, is add a button to your email which states "click here to forward this email". This link can take the user to a simple form that has a forward email box and a submit button. On entering the email and submitting the form, we can then send an email to that new person with all the links correctly configured.

So what do I need to do to get this working, keeping it simple to start with?

  1. First of all, you need to create an email template for the email that a customer may forward
  2. You then need to create a web content form, and add a single field “Email” to it
  3. On the actions tab, select send email and select the email template created in step 1
  4. Click on the embed button, and copy the link to the web form and paste it somewhere you can access later
  5. Save and publish the new form
  6. Navigate to the email template that you created in step 1 and edit
  7. You now want to add a link or button (image) to your template instructing the user to click here to forward the email. The link you want to attach to the image is the link you copied in step 4. It is key that you do not use the insert web content feature and select the web content form, as this will embed it with data on the person you sent the email to, and thus prepopulate the email field when the user clicks the button. By using the link you copied, no additional attributes will be copied to it, meaning the form will be blank when a user lands on it.
  8. Once you have updated the email template, you can save it
  9. You are now ready to send out your communication using the email template. Anyone who clicks the link to forward will have a new email generated out of CRM / ClickDimensions and you will be able to track the additional conversions and clicks.

With the model above, it does mean that you need to clone the forward form for each email that you send out with the forward button on it, as the form is specific to an email template.

Another way that you could make it more generic is by passing a hidden variable in to the form and using a workflow to evaluate this variable and send the correct email to the new person.

To do it this way, you will need a little bit of JavaScript knowledge, as follows:

  1. Create a hidden field named Forward Email (you could use campaign code or anything that will identify the email to send)
  2. Follow the steps in this post to populate the hidden field from a URL string. Note that the example populates 4 fields; you will only need to populate one –
  3. Remove the form action to send the email and save and publish the form
  4. In the email template update the forward URL to include the additional text variable to be populated into the form
  5. Create a workflow that is triggered on the Form Field record
  6. The logic of the workflow should look something like this:
    1. Run on create
    2. Check to see if the Posted Form equals your Forward Form and that the posted field equals the new hidden field created in step 1. If it does, continue; otherwise stop the workflow
    3. Now you need to evaluate the hidden field, with an IF statement per Forward email, and the action if it matches is to send a ClickDimensions email to the contact/lead with the email template selected
    4. You will need to add a new IF statement for each forward email option
  7. Once you have this created, for each new forward email you need only update the workflow and not clone the form each time.
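
The hidden-field step above, sketched as an added example (not code from the original post or from ClickDimensions): it reads one value from the form URL, accepts it only if it matches a code the workflow has an IF branch for, and writes it into the hidden field. The parameter name `fwd`, the field id `forwardEmail`, the campaign codes and the `forms.example.com` URLs are assumptions.

```javascript
// Added example. URL_PARAM, HIDDEN_FIELD_ID and the codes are assumed names,
// not ClickDimensions identifiers; replace them with your form's own values.
const URL_PARAM = "fwd";
const HIDDEN_FIELD_ID = "forwardEmail";

// One entry per IF branch in the workflow (constructed sample codes).
const ALLOWED_CODES = new Set(["NEWSLETTER-MAY", "PRODUCT-LAUNCH"]);

// Return the forward code carried in the URL, or "" when the parameter is
// missing, sent more than once, malformed, or not on the allow-list.
function forwardCodeFromUrl(href, allowed = ALLOWED_CODES) {
  let params;
  try {
    params = new URL(href).searchParams;
  } catch (e) {
    return ""; // not a parseable absolute URL
  }
  const values = params.getAll(URL_PARAM);
  if (values.length !== 1) return ""; // absent or ambiguous
  const code = values[0].trim();
  // The query string is editable by whoever holds the link, so reject
  // anything that is not a short alphanumeric/hyphen token.
  if (!/^[A-Za-z0-9-]{1,40}$/.test(code)) return "";
  return allowed.has(code) ? code : "";
}

// Copy the validated code into the hidden field. `doc` is a parameter so the
// function can be exercised outside a browser.
function populateHiddenField(doc, href) {
  const field = doc.getElementById(HIDDEN_FIELD_ID);
  if (!field) return false;
  const code = forwardCodeFromUrl(href);
  field.value = code; // assign .value only; never build HTML from the URL
  return code !== "";
}

// In the browser, run once the form has rendered.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  document.addEventListener("DOMContentLoaded", () =>
    populateHiddenField(document, window.location.href));
}
```

Because the posted value can still be altered before submission, the workflow's IF branches remain the deciding check: a value that matches no branch should send nothing.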

Hope this helps.