Our GDPR Plan: Everything You Need to Know [UPDATED]


On May 25, 2018, the EU General Data Protection Regulation (GDPR) will change the way businesses handle your data. Download our GDPR Guide and read on to learn more about how we’ve been working to implement it.

What is GDPR?

GDPR is Europe’s new privacy law. Adopted in 2016, it replaces the outdated Data Protection Directive – marking the biggest change in data protection in 20 years.

In that time, technology has evolved rapidly. So too has the amount and type of data that now exists. GDPR aims to address that challenge by harmonizing data privacy laws across Europe, making it easier to do business across borders – and giving you more control over your personal data.

That means more rights for you to guard your data – and new rules for the businesses that process it.

How we keep your data safe

Data security has always been our top priority here at GetResponse. When designing, deploying and maintaining our network, services and applications, we strive to offer solutions that meet the industry’s strictest privacy regulations. So you can be confident we take security seriously – and keep your data safe.

That’s why we adopted a GDPR Compliance Implementation plan in March of last year – more than a year before the new law becomes applicable.

Our GDPR plan

Last March we put our plan into action, and it’s nearly complete! The first step was to create a dedicated team to oversee the work that needed to be done, under the supervision of our Legal Team and our Information Security Officer, who will also be appointed our Data Protection Officer (DPO) when GDPR is enacted in May.

Here’s what we’ve been working on:

  • Adopt an overall strategy for complying with GDPR
  • Identify and audit our personal data processing practices
  • Create a new privacy website where we’ll post data regulation updates, announcements, and resources
  • Create a dedicated email address for data privacy enquiries
  • Tweak our services to uphold all new rights of data subjects
  • Change our internal and external procedures, and privacy documents
  • Appoint a Data Protection Officer
  • Adhere to an approved code of conduct or certification
  • Perform a final check

Two steps of our implementation plan are ongoing and have always been a part of GetResponse data security:

  • Train staff
  • Test and check our compliance

We run regular training and compliance sessions to make sure our information security team is always up-to-date on any new or changing regulations and best practices for data security.

GDPR Guide

To top it off, we’ve been working hard on a step-by-step guide for our customers to learn more about GDPR and how to prepare their GetResponse account to make sure they are compliant. It’s nearly complete and we’ll be sure to update this space when it is ready for download.

Edit: Our GDPR Guide is now complete and ready for you to download. Feel free to read through it and get yourself familiar with key points of the regulation and what it means to you.

Also, below is an excerpt from the guide so you’ll know what to expect from it.

Does GDPR affect me?

GDPR may apply if you’re a data controller or data processor:

  • based in the EU, even if you process data outside the EU.
  • based outside the EU, but process personal data of EU residents. This applies if you sell goods or services (or offer them for free), or monitor people’s behavior within the EU.

How do you know if you offer goods or services to people in the EU?

  • You use a language or currency common in one or more EU countries, to help people who live there take up your offer.
  • You mention customers or users who are in the EU.
  • You clearly target your offer to people in the EU.

In this case, you’ll need to comply with GDPR.

On the other hand, you probably won’t need to comply if you simply have a website, email address, or other contact details that can be accessed in the EU – and the language is common to your country (and not to any EU member state).

How does GDPR affect me?

It’s worth keeping in mind that before GDPR, you still had to meet regulations when processing personal data.

GDPR simply means data controllers must make a greater effort to process personal data within the law. They also have to make it clear how data will be processed – and ask for consent. And if there’s a personal data breach, they need to notify the supervisory authorities and data subjects as soon as possible.

Unlike past laws, GDPR also refers directly to data processors – and outlines how they must now comply.

If you have a GetResponse account, you’re the controller of your contacts’ personal data. That’s because you decide why and how their information will be used. And that means you’re responsible and liable under GDPR.

[UPDATE MAY 2018] Introducing dynamic Data Processing Agreement

To meet your needs for GDPR compliance, we’ve added a new feature to our account settings. In the Data Processing Agreement (DPA) tab you can download a copy of the DPA you have to agree to when signing up with GetResponse. It also gives you the possibility to generate a personalized contract with us. To do that, you need to click the “Generate a personalized DPA” button and fill in the form with your details. You also have to confirm that you are authorized to execute the DPA on behalf of your company. Then, we’ll generate a copy of your contract that you’ll be able to download at any time. Simple as that!

GDPR Tab in My Account:

GetResponse GDPR My Account Settings.

Personalize your contract form:

Personalizing your Data Processing Agreement in GetResponse

Downloading a personalized DPA:

Downloading your personalized Data Processing Agreement (DPA) in GetResponse

Knowing how important and often complex GDPR compliance can be, we’ve developed a new feature that’s going to help you collect and manage consent from your email subscribers.

Consent Fields let you define the consent statements that you can place on your signup forms, landing pages, and webinar registration forms.

It’s quick and easy. And people can now review your opt-in and data processing policies and give their consent when they’re signing up.

Managing your Consent Fields in GetResponse

What are the benefits of this solution?

There are several, but the most significant ones are:

  • You’re getting a single dashboard to create and manage all your consent information
  • You can search for and segment contacts in your account based on the Consent field they’ve provided upon signup
  • You can filter your contacts in the marketing automation workflows based on their consent status

And most importantly, it makes being transparent about your consent policies, and compliant with the new regulation, a lot easier.

How are they different from regular custom fields?

If you’ve been using GetResponse custom fields, consent fields may seem similar at first.

The key difference is that once created, the content of your consent field cannot be changed.

And if you try editing it, it’s going to create a new version of the field.

Finding contacts based on the consent type they've provided inside of GetResponse

This way, you’ll be able to identify your contacts and the exact version of the consent they’ve provided.

How can I start using them?

To create and edit your consents, just click on the Manage account link in the top right corner of your dashboard.

You can then start using the Consent Fields when creating your web forms, landing pages, and webinars.

Adding a consent field to your landing page created inside of GetResponse

You’ll also find them in search contacts and your individual contacts’ details page. That’s where you’ll be able to segment your audience or gain proof of the consent they’ve given you.

Finding consent status

…and if you’re using Marketing Automation, we’ve added a new filter called Consent status that lets you target subscribers based on their consent status 🙂

To learn more, just check out our Help Center.
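The versioning behaviour described above (a consent field’s text is immutable, an edit creates a new version, and each contact is tied to the exact version they saw) and the consent-status filtering can be modelled in a few lines. This is an added illustration written for this post, not GetResponse code; the class and function names, and the sample contacts and timestamps, are invented for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ConsentField:
    """One immutable version of a consent field's text."""
    name: str
    version: int
    text: str

class ConsentRegistry:
    """Keeps every version of each consent field; an edit appends a new version."""

    def __init__(self):
        self._versions = {}  # field name -> [ConsentField v1, v2, ...]

    def create(self, name, text):
        versions = self._versions.setdefault(name, [])
        cf = ConsentField(name, len(versions) + 1, text)
        versions.append(cf)
        return cf

    def edit(self, name, new_text):
        # The earlier version stays untouched, so proofs that reference it still resolve.
        if name not in self._versions:
            raise KeyError(f"unknown consent field {name!r}")
        return self.create(name, new_text)

    def text_of(self, name, version):
        return self._versions[name][version - 1].text

@dataclass
class Contact:
    email: str
    # field name -> (version shown at signup, box ticked?, timestamp of the signup)
    consents: dict = field(default_factory=dict)

def record_signup(contact, cf, checked, when):
    """Record which exact version the contact saw and whether they ticked it."""
    contact.consents[cf.name] = (cf.version, checked, when)

def has_consent(contact, name):
    # An unticked box, or no record at all, means no consent for this purpose.
    entry = contact.consents.get(name)
    return entry is not None and entry[1]

def segment(contacts, name, version=None):
    """Contacts who gave consent, optionally only those who saw one text version."""
    return [c for c in contacts if has_consent(c, name)
            and (version is None or c.consents[name][0] == version)]
```

Because each contact record stores the version number together with the timestamp, you can later reproduce the exact wording a contact agreed to, which is what the proof-of-consent requirement asks for.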

[UPDATE SEPTEMBER 2018] How to stay GDPR compliant using GetResponse Webinar Recap

You asked, we answered! We hosted a webinar back in August, “How to stay GDPR compliant using GetResponse” and we’ve got a recap of your most pressing questions, and our answers here. Couldn’t make the live event? No worries – you can watch the recording anytime.

How to stay GDPR compliant using GetResponse

A: It’s easy to create and manage your Consent fields through the “Consent fields” section in your account. Check out our FAQ that explains how to do it step-by-step.

A: Please note that GDPR establishes the requirement of an explicit consent, meaning a data subject (your contact) has to actively opt in. According to GDPR, consent is “Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

So, if your contact hasn’t checked the Consent field applied to request their consent, they didn’t give their consent and you can’t process their personal data for the purposes that require such consent (e.g. sending them marketing emails).

Q: How do you introduce this field on the List Builder Apps?

A: We’re happy to announce that Consent fields are now available in the List Builder Apps and you can add your desired field(s) in the form settings:

Q: When is GDPR mandatory?

A: GDPR is mandatory and applies if you are a data controller or data processor:

  1. based in the EU, even if you process data outside the EU, or
  2. based outside the EU, but process personal data of EU residents. This applies if you sell goods or services (or offer them for free), or monitor people’s behavior within the EU.

Please note that offering goods or services to people in the EU may take place in any of the following cases:

  • you use a language or currency common in one or more EU countries, to help people who live there take up your offer,
  • you mention customers or users who are in the EU,
  • you clearly target your offer to people in the EU.

A: You’ll need to write your own text for the Consent field description area. There’s no “one size fits all”, and the consent text that your potential contacts review when signing up should be specific to your own data processing plans.

To send marketing emails to your contacts, you need to get their consent first. GDPR doesn’t require you to automatically refresh all consents given by your contacts up to now. You can continue to rely on any existing consent as long as it’s in line with the GDPR requirements – both with respect to the consent request, and the obligation to have it duly documented.

So, in any case it’s a good practice to review the consent request you have used before and make sure you can prove your contacts expressed their consent. If your existing consents don’t meet the GDPR’s standards or are poorly documented, you need to seek fresh, GDPR-compliant consent or stop processing.

Q: If we live outside the EU (e.g. in Canada), we still need to apply these new regulations, don’t we?

A: Even if you’re based outside the European Union, GDPR will apply to your data processing operations if you process personal data of EU residents. This applies if you sell goods or services (or offer them for free), or monitor people’s behavior within the EU.

Offering goods or services to people in the EU would take place especially in any of the following cases:

  • you use a language or currency common in one or more EU countries, to help people who live there take up your offer,
  • you mention customers or users who are in the EU,
  • you clearly target your offer to people in the EU.

Q: Are all the new GDPR features available across all GetResponse subscription options?

A: Yes, Consent fields are available for all account types.

A: GDPR (including its consent requirements) applies if the data controller is located or operates in the European Union, regardless of where the data processing takes place – in the European Union or not.

In other words, as long as you (as the data controller or processor) are established in one of the European Union member states, you have to follow all GDPR requirements, even if you process personal data outside the European Union or personal data of data subjects from outside the European Union (e.g. in the U.S.).

Q: How does it work if I am collecting email addresses as a vendor at an event?

A: You can collect email addresses as a vendor at an event and use them to send the participants your newsletter, as long as you make it clear for what purposes you’re collecting their data before they give you their email addresses.

So no matter if you collect the addresses on paper forms, enable your participants to express their consent electronically, collect their business cards, or even collect oral confirmation of their consent to process their email addresses for the purpose of sending your newsletter, please remember to provide comprehensive information about your identity, the scope of the collected data and the purpose for which you’re going to process it.

Also, always inform the participants (again, before they give consent) that they can withdraw their consent at any time and make it as easy for them as it was to give consent.

Last but not least, you need to be able to demonstrate you have appropriate consents, so – depending on the way you collected them – keep good records that the data subjects gave you their consents. It should be easy with paper forms or electronic means – you keep a copy of the signed paper form, or an electronic ID and the data submitted online together with a timestamp. It might be more challenging to keep the proof of consent if you collect them orally.


A: To send marketing emails to your contacts, first you need to get and maintain their consent. Please note that also in accordance with GetResponse Terms of Service “you may use the GetResponse service to send emails only to those recipients who have given you permission to add them to your mailing list and have not subsequently withdrawn such permission.”

If you have contacts that didn’t have the possibility to opt in using the new Consent fields (e.g. they subscribed to your campaigns before you implemented the GDPR consent field in your subscription forms), you can still send them marketing emails using GetResponse as long as they gave you their express consent in another way. Their consent has to fulfil the GDPR requirements and you have to be able to demonstrate that they gave it to you.

Q: If someone wants to unsubscribe, how do I take them off my list?

A: Your contacts can unsubscribe from your list(s) in any message you send them. An unsubscribe link is automatically added to each message footer. You can learn more about this in our helpful FAQ all about how a contact can unsubscribe themselves. You can also remove contacts from your list yourself if they ask you directly.

Q: Where can I find more GDPR information inside GetResponse?

A: Besides the information in this post, we’ve worked on a few resources for you to learn more about GDPR and how it may affect you and your GetResponse account: an in-depth guide and FAQ section.

Questions or comments? Let us know in the comments section below how you are feeling about GDPR. You can also email our privacy experts directly with any questions.