Below you’ll find a quick overview of what GDPR is, who it affects, and what ShortStack has done to make sure our platform is compliant. In fact, ShortStack already follows many of the data protection and security practices required by the GDPR, so there weren't many updates for us to make. We’ll keep this help doc updated as we release more features or make GDPR-related changes.
What is the GDPR?
What has ShortStack done to become compliant?
Updates in Place
Additional (Non-Essential) GDPR-Related Updates Underway
Does the GDPR apply to all businesses?
What can I do to continue using my ShortStack lists for email marketing?
The GDPR is a new set of data protection laws created to replace the current European Union (EU) data protection law. The current law dates back to 1995, so the new law aims to address the changes that have taken place over the last 23 years, with regard to how personal data is obtained and used.
At ShortStack, we know just how important and valuable every individual’s personal data is. Even before the GDPR passed, we practiced a high-level of data security. Because of our longstanding commitment to data security, we only needed to make a few changes in order to be fully compliant.
Read on to learn what we’ve already done, and what we are working on.
The consent portion of the GDPR is the most important portion for ShortStack users who are sending emails with our platform. We have added some tools to help ensure you can allow new subscribers to double opt in, as well as continues using some of the emails you have already collected in your ShortStack lists. These updates include:
- Double Opt-in Confirmation links in emails. Now, you can add a double opt-in confirmation link when sending autoresponders, scheduled emails and follow-up emails. These URLs are used for the "consent" portion of the GDPR regulations.
- Require Double Opt-in to receive emails. Now, you can set your Company Profile so only folks who double opt into your mailing list will receive emails from the lists associated with that profile.
We’ve also completed some updates that will help you stay compliant with the individual rights portion of the GDPR. The features we have added are:
- Customizable "From Email Address" field. When setting up your campaign, you have the option of adding a “From Email Address.” Yes, this is helpful in confirming the email is being sent from you/your company. However, more importantly, using a real email address allows people to respond to your email. It also allows people to reach out to you to inquire about how their data is being used, as well as submit requests to update their data, transfer it or remove it.
- An "Unsubscribe" link in the email footer. Every email you send with ShortStack includes a footer with your company’s address and an Unsubscribe link. The Unsubscribe link allows people who have subscribed to your list to change their mind and unsubscribe at any point.
- A search tool for locating user data. We are creating a search tool to allow you to find an individual within your lists. This will help you with updating the individual’s profile, providing them with the information you have collected about them, and deleting their data entirely.
- A Data Protection Addendum (DPA), which is available by request. We offer a DPA for customers to fill out and send back to us. To request the DPA, please email email@example.com and request the GDPR DPA.
- Performed a platform audit and removed or anonymized non-essential data. We audited all areas of the ShortStack platform to determine what personal information we collect and for what purpose. Where not essential for the execution of the services we provide, we removed or anonymized that data.
- Audited data-deletion process. We audited our data deletion process to ensure all non-essential data is destroyed.
The Double Opt-in Confirmation links are a very important part for the GDPR consent portion. With that out of the way, we also plan the following consent-related updates. These updates aren't required to make our platform compliant, but they will help our users use the platform more effectively:
- Adding Opt-In Checkbox fields to the Form Designer. This checkbox will ensure that only folks who check this box will receive the double opt-in link to opt into your mailing list.
- Double Opt-In indication within lists. We are adding a opt-in indicator to our lists that will allow you to see at a glance which entrants opted into your list. The indicator also comes in handy when you export your databases, as you will be able to see which email addresses meet the double opt-in standard.
It depends. If you are located in the European Union, then, yes. However, even if you aren’t located in the EU, it’s still possible that the GDPR applies to the personal data you collect.
It’s important to understand what is considered "personal data" in relation to the GDPR: Personal data is any data related to an identified individual or data that, when processed along with additional data or alone, could identify a specific individual.
The GDPR applies to you if you perform any of the following actions in regard to the data of EU citizens:
- Collect personal data,
- Organize personal data,
- Transmit personal data,
- View personal data,
- Delete/erase personal data,
- Modify personal data,
- Store personal data, or
- Use personal data in any other way.
Consent and Individual Rights
The two elements of the GDPR most relevant to ShortStack users are:
- obtaining consent to process individuals’ data, and
- individuals’ rights regarding how their data is used.
Consent: Per the GDPR, you are considered a "data controller" when you collect form entries via ShortStack. As a data controller, you must use a legal basis to process individuals' data. In the case of collecting entries for your email marketing list, you should ask individuals for their consent to collect and process their personal data. An individual's consent must be explicit and verifiable.
To obtain "explicit" consent, use a double opt-in method for adding people to your list. Our blog post Are you GDPR-ready? How ShortStack Is Preparing for the May 2018 Deadline covers this in greater detail. How about the "verifiable" part of consent? This is something ShortStack handles. We record when someone opts in to your list.
Individual Rights: The GDPR outlines rights individuals have with regard to how you use the data of EU citizens, and what the individuals whose data you collect can ask you to do with their data. Data controllers should be able to tell folks who submit their data what they're using their personal data for and how it is being stored. Likewise, you must be able to share the data you have about an individual with him or her.
Furthermore, under GDPR, individuals have the "right to be forgotten." This means you need to be able to completely remove an individual's information from your databases/lists. (See how ShortStack is addressing the "right to be forgotten.") In addition, folks must be able to have their data corrected, barred from certain uses or transferred to another organization. All of this must be accomplished in what the GDPR defines as a "timely" manner (unfortunately, they fail to provide an exact definition of what "timely" is, as it can vary by industry).
Great question! Check out our blog post, GDPR Compliance: It’s easier than you think for more in-depth information on making your ShortStack email marketing lists GDPR-compliant.
We'll be updating this help doc as more GDPR-related updates are made. Be sure to check back from time-to-time to stay informed.
If you have any more questions, shoot us an email at firstname.lastname@example.org.