GDPR Compliance

What's inside

General Data Protection Regulation and The Newsletter Plugin

The General Data Protection Regulation (GDPR) adopted by the European Union entered into force in May 2018. This regulation poses a set of rules for how we communicate and interact with prospects and customers within the European Union and it focuses also on data storage and protection. The GDPR introduced some substantial changes to the previous norms that regulated those matters. 

But don’t worry, this is not rocket science! The Newsletter plugin is fully compliant with GDPR and in this article, we will cover all the essential aspects of it. Just a quick note: while the GDPR uses the term “subject data”, in order not to create confusion we will use “subscriber data” instead. 

Data processing agreement

The Newsletter plugin stores all the subscribers’ data inside YOUR WordPress blog database, and does not transfer any data to any services of our company. Therefore, a Data Processing Agreement (DPA) is not needed. Read more about DPA.

Subscribers data

The majority of the concepts expressed inside the GDPR run around the notion of “personal data”. The definition given by the regulation is pretty strict: “Any information that could be used, on its own or in conjunction with other data, to identify an individual”. In Newsletter we store any information, for example, the name, surname, email address, and IP address. Clearly, this is not forbidden per se, but you have to tell your users exactly what you keep track of, why you are doing that, and for what purpose. 

The keyword here is transparency, and transparency starts with a clear privacy policy and, more importantly, consent.

One of the most important aspects of the new regulation is how consent is given by users and how to keep a proof of it. To keep it simple: you have to make sure of what your subscribers give consent to during the subscription process. 

In Newsletter you are able to adjust your subscription form according to what information you want to collect from your prospects: you can change those options from the “list building” menu. Read more about subscription forms here.

Two key aspects must be considered: the double opt-in and the privacy checkbox.

  • double opt-in is always a good practice and it is required by law in many countries to confirm the will of the subscriber. Basically, to subscribe, users must fill out the form and activate their profile, giving their consent two times before the actual service starts. Read more about it here. 
  • The privacy checkbox option, which you can find under “list building”> “subscription form fields, buttons, labels”, lets you add a mandatory checkbox that blocks the subscription until your prospect subscriber reads your privacy policy page and the data treatment disclaimers (which you should create anyway). 

Consent is any affirmative act a subscriber does while sending you its data if clearly and correctly informed. The privacy checkbox is not strictly required but it’s required to have a link to your privacy policy page. You can use the privacy field configuration to add that notice as well.

Read more about consent on Getting consent with the Newsletter plugin and “Re-ask confirmation to your contacts“. Special case: getting consent for imported subscribers.

When the subscriber submits his/her data (email, name, …) using a subscription form, he/she gives consent to treat the data both by the explicit action of submitting and by checking the privacy checkbox (if present). Without checking that privacy checkbox the data cannot be submitted.

Of course, you should carefully explain how the data is used.

From the GDPR official text:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Hence the fact the subscriber’s data is stored (with the submission timestamp) is proof of the given consent. The plugin does not allow the recording of any kind of data without consent at the subscription time.

A clear affirmative act could be the click on the “subscribe” button, stating it’s clearly explained how the data is processed. Anyway, not everyone agrees on that and some countries require even a mandatory checkbox.

The GDPR requires proof of user consent even when the data is changed. In the Newsletter plugin, when a subscriber changes his profile by activating a specific list, he could be giving specific consent (for example to send marketing emails). The newsletter plugin provides a logging feature that records every change the subscriber performs on his profile, with a timestamp. The logs are visible by entering the subscriber’s editing page and selecting the logs subpage.

Data stored by Newsletter

 Besides name and email address, our plugin can collect other data, if for example extra profile fields have been configured. Moreover, Newsletter collects IP addresses at the moment of subscription and whenever a user performs an action on newsletters if tracking is active. IP addresses are used for various features, from tracking to geo-localization. 

Cookies

The Newsletter plugin may set a single technical cookie named “newsletter” which is used to show the right messages to the subscribers or to unlock content for subscribers when using the Content Lock addon.

Data conservation 

One of the requirements of the GDPR is that you have to clearly inform your subscriber of how long you are going to keep their data on your servers. This info must be stated clearly in your Terms & Conditions page. The reason behind this requirement is to avoid keeping obsolete data or contact information, which you can not verify. 

Newsletter gives you two options for dealing with these requirements:

  • you can delete all subscribers that are not “confirmed subscribers” (bounced, unsubscribed, not confirmed…)
  • You can delete all those subscribers who did not interact with you in a specified interval of time. 

Performing these actions periodically helps you in keeping your lists clean and avoid losing valuable subscribers. Check those options on the page Subscribers > Maintenance, inside the Newsletter dashboard. 

Read more about deleting obsolete subscribers and how to massively manage your subscriber database.

Data export and portability

GDPR also requires you to offer to your users the possibility to ask for a copy of their files for portability reasons. The downloaded data export file should be in a machine-readable format (not human-readable). Newsletter by default collects only names and email addresses, but if you configured the extra profile fields, those data should be exported as well. 

To simplify this process, we created a new special tag: 

{profile_export_url}

You can use it in your profile editing page to create a link that generates a JSON export of the subscriber data. Read more on this article.

Data modification and integration rights

The Newsletter plugin allows subscribers to access their own profile editing panel, where they can change every detail whenever they feel like it. Therefore, there is nothing special to do in this case. Just make sure that users’ profiles are reachable, making this option as clear as possible. 

Data removal

At this moment, Newsletter subscribers do not have the ability to delete their own data: however, we are considering adding this option. You can delete the whole subscription from the administration panels. As of now, this will permanently delete the subscriber along with his data but we’re working on full anonymization to prevent lost data to affect statistics or historical aggregate data.

External delivery services and hosting providers

The majority of external SMTP providers are already GDPR compliant, but it is your duty to check this carefully, as you are transferring names and email addresses to those providers every time you send an email to a subscriber. You should also state in your privacy policy that you are using external services. Usually, all the delivery services provide a Data Protection Agreement (DPA), just get it from them. 

Finally, as regards hosting providers, they store physically your data on their servers, including your subscribers’ data and they need to be GDPR compliant. As with other external services, they usually provide a DPA.