This FAQ is intended to provide information and address questions which you (as a communicator) may have on Poppulo’s compliance with the EU data protection regulation, GDPR. While this FAQ deals with some legal concepts and impacts, it should not be considered legal advice, nor a recommendation of any particular legal understanding. Please consult your own organization’s data protection officer (or compliance team) for interpretation of this information, including advice on how this information applies to your own organization’s GDPR compliance.
What is the GDPR?
The GDPR (General Data Protection Regulation, formally Regulation (EU) 2016/679) is a European Union regulation which unifies and strengthens the data protection rights of people in the EU. It replaced Directive 95/46/EC and has applied since 25 May 2018. It imposes additional obligations on organizations that process the personal data of people in the EU, including EU-based employees or customers, regardless of where the organization itself is established (Article 3).
For more on the GDPR, speak to your own data protection or compliance team, or refer to the website of the supervisory authority responsible for GDPR enforcement in your primary operating country: for example, the Data Protection Commissioner (DPC) in Ireland, the Information Commissioner's Office (ICO) in the UK, or the Commission Nationale de l'Informatique et des Libertés (CNIL) in France.
In short: GDPR is the European data protection regulation (not a directive), applicable since May 2018, and it will likely affect your decisions on processing personal data such as email addresses.
Is Poppulo GDPR compliant?
Poppulo is compliant with European data privacy regulations, including Regulation (EU) 2016/679 (the GDPR), which has applied since 25 May 2018. Poppulo undertook a compliance-readiness program to ensure our own compliance with the GDPR and to assist our customers with their compliance-readiness programs.
In short: Yes, Poppulo is compliant with the EU General Data Protection Regulation.
What aspects of GDPR apply to Poppulo and Poppulo’s customers?
In essence, the entire regulation applies to Poppulo and to organizations using Poppulo. Some areas of the regulation, however, merit specific consideration:
- Purpose - The GDPR requires that personal data be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (Article 5(1)(b)). You should therefore pay close attention to what employee data is being stored, and why. Do not store data that is not necessary or justifiable for that purpose, and do not use it for other purposes.
- Transparency - Because personal data must be "processed lawfully, fairly and in a transparent manner" (Article 5(1)(a)), review the notices shown to users on data-capture forms and in the footer of communications.
- Access - Organizations could previously charge data subjects for the cost of handling an access request (for example a €6 fee in Ireland or a £10 fee in the UK). Under the GDPR the information must normally be provided free of charge, and within one month (Article 12(3)); a reasonable fee, or a refusal, is only possible where a request is manifestly unfounded or excessive, and the controller must be able to demonstrate that (Article 12(5)). Data controllers should therefore be prepared for an increase in requests from data subjects.
- Consent - The GDPR requires that consent be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Pre-ticked checkboxes, silence, inactivity or "implied consent" do not meet these requirements (Recital 32). Single opt-in is not prohibited, but double opt-in gives a far stronger record that the person who owns the address actually consented. Review any areas where the weaker models are in use, and review what "records of consent" are retained, since the controller must be able to demonstrate that consent was given (Article 7(1)).
Other GDPR principles are also applicable, including those relating to retention, accountability, profiling and breach notification, and you should consider how your compliance-readiness program overlaps with these areas.
In short: Some GDPR tenets bear more directly on employee communications and email use-cases, but all the key principles (purpose, transparency, consent, etc.) are relevant.
How will I, as a marketer (using Newsweaver Customer Connect to communicate with external stakeholders), ensure GDPR compliance?
We recommend that users of Newsweaver Customer Connect speak to their own data protection officer and seek their input on how continued use of the system aligns with the organization's GDPR compliance. In general terms, however, we recommend that customers consider:
- Consent review - Review the data-capture forms you use: remove any pre-ticked checkboxes, switch sign-up forms to double opt-in, and make sure the accompanying text states clearly the purpose for which the data is captured and the types of communication or processing the contact is consenting to.
- Data review - Review the data held in your account and the purpose for which it is held. For example, if your data set contains rows for past customers, consider whether you still have a purpose for retaining them; if your People records contain columns you do not actually use, consider whether you have a purpose for retaining those fields. This supports compliance with the purpose-limitation and data-minimization principles of the GDPR.
- Process review - As you can no longer routinely charge data subjects for handling an access request, consider how you will handle a possible increase in such requests. At a minimum, consider how you would respond to a request for confirmation of how consent was obtained, particularly where that consent was obtained outside Poppulo's systems, with which we would not be able to assist.
Your own data protection officer will likely have other recommendations and expectations.
In short: Discuss the implications of the GDPR for your email marketing program with your own data protection officer, and enable double opt-in to ensure clarity of consent for any data you capture going forward.
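The double opt-in and "record of consent" points above (and the consent item in the earlier list of GDPR areas), as an added worked example that is not part of Poppulo's product or documentation: a minimal two-step sign-up in which the confirmation link carries an HMAC-signed, time-limited token, and a consent record (which address, which specific purposes, which form and notice wording, when requested and when confirmed) only comes into existence when the link is clicked. The signing key, token format, 48-hour lifetime, field names and sample input are assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical server-side key; in a real deployment it lives in a secrets store.
SECRET_KEY = secrets.token_bytes(32)
# Assumed lifetime of a confirmation link (48 hours).
TOKEN_TTL = 48 * 3600


@dataclass
class ConsentRecord:
    """What a controller needs in order to demonstrate consent (Article 7(1))."""
    email: str
    purposes: List[str]      # the specific purposes the subject ticked
    notice_version: str      # version of the wording shown on the form
    form_id: str             # which form captured the consent
    requested_at: int        # form submission time (epoch seconds)
    confirmed_at: int        # confirmation-link click time (epoch seconds)
    method: str = "double opt-in"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: dict) -> str:
    # Canonical JSON so the signature covers exactly the bytes we later verify.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def _verify(token: str) -> dict:
    """Check the HMAC before trusting anything inside the token."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return json.loads(body)


def request_signup(email: str, ticked_purposes: List[str], notice_version: str,
                   form_id: str, now: Optional[int] = None) -> str:
    """Step 1: the form is submitted. Only purposes the subject actively ticked
    are accepted; an empty list means there was no affirmative action, so there
    is nothing to confirm. Returns the token to embed in the confirmation link."""
    if not ticked_purposes:
        raise ValueError("no purpose was ticked: nothing to consent to")
    payload = {
        "email": email.strip().lower(),
        "purposes": sorted(set(ticked_purposes)),
        "notice_version": notice_version,
        "form_id": form_id,
        "requested_at": int(now if now is not None else time.time()),
    }
    return _sign(payload)


def confirm_signup(token: str, now: Optional[int] = None) -> ConsentRecord:
    """Step 2: the link is clicked. The token is verified and its age checked;
    only now is a consent record created, tied to the exact form and wording."""
    payload = _verify(token)
    now = int(now if now is not None else time.time())
    if now - payload["requested_at"] > TOKEN_TTL:
        raise ValueError("confirmation link expired; ask the subject to sign up again")
    return ConsentRecord(confirmed_at=now, **payload)


if __name__ == "__main__":
    # Constructed sample input.
    token = request_signup("Ann.Murphy@example.com", ["newsletter"], "v3", "web-signup-1")
    print(confirm_signup(token))
```

The record stores the notice version rather than the notice text, so the wording a subject saw can be reproduced later without copying it into every record; the form identifier lets you answer "how was consent obtained?" for the process-review point above. Anything ticked by default never reaches `request_signup`, which is how the "no pre-ticked boxes" rule is enforced on the server rather than only in the form.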
How will I, as a communicator (using Poppulo Pro/Enterprise to communicate with internal stakeholders), need to prepare for GDPR?
We recommend that users of Poppulo's internal communications platform (including Poppulo Email, formerly Internal Connect) speak to their own data protection officer and seek their input on how continued use of the system aligns with the organization's GDPR compliance. In general terms, however, we recommend that customers consider:
- Awareness - A core principle of the GDPR is that data subjects are informed of the existence and purpose of processing (Articles 13 and 14). Consider informing employees of the data used to send employee communications and its purpose, for example by adding text, or a link to a notice, in the footer of employee newsletters: "This communication was sent using Poppulo. The data stored in Poppulo includes that needed to send the email (your email address), personalize the email greeting (your first name), personalize the email content (your business function), etc."
- Purpose review - By extension, if there is no business purpose for storing a data type, consider removing the field. For example, if you are not using employee last names (for personalization) or employee country (for language or content localization), it may be worthwhile removing those fields.
- Consent check - Contracts of employment often contain a general consent clause covering employee data, but the GDPR expects consent to be specific to the stated purpose, and consent is unlikely to be "freely given" where there is a clear imbalance between the parties (Recital 43), which regulators generally consider to be the position between employer and employee. Core, job-related communications are therefore usually sent on another lawful basis (such as the employer's legitimate interests) rather than consent. Internal communicators should consider sign-up forms for optional topics or communications that are not job-critical, and for audiences such as contractors, franchisees or even full-time employees where participation is voluntary. Where external stakeholders are included, enable double opt-in on any sign-up or update-profile forms.
- Anonymity checks - Truly anonymized data, from which the individual can no longer be identified, falls outside the GDPR (Recital 26). Pseudonymized data, where an identifying value is replaced by a code and the key or lookup table is kept separately (Article 4(5)), is still personal data, but pseudonymization is expressly recognized as a safeguard (Articles 25 and 32) and limits the impact of a breach. It is therefore worth considering replacing actual values in certain fields with a code or abbreviation, anonymizing certain survey types, or enabling the reporting anonymization restriction within your Poppulo account. Bear in mind that the lookup table, or a guessable coding scheme, is the "additional information" that allows re-identification and must be protected as carefully as the data itself.
Your own data protection officer will likely have other recommendations and expectations.
In short: Discuss the implications of the GDPR for your internal communications program with your own data protection officer. In the first instance, consider whether notices on the purpose of the program, and the data used to support it, should be displayed in your IC channels.
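The "code instead of an actual value" idea, and the difference between pseudonymized and anonymized data, as an added example that is not Poppulo's code or a description of how the product works: a plain hash of an email address is reversible by anyone who can list plausible addresses (a staff directory is exactly such a list), while a keyed hash is reversible only by whoever holds the key, and that key, together with the code table, is the "additional information" that keeps the result personal data. The sample directory, code table and key handling are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample People records (not real data).
DIRECTORY = [
    {"email": "ann.murphy@example.com", "first_name": "Ann",
     "business_function": "Finance", "country": "IE"},
    {"email": "bob.walsh@example.com", "first_name": "Bob",
     "business_function": "Engineering", "country": "UK"},
    {"email": "cara.byrne@example.com", "first_name": "Cara",
     "business_function": "Sales", "country": "IE"},
]

# Hypothetical code table ("a code instead of the actual value"). Together with the
# HMAC key it is the Article 4(5) "additional information": anyone holding it can
# re-identify, so it is stored and access-controlled separately from the reports.
FUNCTION_CODES: Dict[str, str] = {"Finance": "F01", "Engineering": "E01", "Sales": "S01"}


def new_key() -> bytes:
    """Pseudonymization key; kept with the code table, away from the pseudonymized data."""
    return secrets.token_bytes(32)


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. It looks opaque, but anyone who can enumerate plausible
    inputs (a staff list, a company's address pattern) can reverse it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key, enumeration no longer works;
    with it, the key holder can still re-identify, which is precisely why this is
    pseudonymization rather than anonymization."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(token: str, candidates: Iterable[str],
                           pseudonymize: Callable[[str], str]) -> Optional[str]:
    """The attack a reviewer should assume: recompute the pseudonym for every
    candidate identity and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate), token):
            return candidate
    return None


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Reporting view of a People record: the subject identifier is replaced by a
    keyed pseudonym, the free-text function by its code, and the name is dropped
    because reporting has no purpose for it. Small groups (one "S01" in "UK") can
    still single a person out, so aggregate or suppress small cells before sharing."""
    return {
        "subject": keyed_pseudonym(record["email"], key),
        "function_code": FUNCTION_CODES.get(record["business_function"], "UNK"),
        "country": record["country"],
    }


if __name__ == "__main__":
    key = new_key()
    emails = [r["email"] for r in DIRECTORY]
    target = emails[0]
    print("unkeyed hash reversed to:",
          recover_by_enumeration(naive_pseudonym(target), emails, naive_pseudonym))
    print("keyed pseudonym, attacker without key:",
          recover_by_enumeration(keyed_pseudonym(target, key), emails,
                                 lambda e: keyed_pseudonym(e, new_key())))
    print(pseudonymize_record(DIRECTORY[0], key))
```

Run as a script it shows the unkeyed hash being reversed from the directory, the keyed pseudonym resisting the same attack, and the reporting view of one record. The practical point for an IC team is that "hashing the email address" on its own does not take a report outside the GDPR; keeping the key and code table separate from the data is what makes the pseudonymization a meaningful safeguard.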
How did Poppulo prepare for GDPR?
In addition to the governance, compliance and process reviews that any organization needed to undertake to comply with the GDPR, Poppulo took a number of specific steps, several of them particular to our industry and the services we provide. These include:
- Governance changes - Poppulo has formalized the role of Data Protection Officer (DPO). The Poppulo DPO is responsible for Poppulo's own GDPR compliance and for assisting our customers with theirs.
- Data privacy and process audits - Overseen by the DPO, Poppulo's GDPR-readiness program drew on a cross-functional project team. This team was first responsible for completing an information audit of the personal data stored by Poppulo about our customers, and by Poppulo on our customers' behalf.
- Data security changes - A number of policy and technical-control changes, including changes to Poppulo's policies on encryption of data (including PII) at rest.
- Product changes - A number of changes to the Poppulo product stack, including changes to the single/double opt-in functionality of the Poppulo sign-up features.
- Process changes - Updates to Poppulo Support practices, specifically as they relate to servicing subject access requests and subject deletion requests.
In short: Poppulo’s preparation for GDPR had the highest-level of executive sponsorship, was driven through the Data Protection Officer, and had input from a cross-functional project team. Readiness activities included: data security and encryption updates, data audits and reviews, access request procedure changes, and a number of planned product updates.
Does Poppulo transfer or process personal data outside of the EEA?
During account creation and onboarding we ask customers where they want their data stored and processed. Unless your organization is a US-based entity and expressly requested that we store your data in our US-hosted environments (Chicago, IL and Boston, MA), your data is stored and processed in our default EEA-hosted environments (London, UK and Cork, IE).
Poppulo is registered as a data processor in the UK (ICO Reg# Z9513693) and in Ireland (DPC Reg# 5638/A) in respect of the processing that occurs in these EEA-based environments.
In short: Unless you expressly asked us to do otherwise, no, Poppulo does not transfer or process personal data outside of the EEA.
What about Brexit? Will Poppulo need to move the UK data center location?
The data center market in the UK is the largest in Europe and the third-largest globally, so Poppulo, the UK data center industry, and the many thousands of companies with a data center presence in the UK are all closely monitoring developments.
To date, there is no indication that Brexit will have an immediate impact on GDPR compliance. When the UK leaves the EU, any UK-based company (including data center or hosting companies) wishing to do business in the EU will need to maintain compliance with the GDPR, just as businesses in the US, Asia and elsewhere must.
Poppulo will continue to monitor events and has contingency plans in place if required. Each of the position statements issued by the UK government on Brexit and the GDPR indicates that the GDPR will be respected and applied within the UK, through the UK Data Protection Bill.
In the unlikely event of a short-notice change (for example, if the UK did not obtain an adequacy decision from the European Commission, or the Data Protection Bill were not passed), Poppulo would treat this as a Business Continuity or Disaster Recovery event and transfer servicing and operations to our live Disaster Recovery site in Ireland.
In short: Brexit does not currently have GDPR implications for Poppulo customers. If that changes, we will be able to adjust accordingly, and quickly.
What about profiling? Doesn’t GDPR preclude profiling of employee audiences?
The GDPR defines profiling (Article 4(4)) and places extra conditions on decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on the person (Article 22). It does not preclude segmenting audiences for internal communications.
Profiling under Article 4(4) means automated processing of personal data to evaluate personal aspects of a person, in particular to analyze or predict (for example) performance at work, preferences, interests or behavior. Sending a newsletter to everyone whose People record says "UK" and "manager" evaluates or predicts nothing about them; it is selection on attributes the organization already holds, so it is not profiling in the Article 4(4) sense. Where a communications tool does build a behavioral profile (for example, from open and click data), that is profiling, but the Article 22 restrictions only apply where a decision based solely on that processing has a legal or similarly significant effect on the person, which deciding which newsletter edition they receive does not.
Even where profiling does apply, what the GDPR requires is safeguards rather than a prohibition: the same transparency obligations as for any other personal data (the profiling must be described in the privacy notice), the data subject's right to object (Article 21), a way to correct inaccurate profile data, and security measures proportionate to the data involved. All of these can be readily demonstrated.
As with other aspects of the GDPR, talk to your Data Protection Officer and HR team about their processes in this area, particularly if profile data captured in the internal communications context is intended to be used in an HR or similar context, where a decision could have a significant effect on the employee and Article 22 may apply.
In short: Confirm with your DPO and HR colleagues, but the GDPR definition of "profiling" is less applicable to the IC context than it is to HR and similar contexts.
What if I have other questions?
If you have further questions, please contact:
- (if a new customer) your Poppulo Sales Representative, or sales@poppulo.com.
- (if an existing customer) your Poppulo Customer Success Manager, or Poppulo Support.
- (otherwise) the Poppulo Data Protection Officer, at privacy@poppulo.com.