About Fresh Relevance and GDPR
- Fresh Relevance complies with the GDPR and we are registered with the ICO in London. All data for our EU and UK clients is stored in the EU and only in the EU, unless you as our client tell us to copy it elsewhere.
- Data Controller: this is you. You control the personal data about your Data Subjects (shoppers and customers). You are responsible for keeping them informed, asking for permission if necessary, and handling their requests – though we will help of course.
- Data Processors: you have several of these, including Fresh Relevance. Our servers are hosted in Ireland by Amazon Web Services EU (Ireland), so AWS is your data processor, as are the other services that you use, such as your eCommerce system and your ESP.
How to add Fresh Relevance from a GDPR Perspective
- These instructions assume that you are already GDPR compliant and are adding Fresh Relevance too. If you are not sure, then read the ICO Guide to check.
- We and all your Data Processors must provide contracts which are compliant with Article 28 of the GDPR text. For example, “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject … a contract or other legal act under Union or Member State law.” NB: not under US Law.
- Fresh Relevance will have an Article 28-compliant Data Processing Addendum before the end of April. We started late because we expected ICO to produce examples that companies could just copy, which would have saved a ton of money, but they didn’t. Take a copy of this contract when it’s ready.
- Document what personal data you hold in a Data Protection Impact Assessment (DPIA). If there’s no high impact to data subjects then it’s simple, because you can stop at question 5. The DPIA for Fresh Relevance is in Appendix 2 at this link: https://www.freshrelevance.com/images/uploads/blog/How_To_Prepare_for_the_GDPR.pdf
- Fresh Relevance does several types of marketing. Marketing such as personalization and triggered emails can be done as a legitimate interest, so you don’t need to ask for consent – just say what you’re doing on your privacy page. Our own Legitimate Interest Assessment is Appendix 3 at this link: https://www.freshrelevance.com/images/uploads/blog/How_To_Prepare_for_the_GDPR.pdf
- Other types of marketing, notably bulk emails (e.g. your newsletter), need separate consent because they are intrusive. The GDPR rule of thumb is that a form submit automatically grants one type of consent. But if you have a form that’s doing two or more things (e.g. creating an account AND signing up for a newsletter) then each additional thing needs its own checkbox or pair of radio buttons. For example:
Please send me your newsletter with offers and new products
No thanks - I'd rather not know what I'm missing
- On your privacy page, say concisely, clearly and plainly what Fresh Relevance will do. This is our current version, as a starting point.
This website stores information about your account, your orders, and products which interest you. It is used to manage your account and process your orders.
Personal data may be used to send triggered emails, such as cart abandonment and purchase confirmation emails, and to personalize marketing, for example, to suggest products related to your previous purchases. It may also be used to send you special offers and product news by email if you agree to that.
- On your privacy page, add a statement about cookies to replace your cookie popup.
- On your privacy page, say how data subjects can contact you to exercise their new individual rights under the GDPR, for example by sending you an email. NB: you need a way to be sure that the people who contact you are who they claim to be, so you don’t give out information to hackers or stalkers. We describe these rights and how we help you here.
- Your previous email permissions become invalid on 25 May 2018, unless they were collected in a way that’s consistent with the GDPR. For example, did you tell people how their data would be used? We think you can maybe continue to send emails for a few months as a “legitimate interest”. But you really need to get people to re-register properly, so consider signing up for the Fresh Relevance “Permission Pass”.
Question: Re GDPR Consent. Can marketers carry on using historic consent, or do they need to get new GDPR-compliant consent from everyone?
Answer 1: If you can show that historic consent was up to GDPR standards, then you can keep on using it.
Answer 2: Separately, marketers - especially B2B marketers - can also contact individuals if there's a "legitimate interest". This requires doing a "Legitimate Interests Assessment" (LIA) - basically listing and balancing the *positive* interests of the brand and the individual (e.g. the brand and the individual's company may both make more money) against the *negative* interests of the individual (e.g. they don't want to be spammed and waste time). If an individual previously gave consent and has never complained/unsubscribed - even if consent was not up to GDPR standards - this is additional evidence for the LIA that they don't mind being contacted, so you are more likely to be able to contact them as a "legitimate interest" after 25 May.
You need to keep a permanent record of LIAs and other GDPR-related decisions.