The GDPR (General Data Protection Regulation) that comes into force on 25th May 2018 will help protect EU residents against cybercrime and data breaches by ensuring the data protection policies of all firms in the EU are of a high quality. If you would like to know more, our page on GDPR and Website Marketing gives a more in-depth view.
What are the GDPR Responsibilities for Infusionsoft Users?
To comply with GDPR, each entity first has to decide whether it is a data controller or data processor. A data controller will be the driving force behind which personal information is kept and why, whereas a data processor stores and processes that information for the controller.
As an Infusionsoft customer you are likely to be a data controller, and Infusionsoft will be your data processor. As a controller you have to make sure you have a reason for each and every piece of data that you are holding on an individual. Although it will depend on the size of your company, smaller firms who typically only use personal data to market their own business will not have to necessarily appoint a specific DPO (Data Protection Officer), a representative in the EU, or register with the ICO (or the governing body responsible for GDPR in your resident country).
The main reason for this regulation is to tighten up the internal processes within a company, so that if you can show that you have thought about these regulations and have taken steps to protect the data you hold, that should be sufficient. This just means that you need to make sure you know why you are holding sensitive data on an individual, that you have a valid reason with respect to GDPR, and can protect it adequately from being stolen.
What Infusionsoft Users Need to Do
As you will be collecting sensitive information, you need to make sure that the person the data relates to has consented to its use. The easiest way to ensure this is to have a double opt-in on your email list forms, as this proves that consent has indeed been given. If you haven’t been gaining consent for your email lists up until now, you might need to ask the individuals on your list for consent specifically for GDPR so that you can keep a record of this. However, there are other reasons for holding data that do not rely on consent which may save you obtaining consent retrospectively.
Article 6 of the GDPR allows you to keep data on an individual if you need it specifically to complete a contract, for example, if you sell goods online you might need an address to know where to send your products. The storage of this address will come under this clause and you won’t need to obtain additional consent for its use.
There is also a clause that allows you to keep data if it is in the ‘legitimate interest’ of your company, but this is more loosely defined and you might fall foul of the regulations if the governing body in your country disagrees with your definition. For instance, if you have the email address of a customer because you have previously sold them a particular item, using this address to let them know that you have similar products that they might be interested in could fall under the realm of ‘legitimate interest’. As the rules have not been tested yet, and the regulatory bodies have not categorically clarified this clause, no-one can say exactly if that will be allowed. Therefore, it makes sense if you are simply marketing to your previous customers or keeping them updated on news or offers, then it is best to make sure you have a record of their consent regardless.
Additional Resources
For more information about GDPR, take a look at our post on how Infusionsoft are complying with the regulations.
If you give away a lead magnet as a way of persuading people to part with their email address, we also have a post about GDPR and Lead Magnets which explains how this process works, as well as one on GDPR and Facebook.
How We Can Help
And We Do This is an Infusionsoft Certified Partner and we can point you in the right direction for help and advice for achieving GDPR compliance. Get in touch to find out more.