GDPR is here, and LeadFWD is ready. Our platform now features new tools designed to make it easier for you and your team to comply with GDPR. This page reviews what you'll need in order to set up the new features. The functionality detailed is now live for all LeadFWD users. Please remember that LeadFWD cannot and does not guarantee your compliance with GDPR.

GDPR Summary

  1. Basics
  2. Cookies
  3. Legal Basis
  4. Set Legal Basis with Automation
  5. Right to Access and Erase
  6. Enabling Privacy Guard

Basics

Does GDPR affect my organization?

GDPR affects any organization that offers goods or services to EU residents, or processes data on EU residents including monitoring of behavior, regardless of the organization’s location.

What does GDPR apply to?

GDPR impacts personal information about people. Personal information can include, without limitation, name, email address, mailing address, picture of person, social links and IP address. The regulation also has strict rules for sensitive information such as medical history as well as for children’s data. Sensitive personal information under GDPR also includes such data elements as the racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, sexual life, and criminal background.

GDPR generally does not apply to company data or any other non-person data e.g Company Revenue.

Roles under GDPR

A ‘data controller’ is a natural or legal person, entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A ‘data processor’ means a natural or legal person, entity, public authority, agency or other body which processes personal data on behalf of the controller.

As a user of our platform, you are the data controller. You determine what information to capture on your own prospects or customers (data subjects), and how the data will be processed. LeadFWD is a data processor as it only processes data on its service that the controller wants to process. If you leverage a CRM in your software stack, then that would be another example of a data processor.

What is data processing?

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

What are the responsibilities of data controllers?

LeadFWD users are the data controllers and are required to have their systems and processes in place to comply with GDPR. LeadFWD is not responsible for customers' obligations as data controllers. The complete text of the GDPR is publicly available here for reference. We encourage you to reach out to your counsel and/or compliance group to ensure your organization complies with GDPR. LeadFWD does not and cannot guarantee full compliance with GDPR in our role as a data processor.

Cookies

Under the GDPR, visitors need to be given notice that you’re using cookies on your website (in a language that they can understand) and need to consent to being tracked by cookies.

In LeadFWD, you can capture a visitor’s consent for cookie tracking. And we’ve just launched the ability to add consent banners to Site Monitor domains.

Meet, Larry. Larry is going to help walk us thru Privacy Guard from the perspective of a Contact record.

Under the GDPR, you’re required to have a legitimate reason, called a lawful basis in the regulation, to use Larry’s data. That reason could be consent (he opted in) with notice (you told him what he was opting into).

Consent is one of those lawful basis, but it’s not the only one. There are six listed in the regulation but the two other key ones for sales and marketing are:

Performance of a contract. For example, if Larry is your customer, you can email him a bill.

Legitimate interest. For example, Larry might be a customer, and you want to email him direct marketing materials about products you sell related to the one he uses. Legitimate interest can be tricky and while it is flexible, it may not apply to your particular use-case. You will want to conduct a thorough review with your compliance officer or legal counsel to make sure your use case qualifies.

More reading: (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/)

In the LeadFWD platform, we’ve broken down lawful basis into two broad categories: legal basis both to Process (e.g. store Larry’s data in LeadFWD and fulfill requests like sending a whitepaper requested through your website) and to Communicate (e.g. send Larry a marketing email or have a sales rep call him). While it may seem obvious, it’s worth stating: it’s possible to have legal basis to process but not to communicate. If that’s the case, under the GDPR, you can’t communicate with Larry.

In reality, you need consent to process and communicate:

In the LeadFWD platform, without the right to process a record cannot be added or stored and without the right to communicate the status of the record will be unsubscribed.

In LeadFWD, you have a new default field to track lawful basis for processing called “Legal Basis”. The Legal Basis field contains pre-defined options that match the lawful basis requirements set by GDPR.

  • Communication and Processing
  • Legitimate Interest
  • Processing only [will also set a data subject to unsubscribed]
  • Existing Customer
  • Performance of a Contract
  • Not Applicable

We’ve also overhauled our subscription setup to make “lawful basis to communicate” easy to track too (including consent). You can now track opt-ins in LeadFWD (rather than just “opt outs”). We’ve added these subscriptions to the contact record (so they’re easy to track/audit). And we’ve made them accessible via forms.

You may need lawful basis to communicate with your contacts. If you don’t have it, consider creating subscription types, updating your existing database using automation to set the legal basis (with a permission pass campaign or another method), and setting up your forms to establish legal basis moving forward.

Not every incoming lead or customer record will originate from a form attached to LeadFWD. You're also likely to have data that already existed long before GDPR entered your view. The good news is that we make it simple to update Legal Basis with the appropriate consent and legal basis using automation.

Remember that you need to ensure that you have an audit trail to validate the Legal Basis that you set for a contact. LeadFWD will not be able to provide or validate a digital trail to support a legal basis that does not originate from our platform (i.e. landing page or form). As the data controller the final responsibility rests with you to be compliant.

inbox25-automation-legal-basis-change.png

You can set the legal basis field property manually or via Automation (shown above). Automation makes it easy for data controllers to set records to Opted-out or Inactive, if they do not have a proper Legal Basis assigned. Automation will also enable you to set Legal Basis for existing customers or data subjects that have given you consent through an alternate channel before or after GDPR comes online.

Right to Access and Erase

Under the GDPR, your contacts can request that you give them a copy of all the personal data you have about them, or delete/modify it.

In LeadFWD, we’ve added a new “Request erase” function that permanently deletes a contact (rather than storing their information, in case they ever re-convert).

Privacy Guard was designed to streamline data subject access requests to make compliance less of a burden. With our GDPR-ready Preference Center, your contacts have direct control to withdraw consent, request that their personal data be deleted or request a copy of their personal data profile. All of which are automated processes that can be quickly moderated by your Data Protection Officer using our Privacy Manager.

Enabling Privacy Guard

Settings > Privacy Guard > Settings

inbox25-privacy-guard-settings.png

In addition to the Legal Basis status field, we have also introduced a date/time field to track the most recent change to your Legal Basis. Both of these fields can also be synchronized with your CRM (SugarCRM, SuiteCRM or Salesforce).

inbox25-sync-lawful-basis-with-crm.png

Privacy Guard for GDPR

Larry's journey with ABC Widget Corp. might start on ABC’s website. GDPR includes certain rules about how ABC Widgets can track Larry’s activity on its website. Specifically, if ABC Widgets is using software that tracks Larry using cookies (like LeadFWD or Google Analytics), under the GDPR, Larry needs to be given notice that ABC Widgets is doing so (in a language that he can understand) and needs to consent to being tracked by cookies. In addition, he needs to be able to opt out of cookie tracking as easily as he opted in.

Check-list to setup your cookie policy:

  1. Link to your GDPR-compliant Privacy Policy
  2. Explicit, plain language that describes how you’re tracking your visitors
  3. Select a cookie policy by Site Monitor domain or by specific landing page.
sitemonitor-inbox25-cookie-settings.png

Cookie policies are configurable by domain and/or specific landing page. This enables you to custom tailor your cookie management based on your intended geographical audience. For example, you could set up your European websites (e.g. abcwidgets.de) to require explicit cookie opt-in, while only showing notice (without requiring consent) on other domains or landing pages that do not target or receive traffic from the E.U.

Our cookie consent options also include customizable banner alert to make your visitors aware of your cookie policy and to also capture consent.

sitemonitor-inbox25-cookie-alerts.png

Cookie consent does not transfer from one Site Monitor domain to another Site Monitor domain. Your visitors will have to consent to cookie tracking from Site Monitor on each unique domain that you have configured with Site Monitor.

landingpages-inbox25-enable-cookie-settings.png

Landing Pages (hosted by LeadFWD) can utilize cookie consent from any Site Monitor domain, since lead generation pages you create are mostly domain agnostic and can be linked from any site or domain you control. However, cookie consent that is obtained from a landing page directly (when cookie consent alerts are enabled on an individual landing page) instead of a Site Monitor domain will only extend to that specific landing page and any others hosted by LeadFWD. Cookie Consent granted by a visitor on a Landing Page does not transfer to a Site Monitor domain.

To add a Cookie Policy to your landing page, simply click Enable Cookie Consent from the Landing Page Builder and then Manage Consent Notice.

Per the GDPR, your data subjects and visitors must have the ability to modify their cookie consent and manage their other communication consent preferences. For cookie management your visitors will have the option of revising their previous cookie settings by clicking on a cookie management badge. Administrators can opt to place this badge in either the bottom left or bottom right corner of their site.

Landing Pages and Forms

Our Consent form field is the foundation to creating GDPR-ready landing page forms. Much like the rest of our GDPR framework, the feature alone does not equate to compliance. It's just another step in a process that you, the data controller, are ultimately responsible for.

inbox25-privacy-guard-field-types.png

When employed, the Consent field will serve to collect consent from your data subjects through two checkbox fields:

When your Legal Basis is ‘Explicit Consent for Communication and Processing’ then both of these fields will be required in order for this data subject to be processed by both LeadFWD and your CRM for outbound communication. If you're working with implicit consent to process (more on this below for Legal Basis #2) then no checkbox for Processing will appear.

inbox25-consent-landing-page-consent-field-canvas-view.png

The consent to communicate checkbox will reveal a list available subscriptions (levels of consent) that your contact can choose. The list will be displayed once the consent to communicate checkbox is ticked.

inbox25-consent-landing-page-consent-live-preview.png

Hosted Forms vs. Embedded Forms

The Consent field list display for Communication Consent > Subscription/Preference options is a dynamic function that is updated in real-time whenever your subscription categories are modified.

However, if you choose to embed the form on your own site page, the otherwise dynamic checkbox list will become static and will contain only the list of subscriptions which existed at the time you saved/exported your form source. Any changes to your subscription categories will require that you re-export and import the updated form source for the list.

inbox25-consent-landing-page-consent-field-inputs.png
  1. Description field
  • This field should be leveraged to set forth your policies for communication and processing. Consent cannot be generic or blanketed and must be specific. Your data subjects must be informed of everything they’re consenting to and ultimately given control to grant and revoke at anytime. A recommended best practice would be to provide a link to your GDPR-compliant Privacy Policy and also the Preference Center, so your data subjects understand they can manage/modify their Consent at any time.

Consent to Communicate checkbox label

  • Customize the language for this checkbox (i.e. I agree to accept communication from [company] and understand that I may withdraw or modify my consent at any time.)

Consent to Process checkbox label

  • Customize the language for this checkbox (i.e. I agree to the processing of my personal data from [company] and understand that I may withdraw my consent at any time.)

Please note: if the contact (email address) has active consent in your marketing platform and subsequently doesn’t check the consent to communicate box when they submit a GDPR enabled form,this is not an equivalent to the contact opting out or withdrawing their consent. There is a different process for withdrawal of their consent that they must follow instead through their personal Preference Center.

The Notice and Consent setting will govern whether or not your landing page and form will be targeting traffic that must be comply with the GDPR requirements. Notice and Consent requires that you specify the Legal Basis that will be enforced with submissions from your form.

inbox25-consent-landing-page-gdpr-notice.png

When this legal basis option is selected, the following requirements must be met:

  1. The Consent field is required to be present on your form.
  2. Language must be added to explicitly communicate to your data subject what they’re consenting to (Communication and Processing of personal data) and explaining how this consent can be revoked. A direct link to your GDPR compliant Privacy Policy is highly recommended.

Right to Communicate (checkbox)

The Preference Center must be enabled, so that we can display the specific subscription options that your data subjects can 'opt-in' to for communication. These options will appear automatically on-tick of the consent box for Communication. Data subjects can grant the right to communicate without selecting a subscription option, but the responsibility will be on you (the data controller) to ensure you’re still explicitly stating what the communication could be (general updates, news, etc.).

If Communication Consent is not ticked/selected, then the record will automatically be added with a status of unsubscribed.

Right to Process (checkbox)

Your data subject must explicitly consent to the Processing of their Personal data by ticking the Consent to Process box.

If this checkbox is not ticked, then the form submission will not be processed, as LeadFWD in the role of data processor cannot process their data without consent.

  1. LeadFWD will automatically set the Legal Basis field to ‘Communication and Processing Consent’ when these options are explicitly accepted by your data subject. The data subjects Timeline report will also specifically note the changes and date/time stamps for future auditing.
  2. If you have enabled the CRM Sync function for Legal Basis, we will also sync these values to your CRM if the data subject is also stored in your CRM (or if they were added as part of the form submission).

When this legal basis option is selected, the following requirements must be met:

  1. The Consent field is required on your form
  2. Language must be added to explicitly communicate to your data subject what they’re consenting to (Explicit consent for Communication and Implicit consent for Processing of personal data) and explaining how this consent can be revoked. A direct link to your GDPR compliant Privacy Policy is recommended.

Right to Communicate (checkbox)

  1. The Preference Center must be enabled so that we can display the specific subscription options that your data subjects can 'opt-in' to for communication. These options will appear automatically on-tick of the consent box for Communication. Data subjects can grant the right to communicate without selecting a subscription option, but the responsibility will be on you (the data controller) to ensure you’re still explicitly stating what the communication could be (general updates, news, etc.).
  2. If Communication Consent is not ticked/selected then the record will automatically be added with a status of unsubscribed.

Right to Process (no checkbox)

  1. Your data subject must be informed that by submitting the form, they are consenting to having their personal data processed. This notice can be easily added to the rich text area that is provided in the Consent field options.

Legitimate interest is by far the most flexible Legal Basis, but it may not be the best or even qualify for your use case. As we mentioned above, meeting the burden of this Legal Basis category really depends on a number of factors and is by no means absolute. It is the absolute responsibility of you (data controller) to seek legal advice from an expert before employing this option, to ensure your use case meets the criteria.

When Legitimate Interest is selected the Consent field is not required and it is the responsibility of the data controller to explicitly communicate how you intend to utilize the subjects personal information on your page/form.

It is possible to include a Consent field even if you select Legitimate Interest as the Legal Basis for your page/form. If your data subject does grant Consent for Communication and Processing, then that Legal Basis will be reflected for the data subject even if the primary notice is Legitimate Interest. If they ignore the Consent checkboxes, we’ll simply set the Legal Basis to Legitimate Interest in their profile.

  1. LeadFWD will automatically set the Legal Basis field to ‘Legitimate interest’ when the form is submitted. The data subjects Timeline report will also specifically note the changes and date/time stamps for future auditing.
  2. If you have enabled the CRM Sync function for Legal Basis, we will also sync these values to your CRM if the data subject is also stored in your CRM (or if they were added as part of the form submission).

There are a few mechanisms that allow for the changing of the Legal Basis for a data subject:

  1. Automation Track with a data field change action.
  2. Manual change to the data field from a data subjects Timeline report.
  3. Data subject can make a change to their Preference Settings directly.
  4. Data subject could convert/submit on a new landing page form.

Common Scenarios

#1. Never email me again.

Scenario: Larry opts to end all future emails via the Preference Center with a current Legal Basis of Communication and Processing.

Response: Larry’s status is changed to Unsubscribed and his Legal Basis is changed to Processing only

Scenario: Larry’s status is changed after a series of failed deliveries, to ‘Bounced’.

Response: Legal basis stays the same, but the data subject will not be sent emails until their email address is updated and their status reverted to Active.

Scenario: Larry’s status is manually set to Inactive via a CRM action or via Automation.

Response: Larry’s Legal Basis stays the same.

Scenario: Larry wants to withdraw both his Communication and Processing consent.

Response: Larry needs to request the Withdrawal and Erase option in their Preference Center. Once Consent to Process personal data is revoked, Larry’s data can no longer be stored in LeadFWD.

#5. Previously unsubscribed Contacts can re-activate under Legitimate Interest.

Scenario: Larry has a status of Unsubscribed and a Legal Basis of Processing only. Then subsequently converts on a form configured with a GDPR notice for a Legal Basis of Legitimate Interest.

Response: Larry’s status is changed from Unsubscribed to Active and his Legal Basis is changed to Legitimate Interest from Processing only.

Scenario: Larry has a status of Unsubscribed and a Legal Basis of Processing only.

Then subsequently converts on a form configured with a GDPR notice for a Legal Basis of Communication and Processing, while also ticking both the Processing Consent and Communication Consent checkboxes.

Response: Larry is changed to an Active status and his Legal Basis is changed to Communication and Processing.

Scenario: Larry has a status of Active with a Legal Basis of Communication and Processing, Existing Customer or Performance of a contract. Then subsequently converts on a form configured with a GDPR notice for a Legal Basis of Legitimate Interest.

Response: Larry remains Active and his Legal Basis is unchanged.

Scenario: Larry is Active with any Legal Basis value. Then subsequently converts on a form configured with a GDPR notice of Legal Basis of Communication and Processing, but only ticks the Processing checkbox.

Response: Larry’s existing Legal Basis will remain unchanged. If Larry previously consented to Communication, then that consent remains. The inaction of not ticking the Communication Consent checkbox, when Consent was already obtained, does not amount to a withdrawal of his previous consent. Any withdrawal must be as explicit as the original consent and those requests can be made via the Preference Center.

Preference Center

The Preference Center empowers contacts to take control of their consent and for you, the marketer, to better segment your data based on what your recipients actually want to receive.

Managing the Preference Center is incredibly simple and once enabled and configured, it applies to every Marketing list or CRM database (via SymSync). Which means every contact will instantly have their own unique Preference Center settings to access and personalize. The Preference Center can be accessed from any email sent via LeadFWD (from the email footer) or you can hyperlink your web site directly (more below).

Create subscriptions

Once you enable the Preference Center you will want to create your subscriptions. A subscription is nothing more than a segment or category of content or communication that you want to present to a contact as an option that they can 'opt-in' to.

inbox25-preferences-add-manage.png

Simply select a name for your subscription, describe the content to your recipients and click save.

Automatically add (+) contacts to a new Subscription

You can choose to automatically subscribe full lists and segments to subscriptions when you create them. This is mostly to satisfy the chicken or the egg scenario, where you're adding the Preference Center after your database is already matured and active. This is especially useful for folks that run external consent campaigns or already have segments created based on consent or preferences.

Right to Access Management

In order to satisfy the GDPR requirements for subject data access requests and to make the process practical and near burden-free, we’ve introduced two options to our Preference Center to accommodate Right to erase and Right to access.

inbox25-manage-preferences-right-to-access-buttons.png

When enabled, these options will permit your data subjects to request either a full transcript of their data profile or request their data be completely purged. There are no additional forms or internal tools to develop to solicit this feedback from your contacts, our Preference Center will handle all of the requests with the click of a button.

Subject data access requests are managed through our new Privacy Manager.

inbox25-privacy-guard-subject-access-right-gdpr.png

Enable for Preference Center by navigating to Settings > Privacy Guard > Privacy Settings

The Preference Center is no longer exclusively accessed via your email footer. You can now link your web site or app directly to the Preference Center interface and your contacts can seamlessly locate and manage their profile.

inbox25-manage-preferences-find-me.png

Locate your unique link by navigating to Settings > Privacy Guard > Privacy Settings

Resubscribing and Reactivating Contacts

The Preference Center can be leveraged as a tool to reactive records that have either unsubscribed previously, bounced due to an invalid email address or that revoked their communication consent. In those scenarios that Preference Center is ready to help them get reactivated and subscribed.

Duplicate Contacts by email address

While we strongly discourage the duplicate records as a general best practice, we understand they do sometimes occur. Our Preference Center is designed to sync communication preferences across all list types (Marketing and CRM database with CRM connector add-on). This always means that Right to erase requests and status changes related to consent will filter to every record (matched by unique email address).

Timeline for Auditing

The Timeline report will capture all changes to legal basis (including timestamp), communication preferences and status in chronological order for every contact.

inbox25-privacy-guard-timelinereport.png

Privacy Manager

Settings > Privacy Guard > Privacy Manager

Under the GDRP your data subjects (Contacts) have the right to erasure and the right to access. In other words, a data subject (Contact) has the right to be permanently deleted from your database, with no questions asked. They also have the right to have access to the personal data you have stored in your database in a machine readable format (i.e. CSV or Excel).

The good news is that we’ve made it easy to meet both of these requirements, just by clicking a couple of checkboxes.

Right to erase

Requests for erasure and access are funneled into the Privacy Manager to be moderated by an Administrator. The actual delete process will not occur until the request is accepted by an Administrator. Even then, if you find a request was in error or if the data subject decides to rescind there is a 10-day ‘undo’ period. After 10 days the data cannot be recovered under any circumstances.

inbox25-privacy-manager.png

To help ensure data continuity within the LeadFWD platform, all completed delete requests will instantly convert marketing data points such as web visits, email opens, etc. into anonymous actions. They will no longer be linked or associated to a specific data subject. They will never again be able to be related or associated back to a data subject. Within the Privacy Manager we will maintain an obfuscated view of the email address for a data subject that was forgotten for future validation and to ensure that record is never accidentally imported or recreated.

Right to erase for SugarCRM, SuiteCRM and Salesforce

Administrators can opt to soft-delete records automatically in their CRM when a data subject requests to be erased/forgotten via LeadFWD. This process is optional and it would apply only to data subjects that are linked to your CRM with the CRM connector add-on. The soft-delete is not immediate and once an erase request is accepted by an Administrator the data subject will immediately be flagged as unsubscribed in LeadFWD and opted-out in your CRM.

After the 10-day grace period (which enables you to undo the erase action) is reached, the LeadFWD copy of the data subject will be purged and their record will be marked as deleted in your CRM.

Right to access

Requests for access are handled automatically by LeadFWD and a transcript CSV will be emailed to your data subject instantly upon request. You can follow these requests and see when the CSV is downloaded via the Privacy Manager as well.

Audit log

The Privacy Manager captures every action taken in response to a data subject access request, including interactions with your CRM.

inbox25-privacy-guard-privacy-manager-audit.png
Did this answer your question?