GDPR legislation goes into effect in May, and most marketers will have to improve customer data privacy or face steep fines. In this presentation, Thomas Fontvielle from Signal Spam will share do's and don'ts for data privacy practices and reveal how these new regulations will affect deliverability.
PRESENTER
Thomas Fontvielle, Secretary General, Signal Spam
3. SIGNAL SPAM
• A non-profit organisation
• A public/private partnership: law enforcement, ISPs, e-mail security vendors, reputation providers, ESPs, marketers & brands, web hosting companies, the Data Protection Authority
• The national French spam & phishing reporting center
• An FBL, spamtraps and aggregated IP-level data program for senders
• A real-time phishing blacklist for trusted members
4. END USERS REPORTS
• Internet users register with Signal Spam and download a plugin for their messaging environment
• End users report anything they consider to be spam
• Signal Spam qualifies the report and extracts the relevant information
• Signal Spam sends the data to the members best suited to take action against that specific spam
5. (Diagram of Signal Spam's member categories:) Data Protection Authority; Web hosting companies; Routers (ESPs); Message senders; Police; Gendarmerie; ISPs (Internet access and messaging service providers); Security; Advertisers
6. Reports make it possible to:
• Identify cyber-criminals
• Inform the Data Protection Authority of law breaches
• Identify and clean compromised devices
• Unsubscribe Internet users from ESP and marketers' lists
• Improve best practices, promote Signal Spam's code of ethics, raise technical standards
• Improve messaging protective tools
8. GENERAL INFORMATION
• European Regulation 2016/679, April 2016
‣ Published May the 4th 2016
‣ Application delay: 2 years -> May the 24th 2018
• Direct application
‣ No transposition
‣ All member states
‣ Repeals directive 95/46/EC of October the 24th 1995
• GDPR makes provisions for fines of up to 20 million € for violations
9. WHAT GDPR WILL CHANGE IN THE FIELD OF EMAIL MARKETING
(Table: rules commonly admitted today versus the rules from May 25th 2018)
Consent
• Commonly admitted: required; existing customer relationship
• From May 25th 2018: required; weighing up of interests; existing customer relationship
Requirements for consent
• Commonly admitted: voluntary; explicit; transparent
• From May 25th 2018: voluntary; active, explicit; informed; written form not explicitly required though highly recommended; prohibition of coupling
Ability to give consent
• Commonly admitted: not always defined
• From May 25th 2018: from 16 years of age
Obligation of proof
• Commonly admitted: not always defined, double opt-in encouraged
• From May 25th 2018: burden of proof for the user of the declaration of consent
Possibility to revoke
• Commonly admitted: mandatory, though the way to do it is not always defined
• From May 25th 2018: must be included in every e-mail
Legal notice required?
• Commonly admitted: not always defined
• From May 25th 2018: must be included in every e-mail
Sanctions
• Commonly admitted: different within EU countries
• From May 25th 2018: fines up to 20 000 000 € or 4% of the total annual turnover of the company, whichever is higher
10. PRIVACY
(Diagram of general notions, principles, obligations and rights:) Reducing Data; Privacy By Design; Accountability; Security; Data Process Register; PIA; DPO; Breach Notification; Secure people's rights
11. How to minimise data
• Only collect strictly relevant data
• Reduce the number of files containing data
• Ban free fields
• Set up purge measures once the purpose is achieved
12. Profiling Requirements
• Profiling is regulated (art. 22 GDPR): when personal data enables decisions based on automated processing
• People can oppose it
• Requires a PIA (Privacy Impact Assessment) and specific information
13. Declaration of Consent For E-Mail Marketing
« Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her »
• Unambiguous
• Freely given
• Separate from other declarations
• Informed
• Capacity to provide consent
• Burden of proof
14. About Your Databases …
(Diagram of database obligations:) Quality of data; Lawfulness of data processing; Sustainability; Reducing data; Data Process Register; Specific information to prospects; Secure people's rights; DPO, a facilitator for people exercising their rights; Data conservation; Data update; Opt-in; Portability; Modification & suppression; Opposition & opt-out
15. Focus on Consent
• Identity and contact details of the Data Processor
• Identity and contact details of the DPO
• To what end the data is collected and the legal basis for it (for instance: legitimate interest, consent, etc.)
• Third parties
• Duration of data conservation / date of deletion
• Mention of the rights applicable to the data owner giving consent - art. 15/20 (opt-out, etc.)
• Mention of any automated process resulting in decision making
16. CRITICAL DATA
• Article 9 about « critical data »
‣ Political, religious, philosophical opinions
‣ Race, sexuality, health…
• Principle: critical data processing is forbidden
• Exceptions
‣ Health / public / research interests
‣ Processing by an NGO
‣ When the data was made public by its owner
18. LEGAL FRAMEWORK DOESN'T MATTER SO MUCH!
• Spam is all about perception
• Self-regulation mechanisms in France (IP, domain and list reputation) and Germany (whitelisting)
• Best practices & code of ethics
23. DELIVERABILITY ISSUES
• No false positives once 0.6% of a campaign's recipients report it
• Blacklisting at 1% or 2 000 reports
• Fragmenting campaigns across domains is dangerous
• Learn to work with ISPs and their messaging security vendors
• Watch out for bad customers
24. SUBSCRIBING TO FBL AND REPUTATION DATA
• Full ARF reports
• IP-level aggregated data from ISPs
• Spamtrap data on Orange recycled addresses
Ask for a data sample on your IP setup (thomas.fontvielle@signal-spam.net)
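As an added example (not Signal Spam's own code), the following parses a constructed ARF feedback report of the kind an FBL delivers and applies the complaint thresholds from the deliverability slide; the addresses, the IP and the X-Campaign-ID header are assumed sample values.

```python
import email

# Constructed ARF (RFC 5965) abuse report as an FBL would deliver it; addresses,
# IP and X-Campaign-ID are made-up values, human-readable first part omitted.
SAMPLE_ARF = "\n".join([
    "From: abuse-reports@isp.example",
    'Content-Type: multipart/report; report-type=feedback-report; boundary="p1"',
    "",
    "--p1",
    "Content-Type: message/feedback-report",
    "",
    "Feedback-Type: abuse",
    "Version: 1",
    "Source-IP: 192.0.2.10",
    "Original-Mail-From: <bounce@sender.example>",
    "Reported-Domain: sender.example",
    "",
    "--p1",
    "Content-Type: message/rfc822",
    "",
    "From: news@sender.example",
    "X-Campaign-ID: spring-2018",
    "List-Unsubscribe: <mailto:stop@sender.example>",
    "",
    "Here are this week's offers.",
    "--p1--",
])

def parse_arf(raw):
    # Extract the feedback-report fields and the campaign/unsubscribe data.
    msg = email.message_from_string(raw)
    if msg.get_param("report-type") != "feedback-report":
        raise ValueError("not an ARF feedback report")
    out = {}
    for part in msg.get_payload():
        if part.get_content_type() == "message/feedback-report":
            fields = part.get_payload()[0]   # parsed as a nested header block
            out.update({k.lower(): v for k, v in fields.items()})
        elif part.get_content_type() == "message/rfc822":
            orig = part.get_payload()[0]     # the message the user reported
            out["campaign"] = orig.get("X-Campaign-ID")
            out["unsubscribe"] = orig.get("List-Unsubscribe")
    return out

# Slide thresholds: 0.6% of a campaign reported is a reliable complaint signal,
# 1% of recipients or 2 000 reports is where blacklisting starts.
def complaint_status(reports, sent):
    rate = reports / sent if sent else 0.0
    if rate >= 0.01 or reports >= 2000:
        return "blacklist"
    return "genuine-complaints" if rate >= 0.006 else "ok"
```

Feeding each parsed report's campaign id into per-campaign counters, then calling complaint_status against the campaign's sent volume, shows where a list is about to cross the blacklisting line.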