The General Data Protection Regulations (GDPR) that went into effect on May 25, 2018, is intended to “harmonize” an approach to data protection across the European Union as well as provide greater protection and rights to EU citizens. The new regulations will have a broad effect on how organizations doing business in the EU or with EU citizens collect and handle data and potentially significant consequences for noncompliance.

The University of Pennsylvania’s Office of Privacy has been working with outside legal counsel versed in GDPR to provide guidelines for University staff.  An important factor to remember is that official compliance is still a long way off for most organizations, including Penn. According to the Office of Privacy, performing due diligence and a showing a documented intent to move towards GDPR compliance is what is expected in this “Phase 1” of GDPR compliance.

The Office of Privacy recommends the following steps that can be taken to begin complying with new GDPR stipulations:

1. Link to the new University Privacy Policy

The University has worked with outside counsel to develop a new, comprehensive privacy policy that should be linked to from any Penn-domain websites. This privacy policy will be automatically linked to from all websites that are currently on the Wharton CMS.

2. Add an opt-in consent checkbox to online forms

Getting Valid Consent – Under GDRP, consent must be simple and clear. Silence or inactivity will not constitute consent.

Though brought to the forefront with the rollout of GDPR, “opt-in consent” has been a largely ignored cornerstone of other e-privacy laws and is considered a best marketing practice with the benefit of making email lists more deliverable and contacts marketing qualified.

Once “opt-in consent” has been implemented, marketing emails should only be sent to those who are opted in and to legacy contacts that have not opted out.

Emails which are a response to an action taken, such as confirming event registration, change of venue, etc., are considered “transactional” and may be sent to all relevant parties regardless of their opt-in status.

MarComm’s Approach:

  • MarComm is taking a broad approach to “opt-in consent” for the business units that are operating on our platform. If a person opts-in they are opting-in to all connected units and they can manage their specific subscriptions via a shared subscription center.
  • The checkbox option to “opt-in” to marketing emails is only shown to visitors who have not previously opted-in.
  • The date a contact consents to “opt-in” to receive marketing emails is stored in their contact record.

Example Consent Question on Form:

General Marketing Opt-in Consent Question

3. Send a 'Wash' Email

A “wash” email is intended to provide customers or leads in your database with an opportunity to ‘opt-out’ of receiving further correspondence.

This wash email is intended to be sent to contacts that were acquired prior to implementation of opt-in consent. Those contacts who have already opted-in do not need to be sent the wash email.

In sending your wash email to existing contacts, you may develop a communication tailored to your audience that addresses future electronic communications with an introduction of your choice. The important paragraph to include in any such communication is the information below (in italics).  The Privacy Office will be happy to review your proposed wash email.

We at UPenn value our relationship with you. We periodically send you [news, announcements and invitations to events/special offers/program information – a description of whatever is sent] because we believe that you elected to be on our mailing list.  In accordance with changes in the law we wanted to provide you our updated privacy policy. If you would like to be removed from our mailing list and cease receiving [news, announcements and invitations to events/special offers/program information – again same description of whatever is sent] from us, please click [here].

4. Ensure data agreements exist with your vendors

When conducting business with outside vendors, it is the responsibility of the internal business unit to ensure that the vendor is following GDPR-level data collection practices, such as the ones described in this article.  These data collection and storage practices should be outlined in a statement of work or in a licensing agreement.

Protecting Privacy

Ultimately, regulations like GDPR will force business units at the School, and ultimately the University, to work more closely in order to fully comply with the growing regulations around data privacy.

One step that MarComm is taking is to create a Wharton-wide email subscription center for anyone using Wharton’s MarComm supported email platform. MarComm will also be treating the data of all visitors with equal privacy, no matter if they come from Europe, the U.S., or anywhere else in the world.

More Information about GDPR

How do the regulations seek to protect consumers?

Broad jurisdiction. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides.

Strong penalties. Breaches can cost companies up 20 million Euros or up to 4 percent of their annual global turnover. Some infractions are less expensive but still represent a significant penalty.

Simplified and strengthened consent from data subjects. Consent must be given in an easy-to-understand, accessible form, with a clear written purpose for the user to sign off on, and there must be an easy way for the user to reverse consent.

Mandatory breach notification. Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of its discovery. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.

A reiteration of important consumer rights. This includes the data subject’s right to get copies of their data and information on how it’s being used and the right to be forgotten, also known as Data Erasure. Additionally, it will also allow customers to move their data from one service provider to another.

Better systems. In order to comply with the core foundation of “privacy by design,” GDPR requires processes to be built with data protection in mind, rather than treated as an afterthought.

Specific protection for children. Since children are generally more vulnerable and less aware of risks, GDPR includes guidance that includes parental consent for children up to age 16.