General Data Protection Regulation and The Newsletter Plugin

The General Data Protection Regulation (GDPR) was adopted 27 April 2016 and will enter into application on 25 May 2018: it is a new set of laws that governs both how you communicate, interact with and store prospect and customer data for any of the European member states citizens. It also introduces some substantial changes to the way we are used to treat personal data until now. 

We already received many questions from our users regarding this topic, that can be summed up in: “Is Newsletter going to be fully compliant with GDPR?“. Long story short: yes it is and in this article we’ll try to cover all the crucial aspects of using our plugin within the new regulation. A quick note before starting: while GDPR  uses the term “subject data”, for clarity we’ll use here “subscriber data” instead.

Data processing agreement

Newsletter plugin stores subscriber’s data in your WordPress blog database and does not transfer any data to this site or to any services of our company. So you don’t need a DPA with us. Read more about data processing agreement.

What is subscriber data? 

Quite all the concepts expressed inside the GDPR run around the notion of “personal data“. The definition the new regulation gives is pretty strict: “Any information that could be used, on its own or in conjunction with other data, to identify an individual.”
In Newsletter, we store many information about the subscribers: from the email address to name and surname and IPs. Of course, this is not forbidden per se, but you’ll have to tell your users exactly what you keep track of and why are you doing that. The word to take home here is transparency, starting from the first step: consent.

How Newsletter treats consent

One of the most important aspects of the new regulation is how consent is given by the user and how to keep proof of it. To keep it simple, you have to be completely sure of what your subscribers give consent to during the subscription process.

In Newsletter, you are able to adjust your subscription form according to what kind of information you want to collect from your prospects: you can reach for these options from the “List Building” menu.

Two key aspects here: the double opt-in and the privacy checkbox.

The double opt-in, other than a good practice, is required by the law in many countries to confirm the will of the subscriber by having him to give consent two times before the actual service starts: you can read more in this article.

The privacy checkbox option, that you can find under “List building” > “Subscription form fields, buttons, label” menu, lets you add a mandatory checkbox that prevents form submit if your subscriber didn’t read your “Privacy policy” page and therefore all your data treatment disclaimers (which you should create, in any case).

The consent is any affirmative act a subscriber does while sending you its data, if clearly and correctly informed. The privacy checkbox is not strictly required but it’s required to have a link to your privacy policy page. You can use the privacy field configuration to add that notice as well.

Read more about consent on Getting consent with Newsletter plugin and “Re-ask confirmation to your contacts“. Special case: getting consent for imported subscribers.

Proof of consent

To keep proof of users consent is mandatory with the new GDPR rules. In Newsletter, when a user changes his profile, activating specific list, he could be giving you a specific consent, for example to send marketing email. Newsletter provides a logging feature which records every change the subscriber performs on his profile and what he changed with a timestamp.

Which data Newsletter stores

Besides name and email address, our plugin can collect other data if extra profile fields have been created. More importantly, Newsletter collects Ip addresses at the moment of the subscription and whenever a user performs an action on newsletters, if tracking is active. Ip’s are used for various features, from tracking to geolocalization.

How long does Newsletter keep subscribers data?

One of the requirements of the GDPR is that you make your subscribers aware of how long you are going to keep their data on your servers and to clearly state it in your T&C page. The reason behind this is to avoid keeping obsolete data or contact information, which reliability you cannot be sure of.
Inside Newsletter, you can deal with these requirements in two ways:

  • you can delete all subscribers with a status that makes them unreachable: bounced, unsubscribed, not confirmed and so on.
  • you can delete all subscribers who didn’t interact with you in a specified interval of time.

Performing these actions periodically helps you keeping your list clean and avoid losing valuable subscribers. You can find these options under Subscribers > Maintenance menu inside Newsletter.

Read more about deleting obsolete subscribers and how to massively manage your subscriber database.

Data export and portability

GDPR also requires to offer your users the ability to ask for a copy of their files for portability reasons. The downloaded data export file should be in a machine-readable format (not human readable). Newsletter by default collects only names and email addresses but if you took advantage of the extra profile fields, that data should be exported as well.

To simplify this process, we created a new special tag:

{profile_export_url}

You can use it in your profile editing page to create a link that generates a JSON export of the subscriber data. Read more on this article.

Data modification and integration right

Since Newsletter subscribers are able to access their own profile editing panel where they can change every detail whenever they feel like to, there’s nothing special to do about this, except for making this option as clear as possible.

Data removal

At this moment, Newsletter subscribers don’t have the ability to delete their own data: however we’re considering to add this option. You can delete the whole subscription from the administration panels. As of now, this will permanently delete the subscriber along with his data but we’re working on a full anonymization to prevent lost data to affect statistics or historical aggregate data.

Are you using an external delivery service? 

Most of the external Smtp providers are already GDPR compliant but it’s your duty to check carefully: you’re transferring name and email address to those providers every time you send an email to a subscriber. You should also state in your policy that you’re using external services. Usually they provide a DPA for their services, just get it from them.

What about your hosting provider? 

Your providers stores physically your data on their servers including your subscribers data, hence they need to be GDPR compliant. Usually they provide a DPA for their services, just get it from them.