On May 25th the General Data Protection Regulation (GDPR) will go into effect. GDPR is a new European Union (EU) regulation that will improve the protection of personal data of consumers in the European Economic Area (EEA) and increase the responsibility of companies that collect, store or process personal data.

We take privacy and data security seriously at Wyng and comply with current data protection laws. We have spent the last year preparing for GDPR by improving our platform, operations and processes in order to help our customers meet their obligations under the GDPR.

Below, we’ve pulled together information on the GDPR, requirements under the GDPR, and what we are doing at Wyng to help our customers prepare.

Disclaimer: The information provided here is not legal advice and should not be used to interpret the GDPR regulation or determine its applicability to your business specifically. Companies should assess their own data collection, storage and processing practices (including their use of Wyng), and seek their own legal advice to prepare for, and ensure compliance with, GDPR.

What is the GDPR

In an effort to enhance consumer privacy and the protection of personal data, the EU developed the GDPR, which is an EU privacy law that will regulate how personal data belonging to consumers in the EEA is collected, managed and used by businesses. The GDPR will replace the Data Protection Directive (DPD) which has been in effect in the EU since 1995. The full text of the GDPR is here and key terms are defined here.

Who is Affected by the GDPR?

The territorial scope of the GDPR is defined in Article 3(2).  The GDPR provides the same protections to all consumers in EU member states and European Economic Area (EEA) countries. With respect to Wyng campaigns, GDPR applies to any data collected from consumers in any EEA country, including the UK.

What Data Does the GDPR Cover?

The GDPR protects personal data, which includes any information relating to an individual that can be directly or indirectly identified. Examples include:

• Name
• Address
• Location data
• Online identifiers (e.g., IP address, social media handle, photos)
• Identification numbers

As a User of the Wyng Platform, What Are My Obligations under GDPR?

GDPR regulations apply to brands and agencies using Wyng to collect consumer data -- e.g. consumers submitting a form as part of a campaign landing page, or consumers sharing photos or videos with a brand as part of a social media #hashtag campaign. Brands and agencies that use Wyng in this way are considered “Data Controllers” under GDPR. (As a technology provider, Wyng is considered a “Data Processor” under GDPR. We discuss the obligations of Data Processors later in this article.)

As a Data Controller under GDPR, when you collect personal data from consumers located in the EEA, you are obligated to:

• Let each consumer know how you will use their data. You must communicate to consumers in “clear and plain” legal language that is easily distinguishable from other matters.
• Get consent from consumer. Consent must be “freely given, specific, informed and unambiguous”. Your intended use of the personal data must inform the consent. Moreover, consent must be based on the consumer taking an affirmative action to opt-in. “Silence, pre-ticked boxes or inactivity” do not constitute consent.

More details about Data Controller’s burden of proof and requirements for consent can be found here.

Here are examples of how Wyng can be used to obtain consent in campaigns:

• For campaigns that use forms to collect personal data from consumers in the EEA, a checkbox on the form enables consumers to provide affirmative, opt-in consent.
• For campaigns that target consumers in the US only, a checkbox may be used to confirm each entrant is located in the US at the time of participation.
• For campaigns that encourage consumers to share UGC with a brand through social media, where the brand would like to display or distribute the UGC on other channels, it is best practice for the brand to obtain consent from the consumer. A brand may obtain consent by commenting with a link to a form (which includes the appropriate checkbox) where the consumer can provide positive, opt-in consent. Alternatively, commenting “Thanks for sharing your photo with us! Reply with #iagree to allow us to reuse your photo on our website and in our email marketing,” also gives the consumer an opportunity to provide consent as part of their reply.
• For campaigns that involve consumers sharing UGC with a brand through social media, where the brand keeps a copy of the UGC but does not intend to reuse the UGC, consent may not be needed. This is similar to a consumer emailing a brand’s support address (e.g. support@xyz.com) -- it’s OK to keep a copy of the content and reply to the consumer without consent, but that doesn’t mean the person’s email content or email address can be used for other purposes.

As a Data Controller, you also need to have a data processing addendum agreement in place with any third party that you share data with, where that third party is a Data Processor as defined under GDPR. As a Data Processor, Wyng provides a Data Processing Addendum (DPA) that you can request and sign -- click here to request a copy of our DPA.

Another obligation under GDPR is providing consumers with the power to choose what happens with their personal data. Businesses must be capable of responding to requests from consumers regarding:

• Withdrawing consent
• Deleting personal data
• Objecting to processing personal data
• Exporting personal data outside the EEA
• Accessing personal data and correcting errors
• Intended use of personal data

What Is Wyng Doing to Help My Business Comply with GDPR?

We are committed to helping our customers comply with the GDPR.

As a “Data Processor” under GDPR, the Wyng support and customer success teams are staffed and equipped to handle requests from consumers and our customers related to personal data.

Consumers can contact privacy@wyng.com to inquire what personal data of theirs is stored, correct their personal data, or delete their personal data from our systems. Likewise, Wyng customers can forward requests they receive from consumers to privacy@wyng.com.

Wyng customers can also contact support@wyng.com with requests related to personal data processed by Wyng on behalf of the customer -- for example, to delete all data from one or more campaigns.

In addition, Wyng provides several features and capabilities to help you keep your campaigns compliant:

• Our editable campaign canvas and forms make it as easy to add positive, opt-in consent checkboxes to your forms, and clearly communicate to consumers how you plan to use their data both in the campaign experience, and by linking to your privacy policy.
• The Wyng Platform includes comprehensive privacy and security features and audits to ensure the safe handling of personal consumer data globally, including automatic encryption of data in transit and data at rest, separation of data, OWASP compliance audits, and anti-malware scans.
• Our consumer data, privacy, and cookie policies are compliant with EU Cookie Policy and the EU GDPR.

Finally, as a Data Processor under GDPR, Wyng can only store personal data on behalf of a customer as long as there is an ongoing business relationship between Wyng and its customer. Wyng is obligated to delete personal data stored on behalf of a customer following termination of a business relationship.

In May, we will be updating our Privacy Policy and Terms of Service to include a Data Processing addendum.

Are There any Benefits of the GDPR for my Business?

Yes, GDPR presents real opportunities for businesses and marketers -- here are a few:

1. Improved Data Quality. With the GDPR in effect, savvy brands will reduce their reliance on third-party data, and instead focus on first-party data. Third-party data is often purchased in bulk from data brokers and is often collected with questionable consent and shared without consent.  First-party data is data that brands collect, with consent, directly from consumers engaging with the brand. First-party data -- which includes data collected in digital campaigns, social promotions and activations -- tends to be much higher quality than third-party data. This emphasis on quality over quantity will help businesses and marketers identify more meaningful datasets and insights that will help to drive ROI and overall value.
2. Improved Campaign Experiences. High-quality data enables brands to deliver more authentic, personalized experiences for consumers across marketing and advertising campaigns. Better, more accurate data enables your teams to concept and launch campaigns that will resonate with your target audiences and perform better.
3. Create More Trusting Relationships with your Consumers. The GDPR will also help to create more trusting relationships between you and your consumers. Having access to better data and insights on the experiences that your consumers want from you, will help you to tailor your campaigns that your consumers will want to participate in. Further, the additional level of transparency on how your business plans to use their data will help to assuage any concerns or misgivings about your business and your relationship with them as consumers.

What do I do now?

GDPR goes into effect on May 25th, so there is still more than enough time for you and your teams to get ready. Be sure to follow our blog and keep tabs on our What’s New page to stay up to date with our progress. We are excited about the opportunities that GDPR has for us all to become better partners with our consumers.

Be sure to check out our full Security and Privacy Hub for more information HERE.