Instant Magazine and GDPR Compliance
By Dennis Looijenga
No matter what type of business you have or where in the world you’re located, you’ve probably heard a lot about the EU’s new data privacy law, the GDPR. In this blog post, we’ll touch on the basics of the GDPR and bring you up to speed on what we’re doing to ensure compliance, both for Instant Magazine itself and for those who use our tool.
Disclaimer: We wrote this blog to provide general information, it isn’t intended to provide legal advice. To understand the full impact of the GDPR on your company please consult an independent legal and/or privacy professional.
The General Data Protection Regulation (GDPR) is a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways. The GDPR applies not only to EU-based businesses but also to any business that controls or processes data of EU citizens. It will come into force on the 25th of May, 2018.
At Instant Magazine, we’re hard at work ensuring all of our own business practices are GDPR-compliant. But even more important to us is helping you, our users, understand what the GDPR means for your business.
GDPR terms in a practical example
There are a number of important terms related to the GDPR that you’ll see a lot: the controller, the processor, the data subject and personal data.
Let's explain these terms with a practical example:
Meet Annabel, an EU citizen. Let’s say Annabel’s data has been recorded in your CRM. In this case, Annabel is a “data subject” and your company is the “controller” of her “personal data” (any information that could be used to identify Annabel). If you acquired Annabel’s contact information via Instant Magazine (e.g. through a form), then Instant Magazine acts as the “processor” of Annabel’s data on behalf of your company.
With the introduction of the GDPR, data subjects like Annabel are given an expanded set of rights, and controllers and processors are required to adhere to an expanded set of regulations. If you’d like to know more about the new rights and regulations, you can read the GDPR in full here: https://gdpr-info.eu/.
We’re developing a number of new features to help you comply with new GDPR regulations. Most of these features will go live before the 25th of May, 2018. Check out our product roadmap to stay up-to-date. Here’s a rundown of the new features:
IP address anonymization
Under the GDPR, an IP address is considered personal data because it can be used to identify a person. If you’ve connected your publication(s) to Google Analytics, you may want to anonymize IP addresses so they will not be recorded in Analytics. This new feature allows you to do so.
In order to analyze the performance of our platform we also include our own UA code in every published publication. IP addresses are anonymized per default for this property.
When this features goes live, you’ll find it under Publication Settings > Marketing > Anonymize IP.
We’re introducing a brand new Cookie Consent feature in the Drag & Drop editor. This feature allows you to obtain cookie consent from those who visit your publication. We’re leaving the cookie wall feature in the original editor as is.
Keep in mind that this new feature might evolve based on the upcoming EU ePrivacy Regulations.
In the original editor, you’ll find the existing feature under Publication Settings > Basic > Cookie wall.
When this new feature goes live in the Drag & Drop editor, you’ll find it under Publication Settings > Basics > Cookie consent.
Deleting form submissions
The GDPR empowers individuals to exercise their right to be forgotten, meaning that you’ll need to delete their data without undue delay if they ask you to do so. If you collect personal data using Instant Magazine (e.g. through a form), this new feature allows you to delete form submissions and all the included data from your account (and our servers) completely.
When this feature goes live, you’ll find it under Dashboard > Account > Stored data.
Existing product features
We’d also like to touch on some existing product features that are either already compliant or where conflicts could potentially arise.
Personalization and Google Analytics
Be aware that if you’re using personalization tokens that include personal data like names or email addresses, and have also connected Google Analytics to your publication(s), these tokens will appear as parameters in the URL and therefore will also be recorded in Google Analytics.
Collecting this data in Google Analytics breaks Google’s Terms of Service. You can ensure personal data is not recorded in Analytics by adding appropriate variables to the ‘Exclude URL Query Parameters’ field in your Google Analytics’ view settings.
The exact changes you need to make are dependent on your Google Analytics setup. Read more about how this works here: https://support.google.com/analytics/answer/1010249?hl=en. You are responsible for the data you collect with Google Analytics, so be sure to look into this issue.
If you use Instant Magazine to generate leads using forms or social login, be sure to follow these best practices with regards to collecting personal data so that you adhere to the GDPR.
- Request as little data as possible
The GDPR states that organizations shouldn’t process or retain extraneous personal data. This means that all data collected should be intended for a specific purpose, used only for that purpose, and retained for only as long as it meets that purpose. For the purpose of lead generation, you’ll typically need names and contact information at the very least, but you must decide what other information, if any, is necessary.
- Provide clear and transparent information
- Always obtain consent before using the data you've collected to contact leads
Our forms allow you to add checkboxes that are unchecked per default. Use this to get explicit consent from your visitors. This applies both to forms within publications and the access control form that allows you to gate publications for lead generation purposes.
Be aware that if you use social login to gate your publications, it’s not yet possible to ask for explicit consent from visitors to contact them in the future.
In addition to product updates, we’ve also updated and expanded our legal documentation.
Data Processing Agreement
We've created a Data Processing Agreement which defines how we process data. It covers the nature and purpose of processing, the duration for which data is kept, the types of personal data that is stored, and the obligations and rights involved — both of our customers as controllers and of Instant Magazine as the processor.
We believe the new regulations will lead to better experiences for everybody. At its most basic level, the GDPR requires companies to provide consumers with clear and transparent information about how their personal data will be stored and used, while also granting them quick and easy access to this data. All of this will lead to better relationships between organization and consumers, built on a solid foundation of trust.
If you have any additional questions about our product updates, feel free to contact our support team via the Help Center or by emailing them at: firstname.lastname@example.org. If you have questions related to our legal documentation, please contact email@example.com.
Dennis is a product marketer at Instant Magazine and the voice of our customer when it comes to the development of our platform. He works on our market positioning, product messaging and crystallizes the value of our tool.