COLOUR ME SOCIAL GDPR COMPLIANCE STATEMENT
This statement sets out the operating procedures Colour Me Social undertakes to ensure GDPR best practice is observed to the greatest extent possible, at all times.
1. What is GDPR?
From 25th May 2018, the GDPR brings all EU member states under a common regulatory framework.
Colour Me Social takes GDPR compliance seriously. We have extensively reviewed how and where we store any personal information, and confirmed that every third-party software provider we partner with is fully GDPR compliant.
This extensive review enables us to assure clients that GDPR best practices are strictly observed wherever possible, at all times.
2. Colour Me Social’s relationship with you
Colour Me Social is a service provider: when you engage our services, we work for you, and if and when we create data, we create it exclusively for you.
To put this in the language of GDPR and the ICO:
You are the data controller – data belongs to you and is not shared with any other client, company or third party. No messaging is sent without your oversight.
We are the data processor – we work for you.
3. Does your marketing activity qualify?
Colour Me Social’s services are designed and offered solely to help businesses promote to other businesses and their target audience via social media channels, i.e. B2B and B2C marketing.
Before launching new client activity, Colour Me Social conducts an in-depth assessment to establish whether the product or service, combined with the proposed targeting, meets the criteria for GDPR compliant business-to-business (B2B) or business-to-consumer (B2C) marketing.
Prior to conducting the assessment, suitability can usually be determined by the following two questions:
3.1 If B2B, will the product or service being offered benefit the businesses you are targeting, and not the individual?
The product or service that you are offering needs to be of benefit to the target business, and when talking to any individual, relevant to their business role only. It can help to consider the following examples:
If you are targeting companies that sell widgets, to offer marketing services designed to increase their sales of widgets, then there is a clear, sole benefit to the company.
If you are looking to contact business owners in order to help them invest their hard-earned wealth, despite the links to their professional role, this is aimed at the individual, not the company.
3.2 Are the services being provided equally beneficial to whoever may be contacted about them?
If the first question can be answered positively, then a further test of the business nature of your offering is to consider the target individuals that you would like to introduce it to. The only consideration here should be job specific – typically department and seniority. Your offer should be equally relevant to whoever fills these roles at any given time, and in no way target any given individual.
B2C marketing is conducted via GDPR compliant social platforms, newsletter communication and secure landing pages and websites. All B2C marketing includes the correct use of GDPR compliant opt-ins and opt-outs.
4. Colour Me Social and Personally Identifiable Information (PII)
At the core of the Colour Me Social process is the sharing of content through social media. Whilst the details of this can vary, it involves no personal information at all.
However, so that we can set up a client and get their account ‘live’, we do typically generate Personally Identifiable Information (PII).
The Personally Identifiable Information (PII) data held is kept to an absolute minimum:
Business email address – emails are only stored that are on the target company domain(s). For example, if targeting a company whose website is widgets.com, emails will be @widgets.com. No personal email addresses are stored, ever.
Social profile URLs.
All social profile usernames and passwords can be connected directly by the client to our GDPR compliant social media portal. Where Colour Me Social does require direct access to a client’s social accounts, the credentials are either stored using encrypted software or held on secure cloud servers. We ask for written consent at set-up (does the client fully understand why we require some personal information and what we will use it for?).
5. Legitimate Interests
GDPR sets out a number of permissible circumstances (or categories) under which PII can be stored and processed; the most appropriate category in the case of Colour Me Social is Legitimate Interests.
This link explains the Legitimate Interests basis for storing and processing PII: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
6. LIA Failures
If Colour Me Social determines that your planned social media activity does not meet the criteria for Legitimate Interests within the scope of GDPR then we cannot support the activity within any regions subject to GDPR.
7. Rights of Individuals
Opting Out & Exclusion Lists
All recipients are able to opt out easily to prevent further email communication being received.
All replies to prospecting emails are logged and those prospects are added to your campaign exclusion list within 24 hours.
Colour Me Social allows import of existing exclusion lists in advance of campaign activity. Exclusions can be submitted in the form of individual email addresses or full domains and will prevent communications being issued to those email addresses or domains listed.
Subject Access Requests
All individuals have the right to request a copy of all data you hold on them. To support this, you can email any SARs to [email protected] and we will return this data within 72 hours.
Right to be Forgotten
All individuals have the right to have their data removed (to be ‘forgotten’) which is a request that can be carried out easily by your Colour Me Social account manager. Your data belongs to you and you can choose to delete some or all of it at any time.
A conflict does arise in removing or forgetting an email address whilst at the same time keeping this address on an exclusion list to prevent future mailing. Where we have removed data, we will move the email address to a separate exclusion list, encrypted using a one-way hashing algorithm (SHA1), ensuring we are able to prevent any future messages being sent to the customer whilst continuing to honour their right to be forgotten.
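The hashed exclusion list described above, as an added example rather than Colour Me Social’s own code: forgotten addresses are kept only as SHA1 digests of the normalised address, and the pre-send check consults the plaintext address and domain exclusions as well as that hashed list. The normalisation step, the class layout and the sample addresses are assumptions.

```python
import hashlib


def normalise(email: str) -> str:
    """Canonicalise an address so the same mailbox always yields the same digest."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """One-way SHA1 digest of the normalised address, as the statement describes.
    (An unkeyed hash of a guessable value can be matched by hashing candidates;
    a keyed hash such as HMAC is a common hardening, but not what the page states.)"""
    return hashlib.sha1(normalise(email).encode("utf-8")).hexdigest()


class SuppressionStore:
    """Assumed layout: plaintext exclusions (opt-outs, imported addresses, full
    domains) plus a separate list holding only digests of forgotten addresses."""

    def __init__(self) -> None:
        self.contacts: set[str] = set()            # addresses held for a campaign
        self.excluded_addresses: set[str] = set()  # opt-outs / imported exclusions
        self.excluded_domains: set[str] = set()    # full-domain exclusions
        self.forgotten_hashes: set[str] = set()    # SHA1 digests only, no plaintext

    def add_contact(self, email: str) -> None:
        self.contacts.add(normalise(email))

    def exclude(self, entry: str) -> None:
        """Accept either a full address or a bare domain, as the import allows."""
        entry = normalise(entry)
        (self.excluded_addresses if "@" in entry else self.excluded_domains).add(entry)

    def forget(self, email: str) -> None:
        """Right to be forgotten: drop every plaintext copy, keep only the digest."""
        email = normalise(email)
        self.contacts.discard(email)
        self.excluded_addresses.discard(email)
        self.forgotten_hashes.add(hash_email(email))

    def holds_plaintext(self, email: str) -> bool:
        email = normalise(email)
        return email in self.contacts or email in self.excluded_addresses

    def may_send(self, email: str) -> bool:
        """Pre-send check: refuse if the address, its domain or its digest is suppressed."""
        email = normalise(email)
        domain = email.rsplit("@", 1)[-1]
        if domain in self.excluded_domains or email in self.excluded_addresses:
            return False
        return hash_email(email) not in self.forgotten_hashes
```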
8. PECR and sending of B2B messages
Whilst GDPR controls the storage and processing of personal data in the UK, sending messages is regulated under the Privacy and Electronic Communications Regulations (PECR). This is very clear as to the requirements of business communication:
“You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.”
9. Data Storage & Data Security
We do not hold the ISO 27001 accreditation; however, we recognise the standard and operate a similar or better approach in most cases. We are working to achieve this accreditation.
11. Non-UK regulations
Colour Me Social is a UK based company and operates under UK law. Where the service is used to target countries outside of the UK we are unable to provide guidance or take responsibility for any additional or differing laws that may be in place.
12. Client responsibility
Whilst Colour Me Social continues to take extensive measures to ensure best practice with respect to GDPR and PECR across all client activity, clients should take note that responsibility for compliance vests (in different forms) with all parties.
Colour Me Social cannot be abreast of the constantly evolving regulatory frameworks in all countries at all times. As such, it is important that you, as the client, have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.