ActiveCampaign Forum

GDPR - General Data Protection Regulation compliance


#1

We are only 2 months away from the EU GDPR legislation coming into force on 25th May 2018. Have you any further information about how Active Campaign will be complying with the legislation and what we need to do to inform our contacts and comply ourselves ?

The GDPR article which you previously published appears to have been removed and when I tried to access the document you provided on the Forum I got an ‘Oops you are not authorised’ message.

The charity I work for is trying to ensure we are compliant before the legisilation comes into law in the UK.

Look forward to any advice you can provide - for example will you be relying on the EU-US privacy shield?


#2

This is highly relevant for all European customers. And there has to be a solution on this, or the European customers can’t stay compliant and must cancel.

a quick note: EU-US Privacy Shield is not relevant to GDPR. This kind of standardised agreement/standard clauses are explicitly not sufficient for GDPR compliance.


#3

We would very much appreciate more information about the upcoming updates in ActiveCampaign.
Will there be a portal for managing subscribes- unsubscribes with timeline of consents given? And an option to edit ones prescriptions, personal data, to encode contact info, to delete their info completely, to export their info. Regarding custom fields on forms a special “consent” tick boxes would be appreciated.

We are waiting. Lots of things need to be done.
Please provide us with some answers.


#4

I too am trying to get ready for GDPR compliance. I would like new campaigns to be compliant and was hoping to make them so this week. We are only six weeks away, and if I cannot be sure that ActiveCampaign will make compliance straight-forward, I will have to look elsewhere.


#5

Hello, I am interested in this issue too. Any help would be aappreciated. Regards. Thanks.


#6

Yes, we are facing this as well. Can anyone at AC provide an update on this?

Thanks.


#7

Hi, As much as this is a serious issue (GDPR) please don’t panic. There is a lot of scaremongering going on, which is not needed.
That said, it’s disappointing that we don’t yet have a response to this post from AC.


#8

I posted this query a month ago but we have still not received any reply on how AC will enable us to comply with GDPR. We are now only a month away from this legislation coming into law in Europe and there are potentially very significant fines for any organisations which have not taken steps to comply - up to 4% of the global annual revenue for any organisation found to be non-compliant.

Some of the specific questions I need to know answers for are:

  1. Are there any plans for a European Active Campaign data centre so that the data does not go outside of the European Economic Area ? If not what protection is provided for personal data of EU/UK citizens held in a US data centre?

  2. Is there any automated retention functionality planned to assist in removing records which are no longer needed, or is this down to us to implement automations to do this?

  3. The legislation supports the ability to forget an individual on request. How will this be supported? Is it simply be deletion of the record associated with an email address or will there be a way to mark an ‘individual’ as forgotten? Also does any deletion apply to backups/archives ?

  4. Is any encryption functionality planned for enabling the protection of sensitive personal data?

  5. I assume that the preferences requirements will be achieved through the opt-in functionality associated with lists? Will there be any further help here ? It would be useful to have an article explaining how to use various features to comply.

The charity I work for is still trying to ensure we are compliant before the legislation comes into law in a month’s time and we haven’t yet gone live with our Active Campaign database. At the moment I am uncertain whether it is safe to do so until these questions are answered.

I would be grateful if some answers could be posted.


#9

Happy to see I am not alone as I’ve asked a number of times and even had posts not approved to show up on the facebook group. I"m flogged off with being directed to the page with very little information on it. I"m giving this a week before we move to another company that takes this seriously.


#10

I was able to get quick answers from live chat and via support ticket.

Here is the general info found at:
https://www.activecampaign.com/gdpr-updates/

Data Processing
The GDPR specifies a variety of requirements surrounding the processing of personal data. This section will explore some of the data processing requirements and provide links to relevant sections of the text of the GDPR.

Controller and Processors
A Controller is the organization that determines how personal data will be used. A Processor is the organization that processes personal data on behalf and on the instructions of the Controller. The specific responsibilities of each party are laid out in Articles 24-43.

In most cases, ActiveCampaign is a Processor and users of ActiveCampaign are Controllers. Note that it is possible for a single organization to be both a Processor and Controller.

Data processing agreements
Article 28 states that Controller must have clearly documented contracts with Processors that define the scope of processing. These contracts must be “in writing, including in electronic form.” Requirements for processing contracts can be found in the remainder of Article 28.

Data protection officers
According to Article 37, many organizations will be required to appoint a data protection officer. The specific responsibilities of a data protection officer are covered in Article 39. In general, the data protection officer is responsible for compliance with the GDPR.

Transfer of personal data to third countries or international organizations
Articles 44-50 of the GDPR cover the specific requirements for transferring personal data to third parties or international organizations. The GDPR does not require that personal data of EU citizens remain exclusively in the EU, but it does have some requirements for such transfers.

In terms of hosting data in EU servers and/or data transfers from the EU to the U.S. under GDPR, we expect that you will be able to continue to rely on our EU-U.S. PRIVACY SHIELD certification in order to transfer any lawfully obtained personal data to ActiveCampaign using our Services.

You can find more details on our Privacy Shield Certification at https://www.privacyshield.gov/participant?id=a2zt0000000GnH6AAK


#11

There is a form for each template where you can select which fields users can update and edit and or delete their information. It is already in AC. Using custom fields, we are setting up forms that users have to click to accept our gdpr compliant privacy policy which states exactly how their information will be used in plain language (4 different languages) visit https://www.iubenda.com/en for more specific info on gdpr compliant privacy policies.

This check box on each form along with the double-opt in feature fulfils all GDPR requirements for consent. The last thing one needs to do is sign an DPA (Data Processing Addendum) contract with AC to meet the requirements of Article 28 of the GDPR.

So here are the steps:

  1. Get GDPR compliant privacy policy
  2. create a custom checkbox field that is used on all forms that asks the user they need to check the box to agree to the privacy policy (make sure there is a link that goes to your privacy policy) and the box CANNOT be pre-checked.
  3. make sure all your forms are set for double-opt-in, meaning that an email is sent to the subscribers email address with a button that needs to be clicked to confirm their email (this is all standard in AC and just requires turning on the feature)
  4. request a DPA from AC using the support email or your Customer Success Associate, sign it.

That’s it. Your forms and AC account are now GDPR compliant. If you are in the EU or part of the EEA, then there are additional steps you need to take and you will need to do further research. What I have states just applies to AC. I am not a lawyer and none of this should be taken as legal advice. Its just my opinion based on my research into the subject.

Not sure why AC does not seem to be that active on these boards. Maybe someone in the forum should submit an idea to create a new position at AC to monitor and be active in the community board.

Hope that is helpful. Shout out if there are any questions. No promises, but I will reply if I am able. Cheers.


#12

That’s great and really helpful goetheanum, thank you.

However one issue that really needs addressing is recording consent - and Active Campaign have given no indication on how this will be achieved.

There really are currently 21 working days until GDPR is ‘active’. I’m frustrated at the lack of communication.
I too was directed to their GDPR update page, which really does tell the reader very little.


#13

Hi Maria Paviour Company,

You are welcome. I hope it helps. I agree AC should be much more proactive here. I have also looked at Mailchimps solution and there is documentation on how to setup checkboxes for consent, etc. but it too seems lacking.

What I have done is create 2 checkboxes custom fields:

I agree to my personal data being stored and used to receive the newsletter as stated in your Privacy Policy
I agree to receive information and commercial offers.

I then created another custom field called User Consent Date.
I setup a new automation called User Consent with a trigger of any form being submitted. It checks to see if the check box is checked or not. If it is, it automatically puts in the date in the User Consent Date field.

This way, I know exactly which date a user gave consent.

Hope that helps. I am not waiting for AC on this because as you pointed out, we are only 21 days away from GDPR take effect.

All the best,
Jesse


#14

And here is a great overview of building up gdpr compliant subscription forms.


#15

Oo good thinking, thanks Jesse!
That’s a great idea. I’ll put in into practice, as we absolutely require something, and it feels very last minute for implementation as it is.
And thanks for the subscription form link.
Best of luck,
Polly


#16

Hi everyone! Wanted to hop in on this thread to let you know about our latest podcast all about GDPR. Our Director of Education interviews two attorneys to help explain GDPR and give tips to help you have the right conversations with your legal counsel. Listen in here or read the transcript!


#17

@jdeschane - do you know what AC is putting in place for us with regards to site tracking with GDPR as far as consent and then opting out?

[Edit] Found this article on site tracking with GDPR.: https://help.activecampaign.com/hc/en-us/articles/360000872064?input_string=data+processing+agreement


#19

Hi @followyourlight, looks like you found our help doc around Site Tracking and GDPR. I think you’ll find all the information you need on that page. Happy Monday!


#20

Received an email from AC today regarding GDPR, including a clear(er) roadmap:
https://www.activecampaign.com/gdpr-updates/


#21

Hi guys, have you read the latest update from AC team regarding consents: https://www.activecampaign.com/learn/guides/preparing-for-the-gdpr-collecting-consent/

Am I the only one finding it a bit strange that they suggest storing all consents with date of consent given using the “notify” function in automation. Meaning we’ll have to store the notification emails? …this is very messy. Don’t you think?

Is there any other AC user here that has a large number of forms on their website. for example forms for contact, for webinar signups, for video downloads, etc etc… Have you figured out any useful tips how to store consents and manage subscriptions?