The General Data Protection Regulation or the Data Protection Act 2018 (UK)

Lead Intuition is a British company and as as such, compliance with GDPR is as important to us as it is to our customers and partners.  The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018.

Set out below is general information about GDPR and what we Lead Intuition and our marketing automation partner ActiveDEMAND has done to achieve and maintain compliance.

What is GDPR?

The GDPR (General Data Protection Regulation) is a European privacy law approved by the European Commission in 2016 and otherwise known in the United Kingdom as the Data Protection Act 2018.

A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU including the United Kingdom, irrespective of Brexit. The GDPR is an attempt to strengthen, harmonise, and modernise EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organisations may obtain, use, store, and eliminate personal data.

The GDPR was adopted in April 2016 and was officially enforced beginning on May 25, 2018.

Who does it apply to?

The GDPR applies to any organisation processing personal data of EU citizens—regardless of where it is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organisation anywhere in the world, and all organisations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies to all industries and sectors.

What is considered Personal Data?

As per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Personal data will now include not only National Insurance data, names, physical addresses, email addresses, but also data such as IP addresses, behavioural data, location data, bio-metric data, financial information, and much more.

What does Process Personal Data mean?

In the context of GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Basically, if you are collecting, managing, using or storing any personal data of EU/UK citizens, you are processing personal data within the meaning prescribed by the GDPR.

What are the GDPR implications for marketers?

Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:

  • Contact details for the data controller
  • Purpose of the data: This should be as specific (“purpose limitation”) and minimised (“data minimisation”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
  • Retention period: This should be as short as possible (“storage limitation”).
  • Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented, or the processing is in the organisation’s “legitimate interests.” This means that marketers have to be very clear in their engagements as to what personal data is being collected, how it is being used, and give the audience the opportunity to get more information, and the ability to be forgotten.

Does the GDPR say anything about cross-border data transfers?

Yes, the GDPR contains provisions that address the transfer of personal data from EU member states to third-party countries, such as the United States. The GDPR’s provisions regarding cross-border data transfers, however, do not radically differ from the provisions in place under the Directive. The GDPR, like the Directive, does not contain any specific requirement that the personal data of EU citizens be stored only in EU member states. Rather, the GDPR requires that certain conditions be met before personal data is transferred outside the EU, identifying a number of different legal grounds that organisations can rely on to perform cross-border data transfers. One legal ground for transferring personal data set out in the GDPR is an “adequacy decision.” An adequacy decision is a decision by the European Commission that an adequate level of protection exists for the personal data in the country, territory, or organisation where it is being transferred. The Privacy Shield framework constitutes one such example of an adequacy decision.

How does this relate to ActiveDEMAND?

ActiveDEMAND is excited about the GDPR and the strong data privacy and security principles that it emphasises, many of which ActiveDEMAND has instituted long before the GDPR was enacted. ActiveDEMAND, as a Canadian company, has had to help marketers comply with some of the toughest privacy legislation in the world. ActiveDEMAND believes that the GDPR is an important milestone for the EU and the rest of the world in the data privacy landscape.

For GDPR, ActiveDEMAND reviewed and updated where necessary all of their internal processes, procedures, data systems, and documentation. This included, among other things:

  • Updated their Data Processing Agreement to meet the requirements of the GDPR in order to permit you to continue to lawfully transfer EU personal data to ActiveDEMAND and permit ActiveDEMAND to continue to lawfully receive and process that data;
  • Updated their third-party vendor contracts to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data;
  • Analysed all of their current features and templates to determine whether any improvements or additions can be made to make them more efficient for those users subject to the GDPR;
  • Right to be forgotten: You may terminate your ActiveDEMAND account at any time, in which case they will permanently delete your account and all data associated with it.
  • Right to rectification: You may access and update your ActiveDEMAND account settings at any time to correct or complete your account information. You may also contact ActiveDEMAND at any time to access, correct, amend or delete information that they hold about you.

ActiveDEMAND is a personalisation platform. The core use of ActiveDEMAND is the collection of and interpreting of behavioural data for the purpose of shortening buyer journeys. As such this entails the processing of personal data under the GDPR. It is important that users of ActiveDEMAND use the many tools provided by ActiveDEMAND to help your audience understand what you are doing, why you are doing it, and how they can opt-in, opt-out, be forgotten, and see what data you have collected. This article (below) will give you some guidance on what is available in ActiveDEMAND to help you comply with GDPR.

It is important to note, you should never collect sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin using any marketing platform including ActiveDEMAND.

ActiveDEMAND is a marketing automation and reporting platform, which may include associated consulting and technical support services. Use of the platform by subscribers in the European Economic Area (EEA) entails the processing of personal data under the GDPR.

ActiveDEMAND is provided by the Canadian company, JumpDEMAND, Inc.  In the United Kingdom, Lead Intuition Ltd is the official reseller of ActiveDEMAND.

JumpDEMAND, Inc. offers its subscribers in the EEA two agreements to cover GDPR compliance, in addition to their existing agreement:

  1. model clause agreement based on the European Commission’s standard contractual clauses (processors). The GDPR recognises this as a legitimate way to transfer personal data from the EEA to any country outside the EEA.
  2. A GDPR addendum containing legal terms and details of how personal data are processed in ActiveDEMAND. The GDPR requires these terms and details to be included in contracts between controllers and processors.

What does this mean? In broad terms, it means that if you are subscriber in an EU member state, Norway, Iceland or Liechtenstein, you can continue to transfer your lawfully processed personal data to JumpDEMAND, Inc. under the GDPR, who will process those data on your behalf.



How is ActiveDEMAND helping me comply with the GDPR?

ActiveDEMAND has always given marketers the tools to help with privacy and data handling. Here are a few examples

Opt-In Communications

ActiveDEMAND has a simple process for obtaining and recording (and tracking) consent. ActiveDEMAND has Opt-In form elements, dynamic opt-in email fields, dynamic opt-in landing pages that give the marketer the ability to easily provide the opportunity to Opt-In to marketing communications. All Opt-Ins are captured, recorded, and managed on a the ActiveDEMAND prospect timeline thus it is easy to report on when a prospect has opted in and how. ActiveDEMAND as well provides a simple one-click guard for enforcing the Opt-In communications (i.e. globally locking outbound communication to only those who have opted in).

Right to object (opt-out)

ActiveDEMAND has always had a simple system for tracking opt-outs. With ActiveDEMAND it is technically impossible to send an email to someone who has opted out. As well, ActiveDEMAND does not allow outbound communications to people without providing the ability to opt-out (unsubscribe).

Right to be forgotten

With ActiveDEMAND, deleting a contact will permanently delete all data related to that individual. As well, ActiveDEMAND provides a simple ‘Forget Me’ form element that can be presented to a prospect.

Right of access

All of the data collected on a contact is easily accessible within the platform. ActiveDEMAND provides a simple form element that makes it easy for marketers to automate or semi-automate the process of complying with a ‘right of access’ request.  ActiveDEMAND has an extensive privacy policy that describes what data ActiveDEMAND collects.

Right of portability

All of ActiveDEMAND’s data can be exported. This includes contact lists, metadata, and the conversions captured within the database.


Educating Your Audience About Options

In accordance with GDPR, it is important that marketers communicate with their audience what is being tracked, and what options they have to avoid the tracking. With ActiveDEMAND being a powerful marketing system with a lot of tracking systems, educating your audience is a critical step. Having a privacy and cookie policy is the first step. To help you draft a solid tracking and cookie policy, ActiveDEMAND has drafted a list of what is being tracked and the prospect’s options to avoid the tracking. If you are a UK business and would like to know more about Tracking or our compliance to GDPR, please contact Lead Intuition.

Support When You Need It

UK Based Support and  Service

Lead Intuition offers UK based Integration, Consulting, Training and Support for ActiveDEMAND's awesome marketing platform.  Hands on support when you need it and telephone, online page and video tutorials to get you started - all there to help you maximise your marketing impact


Like what you see?

Call us today or schedule a call here.

Copyright 2017-2020  Lead Intuition all rights reserved | Registered in England Company No 10861904

Privacy Policy