In the UK and EU, GDPR and data protection / ePrivacy Regulation legislation govern how personal information can be used and stored by organisations.
This article offers guidance on how to use Spektrix to manage compliance with Data Protection regulations in the UK and Ireland. This article is relevant to anyone sending emails which may be received by recipients in the UK and Ireland.
TIP: For information about Anti-Spam Legislation in Canada, read Canadian Anti-Spam Legislation and Spektrix.
What are Data Protection Regulations?
The Privacy and Electronic Communications Regulations (PECR) in the UK and ePrivacy Regulation in Ireland sit alongside the Data Protection Act and GDPR. They give residents of the EU specific privacy rights in relation to electronic communications.
Every organisation is unique and therefore every organisation’s approach to data protection will have different requirements. As the data controller, it is your organisation’s responsibility to design an appropriate approach to data privacy. Spektrix and other data processors can’t make you GDPR compliant without your own processes in place.
There are a few things you can do to ensure that your Spektrix system is set up to support your approach to PECR and GDPR. If you have questions or concerns about your compliance, you may want to speak to a data protection specialist before committing to an approach in your Spektrix system.
Before you can set up your system, you’ll need to choose whether you’re using Explicit Consent or Legitimate Interest as your legal basis for the types of communication you plan to use.
What is Explicit Consent?
Explicit or valid consent means that someone has explicitly agreed to receive marketing content from you. This agreement can be verbal, digital or written.
TIP: Each method of contact (email, SMS, digital advertising, etc.) will require separate explicit consent and/or a specific legitimate interest analysis.
Explicit consent requires a positive action such as checking a box, clicking an agree button or answering a yes or no question to opt-in.
Customers can be asked for explicit consent when they first create an account or make a purchase, and have the opportunity to withdraw this consent at any time.
WARNING: Pre-ticked boxes or ‘default consent’ methods don’t provide explicit consent.
What are Legitimate Interest and Soft opt-in?
In some cases, Legitimate Interest and Soft opt-in can be used instead of explicit consent.
It is possible to use Legitimate Interest as the legal basis for your marketing and fundraising communications. However, when sending electronic communications, PECR adds a second requirement: you must also have Soft opt-in consent.
Soft opt-ins don’t require a positive action (opt-in). Instead, consent is gained through a default consent method, or a pre-checked box.
To use a Soft opt-in approach, PECR requires that you have legitimate interest (GDPR) and that customers are able to choose to opt out at the point the Soft opt-in is applied.
You cannot use Soft Opt-in for:
- Contacting new or potential customers.
- Sending fundraising communications.
Explicit Consent and Spektrix
You can keep a record of explicit consent in Spektrix using Contact Preferences.
When signing up or making a purchase, customers are given the option to agree to one or more Contact Preferences.
Each Contact Preference can have three possible responses:
- Yes: the customer has seen and accepted the Contact Preference. A checked box is a yes response.
- No: the customer has seen and declined the Contact Preference. An unchecked box is a no response.
- Not Asked: the Customer has not been asked for the Contact Preference. The Not Asked option is only available to Sales Users when a customer makes a purchase in person or over the phone. Only Sales Users can change a Contact Preference back to Not Asked.
When setting up Contact Preferences to collect Explicit Consent, make sure to leave the ‘This preference is selected by default’ box unchecked.
When building Customer Lists for mailings, you should always include the relevant Contact Preference.
For example, if you want to send a marketing email, you should only include customers who have responded Yes to your email marketing Contact Preference in your Customer List.
TIP: We recommend that you create a Global Segment for your Contact Preferences to make it easy to always segment on Yes responses in your Customer Lists.
Explicit Consent Best Practice
Best practice for Explicit Consent:
- Gather permission from your customers to communicate with them in a certain way. For example, by phone, email or post.
- Let customers choose how often they’d like to be contacted. For example, weekly updates, monthly updates or large announcements only.
- Let customers choose what they’d like to be contacted about. For example, Fundraising campaigns, different types of Events (Cinema, Drama, Comedy) or news about certain projects.
- All communications should clearly identify your organisation, including contact information.
- Using a clear naming convention structure can help provide clarity when it comes to reporting and segmenting based on Contact Preferences.
- Allow customers to manage and withdraw Explicit Consent at any time. Dotdigital emails will always give the option for customers to unsubscribe or manage their contact preferences, which will also update their preferences in Spektrix.
Soft opt-in and Spektrix
You can collect Soft opt-in consent in Spektrix by using default Contact Preferences.
When signing up or making a purchase, customers can be given the option to opt out of any default Contact Preferences you set up.
When setting up Contact Preferences to collect Soft opt-in consent, you should check the ‘This preference is selected by default’ box.
This will display the Contact Preference with the box automatically checked and allow the customer to uncheck the box to opt out.
Soft opt-in and Legitimate Interest Best Practice
Best practice for working with Soft opt-ins and Legitimate Interest:
- You must have a pre-existing relationship with the customer. Typically this means they have previously purchased from your organisation.
- You are required to carry out a Legitimate Interest Assessment (LIA) before relying on this basis.
- Be as granular as possible when creating Contact Preferences. For example, “I am happy to receive monthly emails about comedy events at this venue”.
- Ensure your marketing is relevant, non-intrusive, and aligned with your customers’ expectations. Avoid untargeted messages that could lead to complaints or violate your Legitimate Interest basis.
- Always provide easily accessible information about how you use customer data in your Privacy Policy.
- All communications should clearly identify your organisation, and include contact information (such as your organisation’s address and phone number).
- Customers should be able to withdraw consent at any point. Dotdigital emails will always give customers the option to unsubscribe or manage their contact preferences, which will also update their preferences in Spektrix.
- Regularly review your data to ensure Legitimate Interest remains valid.
TIP: Using a custom unsubscribe page is more beneficial than just having an unsubscribe link as it allows customers to be more specific about which Contact Preferences they wish to update.
Transactional Emails
Transactional Emails, sometimes referred to as Customer Service emails, are known as System Emails in Spektrix.
Transactional emails include information that is necessary to the customer as part of the transaction. This can include things like delivery information, order confirmation, or event cancellation messages.
System Emails which are sent from Spektrix include:
- E-ticket / Print at Home Delivery
- Login Link
- Gift Vouchers and Gift Memberships
- Account Emails
- Gift Aid
- Memberships
- Order Confirmation
- Summary Emails
Transactional emails do not require explicit consent, as sending the email is necessary to fulfil the terms of the transaction. You must still adhere to other GDPR principles, such as only collecting data necessary for the transaction, protecting the data, and being clear about how you will use the data.
WARNING: Including marketing content in a Transactional email is a compliance violation.
To learn more about transactional emails in Spektrix, read our article on System Emails.
Further Reading
To continue learning about Data Protection and Spektrix, take a look at the following resources:
- Contact Preferences
- How to build Customer Lists
- Sign up forms
- How to link Contact Preferences to Dotdigital
You can find more resources on GDPR and Data Protection on the Spektrix website:
- Boldly Compliant: A Guide to GDPR for Performing Arts Marketers & Fundraisers: A comprehensive white paper detailing Spektrix’s view on GDPR and our suggested approach to compliance.
- How to Implement your GDPR Approach in the Spektrix System: A practical guide to how you can use Spektrix to implement the approach you choose to take to GDPR.
- GDPR Compliance Checklist: recommended steps based on different types of organisation (Fundraising or Commercial).