How Dotdigital helps with GDPR compliance

We want to make sure that our clients have the tools that they need to be compliant with the GDPR.

Gareth Burroughes avatar
Written by Gareth Burroughes
Updated over a week ago

In December 2017, Dotdigital made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten.

In April 2018, we added a feature for clients’ storing the consent text each contact agreed to when subscribing (for example, from your signup form), alongside the IP address of the computer they used and the date they did it. This means you’re able to see exactly what a contact is happy to receive and cross-reference it with the permissions you hold on them. You can read more in our support article 'Recording consent for your contacts'.
Here's a summary of all the changes within the platform to help our clients with the GDPR.

Features that help respond to subject access requests

In December 2017, Dotdigital made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten. You can view and export the data you hold on both subscribed and suppressed contacts from November 2018.

How are we cater for multi-consent and preference centres?

At a product level, we are reviewing how our current preference centres serve our customers – and changes may come as a result. Multi-consent preference centres are currently supported by the platform, either self-serve by utilising data fields or address books, or through custom work using address books, data fields or Insight data. We are continually developing in this area and welcome any ideas you may have, so keep an eye on the roadmap for changes in this area.

Legal basis and using Dotdigital to help

Can we document the legal basis we are processing the data uploaded to the Dotdigital platform?

If you are using consent as your legal basis, Dotdigital includes enhanced functionality around consent storage to allow a client to store additional information.

In April 2018, we added a feature for clients’ storing the consent text each contact agreed to when subscribing (for example, from your signup form), alongside the IP address of the computer they used and the date they did it. This means you’re able to see exactly what a contact is happy to receive, and cross-reference it with the permissions you hold on them. You can read more in our support article 'Recording consent for your contacts'.

Will we need to keep a log of the opt-in text at the time of consent?

We recommend capturing and storing what disclosures were provided to the data subject when consent was initially given to demonstrate that consent was informed and freely given. This is possible through platform enhancements for consent capture and management.

Do we have to know every subscribe and unsubscribe date if they have opted in and out?

As a data controller, you should know where, when and how you obtained the personal data of a data subject. The dates associated with subscribe and unsubscribe is available within our platform if using the ConsentInsight feature.

Can we determine which campaign led to an individual unsubscribing?

No, we have no plans to change this functionality as, on balance, more customers are concerned with when the person unsubscribed than the specific message itself.

What should we do with a contact's data other than their status and email address when someone unsubscribes?

When a contact unsubscribes, their data is no longer viewable in the app. The data however is still stored by us, and will be viewable again if the contact resubscribes. Right now, we’re working on the assumption this process won’t change. The process for deleting (rather than unsubscribing) a contact, however, will be updated to physically remove all of the contact’s data.

Should we also remove their behavioural data if they unsubscribe?

The action of an individual unsubscribing or removing a contact from a mailing list will not remove their contact data from the platform. However, this data can be removed and deleted by clients within the platform using the delete functionality.

Are we going to be able to add the date of opt-in in Dotdigital?

In April 2018, we added a feature for clients’ storing the consent text each contact agreed to when subscribing (for example, from your signup form), alongside the IP address of the computer they used and the date they did it. This means you’re able to see exactly what a contact is happy to receive, and cross-reference it with the permissions you hold on them.

Is the 'Last subscribed' date actually when the recipient opted in or when they were last added into the account?

The ‘last subscribed’ date is just that: the last date they subscribed. If a contact resubscribes, this date gets updated. If an already subscribed contact is uploaded again, it won’t update. This date can also be manually added by a user.

Decision making and profiling

Is the data provided by clients used to make automated decisions about data subjects?

Not within the platform; any ability to make automated decisions is entirely controlled by clients.

Is the right to opt-out of web behavioural tracking incorporated into Dotdigital's platform?

Dotdigital allows you to use the data you hold on your contacts to profile them (such as what email they should receive and when). If you have a contact who is exercising a right under the GDPR to not have their information processed for profiling purposes, the easiest and safest action is to unsubscribe them. This means you guarantee that Dotdigital won’t use their data for any profiling. However, it also means they won’t be able to receive any standard, non-automated campaigns.

If you have large numbers of contacts exercising their individual rights, you can create a new account and request us to turn off the segmentation, program and Web Behavior Tracking tools. Note, however, that the send time optimisation tool may be considered as automated processing, and this can't be turned off.

Finally, if you’d rather not use profiling for any of your contacts, you may request we turn off the automated tools for your main account.

Did this answer your question?