The European Union's new data protection law, the General Data Protection Regulation (GDPR), is meant to protect the data and rights of individuals who are in the European Union and European Economic Area (EU/EEA). More than that, the GDPR details how organizations are to deal with these individuals' personal data in safe, secure, open, and benign ways. Responsibility for compliance extends to any organization that communicates with individuals who are in the EU/EEA. As such, the GDPR affects both organizations that are established in the EU/EEA and many organizations that operate outside of the EU/EEA and interact with individuals who are in the EU/EEA.
Enforcement of the GDPR began on 25 May 2018. Lead Gen & CRM met the GDPR requirements prior to that date. To remain compliant with the GDPR, Lead Gen & CRM will continue to implement and maintain changes to software and policies to specifically address these new GDPR responsibilities and continue to assist customers in meeting some of their responsibilities under the GDPR.
The updated policy includes the following:
- Information transparency. Greater transparency and a clear definition of the data and information Lead Gen & CRM collects from you, why it is collected, and how it is used to provide service.
- Data and privacy rights. Expanded clarity on the roles and responsibilities of Lead Gen & CRM in handling your data, as well as the privacy rights you have.
- Privacy Shield certification. Lead Gen & CRM has Privacy Shield certification. With this certification, European Union customers and visitors can be confident in the way Lead Gen & CRM processes and handles their data, and that Lead Gen & CRM meets European Union requirements in doing so.
The ability to prove consent is an important aspect of the GDPR. Article 4 of the GDPR defines consent as:
...Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her...
Lead Gen & CRM already provides ways to request or revoke consent. To more closely comply with the new rules on consent in the GDPR, Lead Gen & CRM has changed how certain core features of the platform provide means to request and revoke consent.
Forms have been updated to help individuals provide consent. With these updates, more metadata about submissions to Lead Gen & CRM forms will be recorded. This metadata includes key pieces of information, including IP addresses and subscription dates, and will be available when exporting leads from Lead Gen & CRM. In addition, Lead Gen & CRM has added new options for building forms that solicit various kinds of consent.
Landing pages also have been updated to address the consent requirements. Lead Gen & CRM has updated the landing page designer to allow users to configure a cookie disclosure design element. This design element discloses what cookies are being used on landing pages—and for what purpose.
These form and landing page updates are available to use as needed. Lead Gen & CRM leaves their use to the client's discretion. Clients should consider their usage based on individuals they are targeting, as well as the locations of these individuals.
Requesting permission is only part of the new consent rules. Now, with the GDPR, you must identify and retain exactly how you obtained an individual's information and consent. The GDPR requires the following be addressed:
- How recipients consent to you sending them information
- How recipients consent to you storing their information
- How recipients provided consent
- How recipients consented to having their information shared
Lead Gen & CRM already enables you to create custom fields, organize those custom fields into folders, and view information on those custom fields on a lead's record at any time. Make a point to investigate the sources and keep track of where you get your data. Keeping this information on-hand is at your discretion. Know from which source your data was collected prior to GDPR implementation, and going forward.
Third-Party Data Tracking
The GDPR requires organizations to be transparent about their practices regarding personal data. To comply with these transparency requirements, Lead Gen & CRM internally logs more granular information on what data has been obtained from third parties, as well as how that data is being used. Lead Gen & CRM also publishes a list of subprocessors that provides information on the following:
- A list of all associated third-party data providers
- An overview of the data supplied by third-party data providers
- The contact information of associated third-party data providers
Moving forward, instances where Lead Gen & CRM shares client data with these third-party providers will be documented. In addition, Lead Gen & CRM will require associated third-party providers to self-certify their compliance with the EU-US Privacy Shield Principles, or to execute a specific data privacy agreement with Lead Gen & CRM. To maintain transparency, Lead Gen & CRM will publish details of these privacy agreements, as well as the vendors operating under them.
Internal Data Logging
Lead Gen & CRM already maintains an audit trail. These audits account for important events that occur in Lead Gen & CRM's networks and servers. These audits, as well as other records, are in place due to various existing regulatory, compliance, and legal measures. To better represent the audit process, and comply with the GDPR, Lead Gen & CRM has updated these internal audit logs and similar records. The changes reflect, in a granular fashion, how customer data is transferred, updated, deleted, and accessed within the Lead Gen & CRM platform.
Data Access and Verification
The GDPR requires organizations to provide individuals with the means to know how their data is being processed and used. To comply with these new rules on data access, Lead Gen & CRM has implemented new verification measures. Going forward, when a client makes certain support requests, Lead Gen & CRM will ask the client to provide additional information. These requests will help verify a client's identity before Lead Gen & CRM staff accesses certain data or performs certain actions on the client's behalf.
The GDPR requires organizations, upon request, to provide, free of charge, electronic copies of an individual's personal data. The Lead Gen & CRM platform has been updated to address the new rules on data access. Lead Gen & CRM's data exporting tools will be available to assist in exporting this personal data. Lead Gen & CRM also introduced new export tools—and made changes to existing export tools—allowing clients to download data that they provided to Lead Gen & CRM, excluding certain historical data that has been deleted or removed.
Data Erasure and Other Limitations
The GDPR affords the right to data erasure, also known as the right to be forgotten. This right provides individuals, in limited circumstances, with the ability to request that their data be deleted. In addition, to address data erasure more directly, Lead Gen & CRM is currently in the process of building, updating, and expanding internal tools. These internal tools allow Lead Gen & CRM to respond to data erasure requests in a timely manner.
The GDPR also provides a right to restrict the processing of personal data and to object to the processing of personal data. Lead Gen & CRM provides a means for individuals to request that their data stops being disseminated to other organizations and entities.
The backup policy at Lead Gen & CRM requires full backups of customer data daily, with incremental backups performed each hour. Lead Gen & CRM's data retention period for backups of customer data is seven days. Lead Gen & CRM replicates these backups to an off-site location in compliance with its own disaster recovery policy. Lead Gen & CRM cares about its customers' data, and has placed high availability (HA) mechanisms in place to reduce the need for recovery. Lead Gen & CRM makes a best-effort attempt to retain customer data. However, Lead Gen & CRM does not provide any direct guarantee against loss of customer data.
Lead Gen & CRM's backup procedures follow the basic rules of the CIA triad: confidentiality, integrity, and availability. Backups are verified for integrity, encrypted, securely transferred, and stored at both on-site and off-site locations. They are then verified by test restores (reanimation testing).
Lead Gen & CRM utilizes open source technologies, such as Zabbix and OpenVAS, to monitor the availability of its services, obtain web application performance metrics, and perform regular vulnerability scans against its critical infrastructure. Lead Gen & CRM also reinforces these processes by regularly performing penetration tests against its own architecture. Lead Gen & CRM's monitoring and associated alerting processes are regularly tested to ensure that Lead Gen & CRM Network Operations Center (NOC) staff are notified immediately upon the occurrence of any operations anomaly or service interruption.
Recommended Customer Actions
It is not just Lead Gen & CRM that is impacted by the GDPR. Email marketers should take action to remain compliant. Again, GDPR compliance is required for all marketers that have leads in the EU/EEA. While in no way a complete list, Lead Gen & CRM recommends that email marketers do the following to begin to comply with the GDPR:
- Prove individual consent. With the GDPR, the basis of consent has changed. There is now a requirement to prove whether or not your email recipients consent to the communication you are sending them. Certain Lead Gen & CRM features—such as double opt-in and confirmed opt-in—provide records of consent. However, records and other information from outside Lead Gen & CRM may not be as complete. As such, ensure that contacts brought into Lead Gen & CRM can have their consent proven based on the GDPR's current definition of consent.
- Establish and re-establish consent. Just as consent can be given, it can also be revoked. If you do not have consent from a lead, you must remove the lead from your lists. Also, even if an email recipient has explicitly stated that they want to receive your emails, it is in your best interest as a marketer to send a reconfirmation email to that recipient when they have low engagement or are unengaged. Additionally, be wary of leads who have not opened emails, visited websites, or completed forms in quite some time. These leads may no longer be willing to provide consent. Routine re-permission campaigns will help to maintain records of consent.
- Make unsubscribe footers visible and accessible. Lead Gen & CRM automatically adds an unsubscribe link to all emails sent through automations and sent to lists. Unsubscribe links must be visible and unobstructed in emails. Smart Mail may also require unsubscribe links. Depending on the context, if the Smart Mail is not transactional in nature, include an unsubscribe link to ensure compliance with the GDPR. By default, Smart Mail does not include an unsubscribe link, so it is important for you to include an unsubscribe link in the footer to ensure that recipients can opt out from receiving future communications.
- Ensure that all third-party services are compliant. This extends beyond Lead Gen & CRM. If you are utilizing other third-party services, validate that they comply with the GDPR. If they do not, be aware that their service may be interrupted, which will interrupt yours in turn. Lead Gen & CRM is working to ensure that all its third-party vendors are compliant—or, at a minimum, adhere to strict data privacy and protection standards.
- Consider hiring a data protection officer. The GDPR has specific requirements for organizations that process or store large amounts of personal data. A data protection officer (DPO) may be required in some circumstances. Among their many job roles, DPOs primarily audit organizations to ensure compliance and train organizations on how to maintain GDPR compliance.
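The two consent points above (recording submission metadata such as IP address and subscription date, and proving consent through double opt-in) are illustrated here in an added Python example. It is not Lead Gen & CRM code and does not describe how the platform stores its records; the record layout, the HMAC-signed confirmation link, the 14-day confirmation window, the signing key, and all sample lead data are constructed assumptions for the illustration.

```python
"""Double opt-in consent records that carry their own proof metadata (added example)."""
import hmac
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical signing key; in a real deployment it comes from a secrets manager.
SIGNING_KEY = b"constructed-demo-signing-key"
# Assumed validity window of a confirmation link (not a GDPR-mandated value).
CONFIRMATION_WINDOW = timedelta(days=14)


@dataclass
class ConsentRecord:
    """What must be kept to show later how, when, and for what consent was obtained."""
    email: str
    purpose: str               # what the recipient agreed to, e.g. "newsletter"
    source: str                # where the lead came from, e.g. a form identifier
    consent_text_version: str  # exact wording shown, so it can be reproduced later
    requested_at: str          # ISO 8601 UTC timestamp of the form submission
    ip_address: str            # submitter address captured with the submission
    confirmed_at: Optional[str] = None  # set when the confirmation link is used
    revoked_at: Optional[str] = None    # set when the recipient withdraws consent


def _iso(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).isoformat(timespec="seconds")


def record_request(email, purpose, source, consent_text_version, ip_address, now):
    """Step one of double opt-in: the form submission itself is only a request."""
    return ConsentRecord(email=email, purpose=purpose, source=source,
                         consent_text_version=consent_text_version,
                         requested_at=_iso(now), ip_address=ip_address)


def _message(record: ConsentRecord) -> bytes:
    # Bind the token to this exact request so it cannot be replayed for a
    # different address, purpose, or submission.
    return "|".join([record.email, record.purpose, record.requested_at]).encode()


def issue_confirmation_token(record: ConsentRecord) -> str:
    """Token placed in the confirmation e-mail link; only the key holder can mint it."""
    return hmac.new(SIGNING_KEY, _message(record), hashlib.sha256).hexdigest()


def confirm(record: ConsentRecord, token: str, now: datetime) -> bool:
    """Step two: accept the clear affirmative action only for a genuine, fresh token."""
    expected = issue_confirmation_token(record)
    if not hmac.compare_digest(expected, token):
        return False  # forged or altered link
    if now - datetime.fromisoformat(record.requested_at) > CONFIRMATION_WINDOW:
        return False  # stale link; the recipient has to submit the form again
    if record.revoked_at is not None:
        return False  # consent was withdrawn after the request
    record.confirmed_at = _iso(now)
    return True


def revoke(record: ConsentRecord, now: datetime) -> None:
    """Unsubscribe or objection: keep the record, but mark consent as withdrawn."""
    record.revoked_at = _iso(now)


def consent_is_proven(record: ConsentRecord) -> bool:
    """Only a confirmed, unrevoked record counts as provable consent."""
    return record.confirmed_at is not None and record.revoked_at is None


def proof_of_consent(record: ConsentRecord) -> dict:
    """Metadata to export alongside the lead when asked to demonstrate consent."""
    return asdict(record)


def run_demo() -> dict:
    """Walk one constructed lead through request, forged link, expiry, confirmation, revocation."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    rec = record_request("lead@example.com", "newsletter", "form:contact-us-v3",
                         "consent-text-2018-05", "203.0.113.7", t0)
    token = issue_confirmation_token(rec)
    forged = token[:-1] + ("0" if token[-1] != "0" else "1")
    results = {"before_confirm": consent_is_proven(rec)}
    results["forged_rejected"] = not confirm(rec, forged, t0 + timedelta(hours=1))
    results["expired_rejected"] = not confirm(rec, token, t0 + timedelta(days=30))
    results["confirmed"] = confirm(rec, token, t0 + timedelta(hours=1))
    results["proven"] = consent_is_proven(rec)
    revoke(rec, t0 + timedelta(days=90))
    results["after_revoke"] = consent_is_proven(rec)
    results["proof_has_ip"] = proof_of_consent(rec)["ip_address"] == "203.0.113.7"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The record is never deleted on revocation; the revocation timestamp is itself part of the evidence that a later mailing was or was not permitted. Keeping the consent text version alongside the timestamp is what lets you show later exactly what the individual agreed to, which the form metadata alone (IP address and date) cannot.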
Refer to the following external help resources for more information on customer actions and the marketing impacts of the GDPR: