|The European Union's new data protection law, the General Data Protection Regulation (GDPR), is meant to protect the data and rights of individuals who are in the European Union and European Economic Area (EU/EEA). More than that, the GDPR details how organizations are to deal with these individuals' personal data in safe, secure, open, and benign ways. Responsibility for compliance extends to any organization that communicates with individuals who are in the EU/EEA. As such, the GDPR affects both organizations that are established in the EU/EEA, and to many organizations that operate outside of the EU/EEA and interact with individuals who are in the EU/EEA.
Enforcement of the GDPR began on 25 May 2018. SharpSpring met the GDPR requirements prior to that date. To remain compliant with the GDPR, SharpSpring will continue to implement and maintain changes to software and policies to specifically address these new GDPR responsibilities and continue to assist customers in meeting some of their responsibilities under the GDPR.
Disclaimer: This document is not legal advice. It is only meant to provide general information on selected aspects of the GDPR. While this document addresses some legal aspects of the GDPR, it is not intended to provide legal advice. SharpSpring recommends that you consult your attorney on how best to comply with the GDPR.
The updated policy includes the following:
- Information transparency. Greater transparency and a clear definition of the data and information SharpSpring collects from you, why it is collected, and how it is used it to provide service.
- Data and privacy rights. Expanded clarity on the roles and responsibilities of SharpSpring in handling your data, as well as the privacy rights you have.
- Privacy Shield certification. SharpSpring has Privacy Shield certification. With this certification, European Union customers and visitors can be confident in the way SharpSpring processes and handles their data, and that SharpSpring meets European Union requirements in doing so.
The ability to prove consent is an important aspect of the GDPR. Article 4 of the GDPR defines consent as:
|...Any freely given, specific, informed, and unambiguous
indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmative action,
signifies agreement to the processing of personal data
relating to him or her...
SharpSpring already provides ways to request or revoke consent. To more closely comply with the new rules on consent in the GDPR, SharpSpring has changed how certain core features of the platform provide means to request and revoke consent.
Forms have been updated to help individuals provide consent. With these updates, more metadata about submissions to SharpSpring forms will be recorded. This metadata includes key pieces of information, including IP addresses and subscription dates, and will be available when exporting leads from SharpSpring. In addition, when building forms to solicit various kinds of consent, SharpSpring has provided some new options.
Landing pages also have been updated to address the consent requirements. SharpSpring has updated the landing page designer to allow users to configure a cookie disclosure design element. This design element discloses what cookies are being used on landing pages—and for what purpose.
These form and landing page updates are available to use as needed. SharpSpring leaves their use to the client's discretion. Clients should consider their usage based on individuals they are targeting, as well as the locations of these individuals.
Seeking request permissions is only part of the new consent rules. Now, with the GDPR, you must identify and retain exactly how you obtained an individual's information and consent. The GDPR requires the following be addressed:
- How recipients consent to you sending them information
- How recipients consent to you storing their information
- How recipients provided consent
- How recipients consented to have their information given
SharpSpring already enables you to create custom fields, organize those custom fields into folders, and view information on those custom fields on a lead's record at any time. Make a point to investigate the sources and keep track of where you get your data. Keeping this information on-hand is at your discretion. Know from which source your data was collected prior to GDPR implementation, and going forward.
Third-Party Data Tracking
The GDPR requires organizations to be transparent on their practices regarding personal data. To comply with these transparency requirements, SharpSpring internally logs more granular information on what data has been obtained from third parties, as well as how that data is being used. This list of subprocessors is publicly visible and provides information on the following:
- A list of all associated third-party data providers
- An overview of the data supplied by third-party data providers
- The contact information of associated third-party data providers
Moving forward, instances where SharpSpring shares client data with these third-party providers will be documented. In addition, SharpSpring will require associated third-party providers to self-certify their compliance with the EU-US Privacy Shield Principles, or execute a specific data privacy agreements with SharpSpring. To maintain transparency, SharpSpring will publish details of these privacy agreements, as well as those vendors which are operating under these agreements.
Internal Data Logging
SharpSpring already maintains an audit trail. These audits account for important events that occur in SharpSpring's networks and servers. These audits, as well as other records, are in place due to various existing regulatory, compliance, and legal measures. To better represent the audit process, and comply with the GDPR, SharpSpring has updated these internal audit logs and similar records. The changes reflect, in a granular fashion, how customer data is transferred, updated, deleted, and accessed within the SharpSpring platform.
Data Access and Verification
The GDPR requires organizations to provide individuals with the means to know how their data is being processed and used. To comply with these new rules on data access, SharpSpring has implemented new verification measures. Going forward, when a client makes certain support requests, SharpSpring will ask the client to provide additional information. These requests will help verify a client's identity before SharpSpring staff accesses certain data or performs certain actions on the client's behalf.
The GDPR requires organizations, upon request, to provide, free of charge, electronic copies of an individual's personal data. The SharpSpring platform has been updated to address the new rules on data access. SharpSpring's data exporting tools will be available to assist in exporting this personal data. SharpSpring also introduced new export tools—and made changes to existing export tools—allowing clients to download data that they provided to SharpSpring, excluding certain historical data that has been deleted or removed.
Data Erasure and Other Limitations
The GDPR affords the right to data erasure, also known as the right to be forgotten. This right provides individuals, in limited circumstances, with the ability to request that their data be deleted. In addition, to address data erasure more directly, SharpSpring is currently in the process of building, updating, and expanding internal tools. These internal tools allow SharpSpring to respond to data erasure requests in a timely manner.
The GDPR also provides a right to restrict the processing of personal data and to object to the processing of personal data. SharpSpring provides a means for individuals to request that their data stops being disseminated to other organizations and entities.
The backup policy at SharpSpring requires full backups of customer data daily, with incremental backups being performed each hour. SharpSpring’s data retention period for backups of customer data is seven days. SharpSpring replicates these backups to an off-site location in compliance with its own disaster recovery policy. SharpSpring cares about its customers' data, and has placed high availability (HA) mechanisms in place to reduce the need for recovery. SharpSpring makes a best effort attempt to retain customer data. However, SharpSpring does not provide any direct guarantee against loss of customer data.
SharpSpring's backup procedures follow the basic rules of the CIA triad: confidentiality, integrity and availability. They are verified for integrity, are encrypted, are securely transferred, and are stored both at on-site and off-site locations. These backups are then verified through reanimation testing.
SharpSpring utilizes open source technologies, such as Zabbix and OpenVAS, to monitor the availability of its services, obtain web application performance metrics, and perform regular vulnerability scans against its critical infrastructure. SharpSpring also reinforces these processes by regularly performing penetration tests against its own architecture. SharpSpring’s monitoring and associated alerting processes are regularly tested to ensure that SharpSpring Network Operations Center (NOC) staff is notified immediately upon the occurrence of any operations anomaly or service interruption.
Recommended Customer Actions
It is not just SharpSpring that is impacted by the GDPR. Email marketers should take action to remain compliant. Again, GDPR compliance is required for all marketers that have leads in the EU/EEA. While in no way a complete list, SharpSpring recommends that email marketers do the following to begin to comply with the GDPR:
- Prove individual consent. With the GDPR, the basis of consent has changed. There is now a requirement to prove whether or not your email recipients consent to the communication you are sending them. Certain SharpSpring features—such as double opt-in and confirmed opt-in—provide records of consent. However, records and other information from outside SharpSpring may not be as complete. As such, ensure that contacts brought into SharpSpring can have their consent proven based on the GDPR's current definition of consent.
- Establish and re-establish consent. Just as consent can be given, it can also be revoked. If you do not have consent from a lead, you must remove the lead from your lists. Also, even if an email recipient has explicitly stated that they want to receive your emails, it is in your best interest as a marketer to send a reconfirmation email to that recipient when they have low engagement or are unengaged. Additionally, be wary of leads who have not opened emails, visited websites, or completed forms in quite some time. These leads may no longer be willing to provide consent. Routine re-permission campaigns will help to maintain records of consent.
- Make unsubscribe footers visible and accessible. SharpSpring automatically adds an unsubscribe link to all emails sent through automations and sent to lists. Unsubscribe links must be visible and unobstructed in emails. Smart Mail may also require unsubscribe links. Depending on the context, if the Smart Mail is not transactional in nature, include an unsubscribe link to ensure compliance with the GDPR. By default, Smart Mail does not include an unsubscribe link, so it is important for you to include an unsubscribe link in the footer to ensure that recipients can opt out from receiving future communications.
- Ensure that all third-party services are compliant. This extends beyond SharpSpring. If you are utilizing other third-party services, validate that they comply with the GDPR. If they do not, be aware that their service may be interrupted, which will interrupt yours in turn. SharpSpring is working to ensure that all its third-party vendors are compliant—or, at a minimum, adhere to strict data privacy and protection standards.
- Consider hiring a data protection officer. The GDPR has specific requirements for organizations that process or store large amounts or personal data. A data protection officer (DPO) may be required in some circumstances. Among their many job roles, DPOs primarily audit organizations to ensure compliance and train organizations on how to maintain GDPR compliance.
For more information on customer actions and the marketing impacts of the GDPR, refer to the following external help resources: