GDPR Readiness @ LeadSquared

LeadSquared is fully committed to being compliant prior to GDPR. We promise to safeguard your data.

[Contact privacy@leadsquared.com for any questions/comments]

What is GDPR?

The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. It will have a significant impact on businesses around the world.

The full text of the GDPR can be found at https://gdpr-info.eu/ .

Does the GDPR apply to me?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

GDPR – important definitions

TERM: DEFINITION

Data Subject: A person who lives in the EU

Personal Data: Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info)

Controller: A company/organisation that collects people’s personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed (for example using the LeadSquared services to market to prospects and customers), you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.

Processor: A company/organisation that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data. So for example, LeadSquared is the processor of the data you collect in your LeadSquared application. We don’t control how you collect or use the data; we merely process it on your behalf and on your instruction.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Officer (DPO): A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert

Data Privacy Impact Assessment (DPIA): A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing

Supervisory Authority: Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities)

Third Countries: Countries outside the EU

What is personal data as per GDPR?

As per GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Personal data will include not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. It’s also important to note that even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any particular individual.

What are the rights of Data Subject under GDPR?

At the heart of GDPR lies a set of rights a person can exercise against organizations processing their personal data. Specifically, individuals have the right to:

Access: Under GDPR, the Data Subject will be able to request access to his/her personal data and learn how an organization uses it.

Erasure: The Data Subject will have a right to withdraw consent to store and use personal data and have the information erased.

Data Portability: The Data Subject will have the right to transfer their data from one service provider to another, and the current provider must comply with this request.

Rectification: The Data Subject can also require any errors in personal data to be corrected, and an organization must reply to the request within one month.

To Be Informed: Under GDPR, companies must be transparent about how they gather personal information, and must do it before they collect the data. As part of this, the Data Subject must freely give consent for their data to be gathered for a specific purpose.

Restrict Processing: This gives the Data Subject the right to block and suppress processing of their personal data. Under suppression, an organization can still store personal information but cannot use it in any way.

Stop Processing: The Data Subject will have the right to object to the use and processing of their personal data. This includes direct marketing, profiling, processing for scientific or historical research, inclusion in statistical research and much more.

Once a Data Subject objects, all his or her data processing must cease immediately.

In the case of LeadSquared’s relationship with a Customer, who is Controller and who is Processor of the data?

Unless explicitly clarified in any engagement, LeadSquared will be the Processor and the Customer will be the Controller. Please refer to the definitions at the beginning of this document.

Is it mandatory for LeadSquared to provide EU hosting to its European customers to comply with GDPR?

No, there is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is “adequately protected”, data may be transferred abroad.

LeadSquared has amended its Terms of Service and provided a new Data Protection Agreement aligned with GDPR to provide adequate safeguards on data transfer of EU data subjects to non-EU regions.

What does LeadSquared do to ensure lawful data transfers from the EU?

The GDPR permits transfers of personal data outside of the EU subject to certain conditions. The EU model clauses (Standard Contractual Clauses or SCC) provide a valid mechanism to lawfully transfer personal data. LeadSquared offers a Data Processing Agreement that incorporates the model clauses to our EU/EEA customers.

  • We have created a new Data Processing Agreement (DPA) incorporating the Standard Contractual Clauses (SCC) to meet the requirements of the GDPR in order to permit our Customers to continue to lawfully transfer EU personal data to LeadSquared and permit LeadSquared to continue to lawfully receive and process that data;
  • We have updated our Terms of Service to refer to the DPA as a mechanism to lawfully transfer data of EU Data Subjects to LeadSquared.

Is it mandatory for LeadSquared’s Customers dealing with EU Data Subjects to sign Data Processing Agreement (DPA)?

Yes, it is mandatory. Well before the deadline of 25th May, LeadSquared will reach out to all its Customers dealing with EU Data Subjects to sign the DPA.

What software changes is LeadSquared planning to do in preparation of GDPR?

We are currently at work making the necessary changes to LeadSquared to ensure we’re compliant by the May 25th, 2018 deadline and to help our Customers meet their obligations under the GDPR to the extent that LeadSquared is used to collect and store EU personal data. Some of the changes already planned for execution:

  • Making it easy to obtain consent from Data Subject via default unchecked checkboxes with associated descriptions on forms and landing pages
  • Allowing consent to be taken for different purposes
  • Providing widget/option for consent on tracking by Cookie when our tracking script is used on web pages
  • Mandatorily capturing reason for unblocking any lead for email after it has been blocked due to bounce/unsubscribe/spam report.
  • Mandatory proof of opt-in to be required if data is being imported or pushed via API
  • Feature to take re-consent for emailing on existing lists
  • Allowing the Customer to let a Data Subject exercise his/her right to Access, Erasure, Portability, Rectification, Restrict or Stop Processing. The responsibility for acting on such requests will be that of the Customer (Controller).

Will LeadSquared be able to comply with the right to erasure (right to be forgotten)?

Yes. When one of your contacts (i.e. data subjects) asks you to delete them from your records, you’ll have the ability to do so quickly and easily.

Will double opt-in be mandatory?

For those unfamiliar with this term, “double opt-in” is a 2-step mechanism where a person must confirm their email address after initially signing up. The GDPR does not require double opt-in (though certain countries may make this mandatory).

Opt-in proof or proof of legitimate interest will be needed.

I have contacts in my database that I don’t have specific opt-in records for. Do I need to delete them by May 25th 2018?

If you’ve lost track of the opt-in status of your contacts or never confirmed opt-in, you can run an “opt-in confirmation” campaign to remove any unconfirmed contacts from future sends.

An opt-in confirmation is a one-time email campaign that requests any contacts who haven’t already used some form of opt-in to confirm that they would still like to receive emails from you. Only the contacts who confirm their subscription status are then kept on your list. Those who don’t confirm will then be opted out of your marketing emails. The result is a highly engaged list of contacts who have proven that they want to continue receiving marketing emails from your company.

A quick note to think about, though: just because you don’t have a record of opt-in doesn’t mean you don’t have a lawful basis to process a contact record. Lawful basis comes in multiple forms:

  • Necessary for performance of a contract. Example: if Kevin buys products from you, you can send him emails related to onboarding, billing, etc.
  • Legitimate interest. In the above example, you could email Kevin about related products or services.
  • Consent (with notice). Freely given, affirmative, opt-in consent accompanied with transparent explanation of your purpose for acquiring/using the data.

What contractual changes is LeadSquared planning in its agreements with customers & vendors in preparation of GDPR?

We are reviewing all our legal agreements to ensure we make any required changes in order to be compliant with GDPR. Here are some of the planned changes:

  • We have created a new Data Processing Agreement (DPA) to meet the requirements of the GDPR in order to permit our Customers to continue to lawfully transfer EU personal data to LeadSquared and permit LeadSquared to continue to lawfully receive and process that data;
  • We have updated our Terms of Service to refer to the DPA as a mechanism to lawfully transfer data of EU Data Subjects to LeadSquared.
  • We are updating our third-party vendor contracts to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data.