
GDPR + Copper + You


Harvey Ranola

By now you’ve probably heard about the General Data Protection Regulation (GDPR) going into effect May 25th 2018, but are you up to speed on what it actually means? GDPR is a new set of laws that regulate how you access and process personal data for EU citizens.

Our VP of Engineering, Rahul Parthak, led the charge to ensure Copper is GDPR compliant. Curious about what we’ve done? Rahul shares a rundown on all things GDPR and how Copper is preparing in this webinar and in the recap below.

GDPR compliance: What does it take?

To understand what it means to comply with GDPR, we’ll start with a few key terms:

  • Data controller - When an organization determines the purpose, conditions, and means of processing personal data, they are acting as a data controller. This is the first point of direct interaction that an individual has with a company, when their personal data is collected. Your business acts as a data controller when you collect personal information.
  • Data processor - A company is acting as a data processor when it processes personal data on behalf of the data controller. For example, if you are a Copper customer, Copper is a data processor of your contacts’ data.
  • Subprocessor - A subprocessor processes sensitive data on behalf of a data processor. It includes any technology you use to touch, relay, or store your contact data. For example, Amazon Web Services (AWS) is a subprocessor for Copper contact data, as they host our data servers.

In order for your organization to be GDPR compliant, you have to take a holistic approach and make sure your entire data processing chain is compliant.

First, you’ll want to establish policies, controls, and procedures for data protection and data privacy to ensure they’re enforced across your company.

Once you’ve done that, you must analyze all areas where you’re acting as a data controller and data processor. For each instance, you’ll want to figure out where the data is being stored, if it’s secure, who has access to it, and if it can be deleted on request, along with many other GDPR requirements. You’ll need to repeat this exercise for every subprocessor.

You must also have any vendor that touches contact data sign a data processing agreement (DPA). A DPA describes the organization's obligations with respect to personal data. For example, if you are a Copper customer, we are a data processor for your organization. We have a pre-signed agreement you can download on our Knowledge Base. Please fill it out and email the completed form to

Another big piece of GDPR compliance is consent. Consent to collect an individual's personal data must be explicitly given (e.g. through an opt-in form), not implied. The same goes for tracking cookies, which often apply to your company website. You must have users accept your company’s cookie tracking and agree to give you their personal information.

How is Copper preparing for GDPR compliance?

Data security and ensuring data privacy are top priorities at Copper. We have been actively preparing to be GDPR compliant by creating a robust set of security measures including privacy policies, controls, and procedures. They include:

  • We ensure contact data is being handled properly through several third-party certifications, including SOC 2, EU-US Security Shield, and TRUSTe
  • We encrypt your data in transit and at rest
  • We perform background checks and provide annual data security training for all employees at Copper
  • We limit our employees’ access to contact data. If access isn’t critical for getting their jobs done, they don’t have access to it.
  • We run periodic vulnerability and penetration tests to ensure we aren’t creating any security holes as we add new features to our product
  • Because consent to collect personal data must be explicit, not implied, we’ve added opt-ins for collecting data and tracking cookies to our website
  • All third-party vendors that touch our contact data have signed DPAs

You can learn more about how we’re preparing on our Knowledge Base.

What are your next steps?

Approach GDPR holistically. Copper is just one vendor in your GDPR equation. You must work with all vendors that touch your EU citizen contact data to ensure compliance. If you haven’t already, analyze all areas where you’re acting as a data controller and data processor to ensure the data is being handled in a compliant manner. Get DPAs signed from each individual vendor before May 25.


We’ve had customers reach out with some questions over the past few months in preparation for GDPR. Here are answers to the most frequently asked:

Is using email open tracking GDPR compliant?

As long as a contact has opted in to receive communications from you, email open tracking complies with GDPR. If you have email tracking enabled and a contact writes in asking for their data to be deleted, you’ll have the option to delete that tracking to ensure compliance with the right to be forgotten.

What is a “Data Protection Impact Assessment”? Does Copper have one? Do I need to have one?

A Data Protection Impact Assessment (DPIA) is a risk-assessment document. GDPR dictates that companies which engage in activities that have high risks to the rights and freedoms of natural persons need one. Industries like healthcare, insurance, and banking, as well as data analytics companies, online marketing businesses, and search engines fall into this category. Copper doesn’t need a Data Protection Impact Assessment, and whether your company needs one depends on your industry.

Where can I find your list of subprocessors?

You can find Copper’s list of subprocessors and other information on how Copper is preparing for GDPR compliance on our Knowledge Base.

Does GDPR apply to personal data processed before the May 25, 2018 effective date?

Yes, the GDPR law is retroactive!

If you have any additional questions that come up, please email us at
