
GDPR + Copper + You


Harvey Ranola

By now you’ve probably heard about the General Data Protection Regulation (GDPR) going into effect May 25th 2018, but are you up to speed on what it actually means? GDPR is a new set of laws that regulate how you access and process personal data for EU citizens.

Our VP of Engineering, Rahul Parthak, led the charge to ensure Copper is GDPR compliant. Curious about what we’ve done? Rahul shares a rundown on all things GDPR and how Copper is preparing in this webinar and in the recap below.

GDPR compliance: What does it take?

To understand what it means to comply with GDPR, we’ll start with a few key terms:

  • Data controller - When an organization determines the purpose, conditions, and means of processing personal data, they are acting as a data controller. This is the first point of direct interaction that an individual has with a company, when their personal data is collected. Your business acts as a data controller when you collect personal information.
  • Data processor - A company is acting as a data processor when they process personal data on behalf of the data controller. For example, if you are a Copper customer, Copper is a data processor of your contacts’ data.
  • Subprocessor - A subprocessor processes sensitive data on behalf of a data processor. It includes any technology you use to touch, relay, or store your contact data. For example, Amazon Web Services (AWS) is a subprocessor for Copper contact data, as they host our data servers.

In order for your organization to be GDPR compliant, you have to take a holistic approach and make sure your entire data processing chain is compliant.

First, you’ll want to establish policies, controls, and procedures for data protection and data privacy to ensure they’re enforced across your company.

Once you’ve done that, you must analyze all areas where you’re acting as a data controller and data processor. For each instance, you’ll want to figure out where the data is being stored, if it’s secure, who has access to it, and if it can be deleted on request, along with many other GDPR requirements. You’ll need to repeat this exercise for every subprocessor.

You must also have any vendor that touches contact data sign a data processing agreement (DPA). A DPA describes the organization's obligations with respect to personal data. For example, if you are a Copper customer, we are a data processor for your organization. We have a pre-signed agreement you can download on our Knowledge Base. Please fill it out and email the completed form to

Another big piece of GDPR compliance is consent. Consent to collect an individual's personal data must be explicitly given (e.g. through an opt-in form), not implied. The same goes for tracking cookies, which often applies to your company website. You must have users accept your company’s cookie tracking and agree to give you their personal information.

How is Copper preparing for GDPR compliance?

Data security and ensuring data privacy are top priorities at Copper. We have been actively preparing to be GDPR compliant by creating a robust set of security measures including privacy policies, controls, and procedures. They include:

  • We ensure contact data is being handled properly through several third-party certifications, including SOC 2, EU-US Security Shield, and TRUSTe
  • We encrypt your data in transit and at rest
  • We perform background checks and provide annual data security training for all employees at Copper
  • We limit our employees’ access to contact data. If access isn’t critical for getting their jobs done, they don’t have access to it.
  • We run periodic vulnerability and penetration tests to ensure we aren’t creating any security holes as we add new features to our product
  • Because consent to collect personal data must be explicit, not implied, we’ve added opt-ins for collecting data and tracking cookies to our website
  • All third-party vendors that touch our contact data have signed DPAs

You can learn more about how we’re preparing on our Knowledge Base.

What are your next steps?

Approach GDPR holistically. Copper is just one vendor in your GDPR equation. You must work with all vendors that touch your EU citizen contact data to ensure compliance. If you haven’t already, analyze all areas where you’re acting as a data controller and data processor to ensure the data is being handled in a compliant manner. Get a signed DPA from each individual vendor before May 25.


We’ve had customers reach out with some questions over the past few months in preparation for GDPR. Here are answers to the most frequently asked:

Is using email open tracking GDPR compliant?

As long as a contact has opted in to receive communications from you, email open tracking complies with GDPR. If you have email tracking enabled and a contact writes in asking for their data to be deleted, you’ll have the option to delete that tracking to ensure compliance with the right to be forgotten.

What is a “Data Protection Impact Assessment”? Does Copper have one? Do I need to have one?

A Data Protection Impact Assessment (DPIA) is a risk-assessment document. GDPR dictates that companies which engage in activities that have high risks to the rights and freedoms of natural persons need one. Industries like healthcare, insurance, and banking, as well as data analytics companies, online marketing businesses, and search engines fall into this category. Copper doesn’t need a Data Protection Impact Assessment, and whether your company needs one depends on your industry.

Where can I find your list of subprocessors?

You can find Copper’s list of subprocessors and other information on how Copper is preparing for GDPR compliance on our Knowledge Base.

Does GDPR apply to personal data processed before the May 25, 2018 effective date?

Yes, the GDPR law is retroactive!

If you have any additional questions that come up, please email us at
