By now you’ve probably heard about the General Data Protection Regulation (GDPR) going into effect May 25th 2018, but are you up to speed on what it actually means? GDPR is a new set of laws that regulate how you access and process personal data for EU citizens.
Our VP of Engineering, Rahul Parthak, led the charge to ensure Copper is GDPR compliant. Curious about what we’ve done? Rahul shares a rundown on all things GDPR and how Copper is preparing in this webinar and in the recap below.
GDPR compliance: What does it take?
To understand what it means to comply with GDPR, we’ll start with a few key terms:
- Data controller - When an organization determines the purpose, conditions, and means of processing personal data, they are acting as a data controller. This is the first point of direct interaction that an individual has with a company, when their personal data is collected. Your business acts as a data controller when you collect personal information.
- Data processor - A company is acting as a data processor when they process personal data on behalf of the data controller. For example, as a Copper customer, Copper is a data processor of your contact’s data.
- Subprocessor - A subprocessor processes sensitive data on behalf of a data processor. It includes any technology you use to touch, relay, or store your contact data. For example, Amazon Web Services (AWS) is a subprocessor for Copper contact data, as they host our data servers.
In order for your organization to be GDPR compliant, you have to take a holistic approach and make sure your entire data processing chain is compliant.
First, you’ll want to establish policies, controls, and procedures for data protection and data privacy to ensure they’re enforced across your company.
Once you’ve done that, you must analyze all areas where you’re acting as a data controller and data processor. For each instance, you’ll want to figure out where the data is being stored, if it’s secure, who has access to it, and if it can be deleted on request, along with many other GDPR requirements. You’ll need to repeat this exercise for every subprocessor.
You must also have any vendor that touches contact data sign a data processing agreement (DPA). A DPA describes the organization's obligations with respect to personal data. For example, as a Copper customer, we are a data processor for your organization. We have a pre-signed agreement you can download on our Knowledge Base. Please fill it out and email the completed form to email@example.com.
Another big piece of GDPR compliance is consent. Consent to collect their personal data must be explicitly given, not implied (e.g. an opt-in form). The same goes for tracking cookies, which often applies to your company website. You must have users accept your company’s cookie tracking and agree to giving you their personal information.
How is Copper preparing for GDPR compliance?
Data security and ensuring data privacy are top priorities at Copper. We have been actively preparing to be GDPR compliant by creating a robust set of security measures including privacy policies, controls, and procedures. They include:
- We ensure contact data is being handled properly through several third-party certifications, including SOC 2, EU-US Security Shield, and TRUSTe
- We encrypt your data in transit and at rest
- We perform background checks and provide annual data security training for all employees at Copper
- We limit our employees’ access to contact data. If access isn’t critical for getting their jobs done, they don’t have access to it.
- We run periodic vulnerability and penetration tests to ensure we aren’t creating any security holes as we add new features to our product
- Because consent to collect personal data must be explicit, not implied, we’ve added opt-ins for collecting data and tracking cookies to our website
- All third-party vendors that touch our contact data have signed DPAs
You can learn more about how we’re preparing on our Knowledge Base.
What are your next steps?
Approach GDPR holistically. Copper is just one vendor in your GDPR equation. You must work with all vendors that touch your EU citizen contact data to ensure compliance. If you haven’t already, analyze all areas where you’re acting as a data controller and data processor to ensure it’s being handled in a compliant manner. Get DPAs signed from each individual vendor before May 25.
We’ve had customers reach out with some questions over the past few months in preparation for GDPR. Here are answers to the most frequently asked:
Is using email open tracking GDPR compliant?
As long as a contact has opted in to receive communications from you, email open tracking complies with GDPR. If you have email tracking enabled and a contact writes in asking for their data to be deleted, you’ll have the option to delete that tracking to ensure compliance with the right to be forgotten.
What is a “Data Protection Impact Assessment”? Does Copper have one? Do I need to have one?
A Data Protection Impact Assessment (DPIA) is a risk-assessment document. GDPR dictates that companies which engage in activities that have high risks to the rights and freedoms of natural persons need one. Industries like healthcare, insurance, and banking, as well as data analytics companies, online marketing businesses, and search engines fall into this category. Copper doesn’t need a Data Protection Impact Assessment, and whether your company needs one depends on your industry.
Where can I find your list of subprocessors?
You can find Copper’s list of subprocessors and other information on how Copper is preparing for GDPR compliance on our Knowledge Base.
Does GDPR apply to personal data processed before the May 25, 2018 effective date?
Yes, the GDPR law is retroactive!
If you have any additional questions that come up, please email us at firstname.lastname@example.org.