The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018, and we’re more than prepared for it. The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope. Our privacy team is well ahead of schedule to make sure SalesLoft meets the requirements of the GDPR.
Want to learn more about GDPR? Here are the important facts.
Who has to comply with the GDPR?
- Any EU-based organizations considered “controllers” or “processors” of data. In general, controllers determine the means and purposes of data processing, while processors handle data for specified purposes on behalf of controllers.
- Organizations considered controllers or processors of personal data of EU residents in relation to goods or services provided to them
- Organizations that monitor the behavior of EU residents
Many of SalesLoft’s customers will fall into the “controller” category as they are collecting and using personal data about their prospects. And since SalesLoft falls under the “processor” category, we are required by the GDPR to treat our customers’ data as if it were our own.
Why is the GDPR such a big deal?
The GDPR is an unprecedented privacy regulation in terms of its breadth, depth, and impact. More organizations than ever are required to comply with the regulation, and the regulation is chock-full of new requirements for controllers and processors. Fines for noncompliance with the GDPR may be imposed up to the greater of €20 MM or 4% of global revenue.
What are some of the major changes the GDPR brings about?
- The GDPR gives EU residents the “right to be forgotten” by controllers and processors. If a data subject requests their data to be removed, controllers are responsible for securely deleting the data from their systems and ensuring processors delete data as well.
- The GDPR outlines specific requirements for notifications in the event of a data breach. Organizations that experience a data breach must notify data protection authorities, and in certain cases they must also notify the affected data subjects.
- The GDPR now extends to organizations that monitor the behavior of EU residents online. This includes e-mail tracking as well as tracking of user behavior on an organization’s website.
- The GDPR centralizes the regulation of processing of EU resident data. All processing of personal data belonging to residents of the EU will be governed by the GDPR, regardless of the member state in which the data subject resides.
What is SalesLoft doing to prepare for the GDPR?
Data security and privacy are top priorities for SalesLoft. To demonstrate our dedication to security and privacy, we have obtained ISO 27001 certification and a SOC 2 Type 2 report for our platform, and we are currently in compliance with the EU/US Privacy Shield framework. More information on our current security practices can be found on our Security and Compliance page. Our privacy team has analyzed the requirements of the GDPR and is working to enhance our policies, procedures, contracts and platform features to ensure we comply with the GDPR prior to the deadline and enable compliance for our customers.
What should SalesLoft customers do to prepare for the GDPR?
If your organization is a controller or processor of EU resident data, it will be critical to establish compliant security and privacy practices prior to the May 25, 2018 deadline. The following steps will allow you to achieve compliance:
- Tone at the top is key. Establish support at top levels for GDPR compliance efforts, and designate a data protection officer (DPO) to oversee the compliance efforts.
- Review current security and privacy efforts and perform a privacy impact assessment (PIA) over high-risk data processing activities. Results of the PIA should drive the establishment of new control activities to mitigate the identified risks.
- Ensure transparency with data subjects. Any time an organization collects data from European residents, explicit consent from the data subject must be obtained. Additionally, data should only be used for the purposes specified and should only be transferred to third parties disclosed in agreements.
- Keep a record of compliance activities. It always helps to have a detailed record of the work your organization has done to comply with the GDPR. Whether it is a PIA, a policy document, a consent form, or similar, documentation of security and privacy practices will assist your organization in demonstrating its compliance with the GDPR.
If you or anyone in your organization has questions about the GDPR, or any of SalesLoft’s security and privacy practices, please do not hesitate to contact our security team at firstname.lastname@example.org.