The European Union’s General Data Protection Regulation (GDPR), a European Union privacy regulation, took effect on May 25, 2018, and SalesLoft is committed to ensuring ongoing compliance with the regulation. The GDPR extends the reach of the European Union’s data protection laws and established many new requirements for organizations that fall under its scope.
Want to learn more about GDPR? Here are the important facts.
Who has to comply with the GDPR?
- Any EU-based organizations considered “controllers” or “processor” of data. In general, controllers determine the means and purposes of data processing while processors handle data for specified purposes on behalf of controllers.
- Organizations considered controllers or processors of personal data of EU residents in relation to goods or services provided to them.
- Organizations who monitor the behavior of EU residents.
Many of SalesLoft’s customers fall into the “controller” category as they are collecting and using personal data about their prospects. Since SalesLoft falls under the “processor” category, we are required by the GDPR to treat our customers’ data as if it were our own.
Why is the GDPR such a big deal?
The GDPR is an unprecedented privacy regulation in terms of its breadth, depth, and impact. More organizations than ever are required to comply with the regulation, and the regulation is chock full of new requirements for controllers and processors. Fines for noncompliance with GDPR may be imposed up to the greater of €20 MM or 4% of global revenue.
What are some of the major changes the GDPR brought about?
- The GDPR gives EU residents the “right to be forgotten” by controllers and processors. If a data subject requests their data to be removed, controllers are responsible for securely deleting the data from their systems and ensuring processors delete data as well.
- The GDPR outlines specific requirements for notifications in the event of a data breach. Organizations who experience a data breach must notify data protection authorities, and in certain cases, they must also notify the data subject.
- The GDPR extends to organizations who monitor the behavior of EU residents online. This includes e-mail tracking as well as tracking of user behavior on an organization’s website.
- The GDPR centralizes the regulation of processing of EU resident data. All processing of personal data belonging to residents of the EU will be governed by the GDPR, regardless of the member state in which the data subject resides.
How does SalesLoft support GDPR?
Data security and privacy are top priorities for SalesLoft. To demonstrate our dedication to security and privacy, we have obtained ISO 27001 certification and a SOC 2 Type 2 report for our platform, and we are in compliance with the EU/US Privacy Shield framework. More information on our current security practices can be found on our Security and Compliance page. Our privacy team has analyzed the requirements of the GDPR and enhanced our policies, procedures, contracts and platform features to ensure we comply with the GDPR and enable compliance for our customers.
What should SalesLoft customers do to maintain compliance in light of the GDPR?
If your organization is a controller or processor of EU resident data, it is critical to maintain compliant security and privacy practices. The following steps will allow you to maintain compliance:
- Tone at the top is key. Establish support at top levels for GDPR compliance efforts, and designate a data protection officer (DPO) to oversee the compliance efforts.
- Review current security and privacy efforts and perform a privacy impact assessment (PIA) over high-risk data processing activities. Results of the PIA should drive the establishment of new control activities to mitigate the identified risks.
- Ensure transparency with data subjects. Data should only be used for the purposes specified in agreements and privacy notices and should only be transferred to third parties that are disclosed in agreements.
- Keep a record of compliance activities. It always helps to have a detailed record of the work your organization has done to comply with the GDPR. Whether it’s a PIA, policy document, or consent form, etc., documentation of security and privacy practices will assist your organization in demonstrating its compliance with the GDPR.
If you or anyone in your organization has questions about the GDPR, or any of SalesLoft’s security and privacy practices, please do not hesitate to contact our security team at firstname.lastname@example.org.