So far in our GDPR series, we’ve learned about what GDPR is and who it applies to and how it affects prospecting. This week we’re examining how GDPR impacts your tech stack with our VP of Information Security, Mike Meyer.

Revenue systems are where the rubber meets the road for the sales team’s compliance with GDPR. Many organizations have ever-increasing technology portfolios, and under GDPR it will be critical to know where all personal data elements live.

Technology Inventory

In order to better understand how EU resident personal data enters your systems, as well as where data resides within your technology stack, a system data flow map or inventory should be created. Below is a list of the types of systems that should be considered in this inventory:

  • Marketing automation
  • CRM and connected applications
  • Sales engagement software
  • Any other system that systematically processes data as part of the sales process

The data elements captured by each system should also be included in this inventory. Once the inventory is established, access to the systems should be appropriately limited, and administrative functions within those applications should also be limited to authorized personnel.

Website System Governance

Marketing and sales operations teams will play a crucial role in ensuring that systems do not capture noncompliant data. In our previous post, we mentioned limiting the collection of nonessential information in the prospecting phase. Similarly, marketing websites must be appropriately configured to limit the amount and types of data collected about EU residents.

Companies often collect data about a person via marketing automation tools. As such, appropriate notice should be supplied to EU visitors of a website, especially if you target EU residents. In order to accomplish this, companies should post their privacy policy and cookie policy (if one exists). Additionally, modals should be used where technically feasible to ensure visitors are adequately notified that their activity is being tracked.

Vendor Management

In most technology stacks, third parties play an important role in the sales cycle and process personal data as a result. Under GDPR, vendors with access to this data are considered “processors.”

Article 28 of the GDPR lays out special requirements for transfers of data to processors. First, a Data Processing Addendum (DPA) should be in place for all vendors/third parties with access to EU resident personal data. Additionally, the security and privacy controls at each in-scope vendor should be reviewed by your legal and security teams, and a process should be in place to vet any new vendors before granting access to data.

The GDPR also specifies that if data is transferred to third parties outside of the EU, special requirements must be met. There are several acceptable justifications for transferring data to parties outside the EU, but the three primary justifications are:

  1. Adequacy decision by the European Commission – several countries have been deemed to have adequate privacy practices for transfer of data. Note that the US is one of those countries, provided that the vendor in question is certified under the Privacy Shield framework.
  2. Inclusion of standard contractual clauses (also called model clauses) in a DPA or other agreement
  3. Binding corporate rules (BCRs) – these primarily apply to “a group of enterprises engaged in a joint economic activity” and are outlined in Article 47 of the GDPR.

If your vendor falls into the above categories, they may process your data; however, your privacy notice and other agreements must be transparent about the types of vendors used in sales activities.

Data Subject Rights

Under GDPR, data subjects now have the following rights with respect to their data:

  • Right to be forgotten (i.e., erasure of data)
  • Right to obtain a copy of data
  • Right to restrict process of data
  • Right to have data ported to another controller
  • Right to rectification of data

With the above in mind, sales teams must configure their systems and adjust their processes to ensure that these types of requests may be easily submitted and facilitated. The right to be forgotten is of particular importance, as it requires erasure of personal data from all systems (including any relevant third party systems). As mentioned earlier, a map of all data processing systems and activities will give your team better visibility into where data lives so that it can be properly deleted.

Technology is an increasingly important aspect of the sales cycle. While GDPR doesn’t change that, it will require sales teams to ensure their technology is compliant.

Hungry for more?  Here are some other GDPR pieces you might find useful: