GDPR

There’s been a lot of buzz surrounding the General Data Protection Regulation, commonly known as GDPR, which is a new data privacy law that will be enforced starting May 25, 2018.

This new law means important changes for many digital marketers, so it’s crucial to be prepared. While it may feel a little like red tape, these policies are designed to build trust with customers and to provide a better user experience, which is our end goal anyway, right?

So don’t worry, SharpSpring is committed to providing customers with tools to make it easier to be GDPR compliant as of May 25 and beyond. Here are some important points to consider.

What Is GDPR and Who Should Care?

Passed by the European Union (EU), GDPR changes data privacy requirements for organizations that control or process personal data for people who live in the EU (and, yes, that includes folks in the UK), regardless of where the organization itself is located.

To understand what this means for you, here’s a quick rundown on some key GDPR terms:

  • Data Subjects – Web visitors, contacts, leads, and customers who are EU residents and whose information is stored in one of your databases
  • Controller – Your company if you have information stored about folks who qualify as “data subjects” (as described above)
  • Processor – SharpSpring or any other platform your company uses to capture and manage information about “data subjects” (as described above)

So… if you have EU customers, site visitors, or prospects, you’re probably a “controller” and GDPR likely applies to you. If you use SharpSpring (or any other marketing automation, CRM, or email marketing platform) to manage your lead/customer data, then GDPR likely applies to them (and you).

SharpSpring and GDPR Compliance

The cool thing about SharpSpring, and similar marketing automation platforms, is that many built-in features help customers tackle issues and manage their contact data to be GDPR compliant. Whether you’re talking about GDPR, CAN-SPAM, or CASL, being able to prove how customers came into your database and how they’re interacting with you is more critical than ever. This means that having a unified marketing automation platform has become even more essential.

We’re creating new functionality to make it easier for customers to comply with GDPR and strengthening our own policies to meet these requirements. Bottom line: SharpSpring will be fully compliant with GDPR by May 25.

Here are some highlights of what we have in the works; check out SharpSpring’s GDPR Roadmap for more details.

Shiny New Privacy Policy

The first stop on our road to compliance is an updated privacy policy. This new policy will clearly outline what data we collect from customers and from third parties, how we process and use that data, and how customer data and third-party data interact. In this policy, we’ll detail what our responsibilities are to our customers and their data in terms of U.S. and EU privacy laws. We’ll also include specific examples of our data processing practices to break down how our privacy policy works.

If It Happens, We’ll Log It

SharpSpring already maintains an audit trail for many important events that occur in our networks and on our servers, but we’re about to kick it up a notch. With GDPR, we’ll log these events even more granularly to show specifically how customer data is transferred, updated, deleted, and accessed.

Verify, Verify, Verify

As mentioned above, our customers are the “controllers” of their lead data, and SharpSpring is the “processor” of that data. So naturally, we want to ensure our customers maintain full control over their databases.

Because of this, when users call SharpSpring Support, we’ll ask them to provide additional information for certain requests. This will help verify their identity before SharpSpring staff access their data or perform certain actions on their behalf. Better safe than sorry!

Transparency Is Key

GDPR requires full transparency about the collection of individuals’ data, which is A-okay with us. More transparency = more trust.

SharpSpring partners with third-party data providers to power certain features, like VisitorID. Starting in May, we’ll log more granular information about what data we obtain from third parties and how it’s being used. We’ll publish a list of our third-party data providers, an overview of the data they provide to us, and their contact information.

And we’re not stopping there. We’ll also log when we share customer data with third parties, which will be Privacy Shield certified or have a specific data privacy agreement with us. Details of the agreement and vendors operating under it will be published too.

The Right to Be Forgotten

The “right to be forgotten” is one of the more well-known conditions of GDPR. If someone wants their data removed from our system, we’ll accommodate this request within 30 days – and our feelings will only be a little hurt. Kidding.

We’ll publish a comprehensive overview of our data retention policies to explain what data we retain, for how long we keep it, and the reasons why we keep it. We’ll also expand our current tools and build some new ones to help our customers easily respond to these requests from their contacts.

New Form Tools

The ability to prove consent – like consent to receive a direct marketing email – is critically important to GDPR compliance. To help our customers prove consent, we’ll record more metadata about submissions to SharpSpring forms. This metadata (e.g., IP address, date, and time stamp of the form fill) will be available to customers when exporting leads from SharpSpring.

We’ll also provide more options on our forms to help customers solicit different kinds of consent. Customers will be able to choose whether or not to enable these options based on their specific business practices and target customer location.

Cookie Usage on Landing Pages

We’ll also beef up our landing page designer with a cool new feature to help with GDPR compliance. Users will be able to configure a “Cookie Disclosure” element on SharpSpring landing pages, allowing them to disclose to visitors what cookies they’re using and for what purpose.

The choice to enable this feature will be completely up to our customers. Opting in to web cookies will be simpler than ever.

More Export and Reporting Options

Under GDPR, an individual can request access to the data being held about them. While SharpSpring already provides many tools for exporting data, in the coming weeks, we’ll introduce some new and improved export options. This will give users access to the detailed data that GDPR requires in case one of their contacts comes knocking.

For example, the metadata that SharpSpring forms will record – such as subscription date – will be available when exporting leads from SharpSpring. Customers will be able to quickly respond to data requests and easily download the necessary information from SharpSpring – it’ll be just a couple clicks away.

What’s Next?

As we continue to take strides toward GDPR compliance, we’ll update our customers as these features become available, as we add new ones to the roadmap, and as we implement policies and best practices.

Let’s get real. No one is excited about change – unless it’s a new car, home, or equally exciting toy. But these new privacy laws just happen to present new opportunities for all marketers to rethink how they interact with people most interested in their products and services.

We look forward to being even more transparent and relevant to our prospective customers, while respecting and protecting their right to data privacy… and helping our current customers do the same.

Disclaimer: This document is not legal advice. It is only meant to provide general information on selected aspects of the GDPR. While this document addresses some legal aspects of the GDPR, it is not intended to provide legal advice. SharpSpring recommends that you consult your attorney on how best to comply with the GDPR.

AUTHOR
Jon Marburger
Head of Product, SharpSpring