How GDPR Impacts SharpSpring and You
The European Union’s new data protection law, the General Data Protection Regulation (GDPR), is meant to protect the data and rights of individuals who are in the European Union and European Economic Area (EU/EEA). More than that, the GDPR details how organizations are to handle these individuals’ personal data in safe, secure, open, and benign ways. Responsibility for compliance extends to any organization that communicates with individuals who are in the EU/EEA. As such, the GDPR affects both organizations that are established in the EU/EEA and many organizations that operate outside of the EU/EEA but interact with individuals who are in the EU/EEA.
Enforcement of the GDPR will begin on 25 May 2018. SharpSpring is preparing to meet the GDPR requirements by that date. As such, SharpSpring will be implementing changes to software and policies in the coming weeks to specifically address its new responsibilities and assist its customers in meeting some of their responsibilities under the GDPR.
Disclaimer: This document is not legal advice. It is only meant to provide general information on selected aspects of the GDPR. While this document addresses some legal aspects of the GDPR, it is not intended to provide legal advice. SharpSpring recommends that you consult a data protection specialist on how best to comply with the GDPR.
- What data SharpSpring collects from clients and third-party entities
- How SharpSpring processes and uses data
- How client data and third-party data interact
- SharpSpring’s responsibilities to clients and client data as it concerns United States and EU/EEA privacy law
- In addition, SharpSpring will include specific examples of data processing practices.
The ability to prove consent is an important aspect of the GDPR. Article 4 of the GDPR defines consent as follows:
…Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her…
SharpSpring already provides ways to request or revoke consent. To more closely comply with the new rules on consent in the GDPR, SharpSpring will be changing how certain core features of the platform provide means to request and revoke consent.
Forms will be updated to help individuals provide consent. More metadata about submissions to SharpSpring forms will be recorded. This metadata will include key pieces of information, including IP addresses and subscription dates, and will be available when exporting leads from SharpSpring. In addition, when building forms to solicit various kinds of consent, SharpSpring will provide some new options.
Landing pages will also be updated to address the consent requirements. SharpSpring is updating the landing page designer to allow users to configure a cookie disclosure design element. This design element will disclose what cookies are being used on landing pages—and for what purpose.
These form and landing page updates will be available to use as needed. SharpSpring leaves their use to the client’s discretion. Clients should consider their usage based on individuals they are targeting, as well as the locations of these individuals.
Requesting permission is only part of the new consent rules. Under the GDPR, you must also identify and retain a record of exactly how you obtained an individual’s information and consent. The GDPR requires the following be addressed:
- How recipients consent to you sending them information
- How recipients consent to you storing their information
- How recipients provided consent
- How recipients consented to have their information given
SharpSpring already enables you to create custom fields, organize those custom fields into folders, and view information on those custom fields on a lead’s record at any time. Make a point to investigate the sources and keep track of where you get your data. Keeping this information on-hand is at your discretion. Know from which source your data was collected prior to GDPR implementation, and going forward.
Third-Party Data Tracking
The GDPR requires organizations to be transparent about their practices regarding personal data. To comply with these transparency requirements, SharpSpring will internally log more granular information on what data has been obtained from third parties, as well as how that data is being used. This information will be publicly visible. SharpSpring will publish the following:
- A list of all associated third-party data providers
- An overview of the data supplied by third-party data providers
- The contact information of associated third-party data providers
Instances where SharpSpring shares client data with these third-party providers will be documented. In addition, SharpSpring will require associated third-party providers to self-certify their compliance with the EU-US Privacy Shield Principles, or to execute specific data privacy agreements with SharpSpring. To maintain transparency, SharpSpring will publish details of these privacy agreements, as well as which vendors are operating under them.
Internal Data Logging
SharpSpring already maintains an audit trail. These audits account for important events that occur in SharpSpring’s networks and servers. These audits, as well as other records, are in place due to various existing regulatory, compliance, and legal measures. To better represent the audit process, and comply with the GDPR, SharpSpring will update these internal audit logs and similar records. The changes will reflect, in a granular fashion, how customer data is transferred, updated, deleted, and accessed within the SharpSpring platform.
Data Access and Verification
The GDPR requires organizations to provide individuals with the means to know how their data is being processed and used. To comply with these new rules on data access, SharpSpring will implement new verification measures. Going forward, when a client makes certain support requests, SharpSpring will ask the client to provide additional information. These requests will help verify a client’s identity before SharpSpring staff accesses certain data or performs certain actions on the client’s behalf.
The GDPR requires organizations, upon request, to provide, free of charge, electronic copies of an individual’s personal data. The SharpSpring platform will be updated to address the new rules on data access. SharpSpring’s data exporting tools will be available to assist in exporting this personal data. SharpSpring will also introduce new export tools—and will be making changes to existing export tools—allowing clients to download data that they provided to SharpSpring, excluding certain historical data that has been deleted or removed.
Data Erasure and Other Limitations
The GDPR affords the right to data erasure, also known as the right to be forgotten. This right provides individuals, in limited circumstances, with the ability to request that their data be deleted. In addition, to address data erasure more directly, SharpSpring is currently in the process of building, updating, and expanding internal tools. These internal tools allow SharpSpring to respond to data erasure requests in a timely manner.
The GDPR also provides a right to restrict the processing of personal data and to object to the processing of personal data. SharpSpring will provide a means for individuals to request that their data stops being disseminated to other organizations and entities.
SharpSpring will publish a comprehensive overview of its data retention policies. This overview will answer the following questions:
- What data does SharpSpring keep?
- How long does SharpSpring keep that data?
- Why does SharpSpring keep the data?
Recommended Customer Actions
It is not just SharpSpring that is impacted by the GDPR. Email marketers should take action to remain compliant. Again, GDPR compliance is required for all marketers that have leads in the EU/EEA. While in no way a complete list, SharpSpring recommends that email marketers do the following to begin to comply with the GDPR:
Prove individual consent. With the GDPR, the basis of consent has changed. There is now a requirement to prove whether or not your email recipients consent to the communication you are sending them. Certain SharpSpring features—such as double opt-in and confirmed opt-in—provide records of consent. However, records and other information from outside SharpSpring may not be as complete. As such, ensure that contacts brought into SharpSpring can have their consent proven based on the GDPR’s current definition of consent.
Establish and re-establish consent. Just as consent can be given, it can also be revoked. If you do not have consent from a lead, you must remove the lead from your lists. Also, even if an email recipient has explicitly stated that they want to receive your emails, it is in your best interest as a marketer to send a reconfirmation email to that recipient when they have low engagement or are unengaged. Additionally, be wary of leads who have not opened emails, visited websites, or completed forms in quite some time. These leads may no longer be willing to provide consent. Routine re-permission campaigns will help to maintain records of consent.
Make unsubscribe footers visible and accessible. SharpSpring automatically adds an unsubscribe link to all emails sent through automations and sent to lists. Unsubscribe links must be visible and unobstructed in emails. Smart Mail may also require unsubscribe links. Depending on the context, if the Smart Mail is not transactional in nature, include an unsubscribe link to ensure compliance with the GDPR. By default, Smart Mail does not include an unsubscribe link, so it is important for you to include an unsubscribe link in the footer to ensure that recipients can opt out from receiving future communications.
Ensure that all third-party services are compliant. This extends beyond SharpSpring. If you are utilizing other third-party services, validate that they comply with the GDPR. If they do not, be aware that their service may be interrupted, which will interrupt yours in turn. SharpSpring is working to ensure that all its third-party vendors are compliant—or, at a minimum, adhere to strict data privacy and protection standards.
Consider hiring a data protection officer. The GDPR has specific requirements for organizations that process or store large amounts of personal data. A data protection officer (DPO) may be required in some circumstances. Among their many job roles, DPOs primarily audit organizations to ensure compliance and train organizations on how to maintain GDPR compliance.