If you sell or offer products or services to customers based in the EU, you will by now have heard of the General Data Protection Regulation (GDPR).
Here’s a summary of our work towards GDPR compliance, along with the changes and information you can expect from Vero as we approach the deadline on 25 May 2018.
What is GDPR and who does it apply to?
The GDPR is an EU regulation designed to protect the personal data of individuals in the EU. It affects every organization that processes the personal data of such individuals, regardless of whether the organization itself is based in the EU.
“Personal data” means any piece of data that, used alone or with other data, can identify an individual.
If your business collects, changes, transmits, erases, or otherwise uses or stores the personal data of individuals in the EU, you will need to comply with the GDPR.
The GDPR has different requirements depending on how you handle customers’ personal data.
- “Data Controllers” are businesses that collect customer data and also decide how, when and why that customer data is processed.
- “Data Processors” are businesses that carry out the processing of customer data on behalf of a Data Controller.
Vero is both a Data Controller in our capacity as a marketer to our own customers, and a Data Processor as a business that helps other businesses process their customer data.
Vero’s commitment to GDPR compliance – as a Processor
In line with our commitment to GDPR compliance, we’ve been modifying many of our internal practices and policies to ensure we meet our requirements as a Data Processor on or before the deadline in May 2018.
This process has meant a thorough review of our technical and security practices, internal organizational systems and legal documentation, alongside a review of our own third-party Data Processors to ensure their compliance with the GDPR.
We’re also assessing the impact of the GDPR on our product features and considering if there are any further tools we can build to make implementation more practical for Vero customers who are subject to the GDPR.
Upcoming changes to support GDPR
Over the next two months we will be rolling out the following changes:
- Data Processing Agreement (DPA). We will release a new DPA that sets out our GDPR obligations to you as a customer, including provision for any transfer of data to storage outside the EU. The GDPR permits such transfers provided an appropriate safeguard is in place, for example standard contractual clauses, and the transfer is covered by the contract.
- Customer data export (“Right of portability”). We’ll be providing a way for you to export all data maintained in Vero for a single customer profile so that you can respond to requests from individual customers regarding their personal data.
Existing ways in which Vero supports GDPR
We currently offer the following product functions that help us fulfill our role as a Data Processor, and we are reviewing each to ensure we enable you to fully comply with the GDPR in your role as a Data Controller:
- “Delete” requests (“Right to be forgotten”). We already provide a /delete endpoint on our API. This endpoint removes the customer and all of their data from Vero’s systems. We will be extending this endpoint, or introducing a new one, to help ensure that any data sent against a deleted profile is dropped rather than re-tracked. Until then, keep your own record of deleted customers and check it before calling /identify or tracking an event, so that a later call from one of your systems does not silently recreate the profile.
- Updating customer data (“Right to rectification”). Calling Vero’s /identify API endpoint updates and overrides a customer’s user properties, enabling you to respond to customer requests to correct the data you hold about them.
- Event tracking. Vero’s events enable you to track very granular data about your customers. Ensuring that you track consent given by customers is critical under GDPR and our events will assist in this process. We’re reviewing how we can make changes that will enable you to make use of these events efficiently and effectively to support your GDPR compliance.
Vero’s commitment to GDPR compliance – as a Controller
As part of our GDPR compliance efforts, we are also ensuring we comply as a Data Controller. In particular, we are ensuring we comply with each of the following key areas:
- Right to be forgotten. You can request to delete your Vero account at any time, and we will ensure that all data about you and your account is deleted.
- Right to object and right of access. We will provide clear information on the ways in which we will use your data for product improvement and marketing, and ensure that we collect the correct consent where required, as well as provide you with mechanisms to opt-out of each type of processing we do. We will be reviewing the customer data we currently have for our customers and ensuring that any extra consent required is collected.
- Right to rectification. You can get in touch with us to have any of your account information updated at any time. Much of this information is already available for you to update via your account Settings.
- Right of portability. We will export your individual account data to a third party at any time upon your request.
A note on consent
Under the GDPR you must have a lawful basis for all processing of personal data. Consent is one of several such bases (others include performance of a contract and legitimate interests), but as a Data Controller using Vero, consent is likely to be the key basis for the marketing data you send us.
In order to be valid, this consent must be explicit (a clear affirmative action that is freely given, specific and informed) and verifiable (you must be able to demonstrate that it was given).
- Verifiable consent requires a documented record of how and when a customer agreed to let you process their data. Vero’s events record an action together with its timestamp, so a consent event can form the basis of this record. To make it useful later, include where the consent was collected and which version of the consent wording the customer saw, so that you can show not just that they agreed but what they agreed to.
- Explicit consent requires that each contact takes an action to consent to the processing. This means they must actively tick a box as part of their signup or subscription process, and the opt-in must be accompanied by a message that clearly, in plain language, states each purpose for which you will use the personal data you are collecting. Consent is given per purpose, so offer a separate box for each distinct use rather than one box covering everything. A pre-ticked box will not work, as the customer must opt in by taking an action. Examples of ways in which you are likely to use data when using Vero, and for which you will require consent, include:
- Transferring the user’s contact data to Vero
- Sending the user email messages using Vero
- Tracking behavioural interactions for email marketing purposes
If you rely on consent to process customers’ personal data, double check where and why your contacts shared their data with you to make sure that the consent you obtained meets the GDPR’s standards.
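As an added example (not Vero’s code and not a description of its API), here is how the consent record described above, and the dropping of data for deleted profiles mentioned under “Delete” requests, can be handled on the sending side: each opt-in becomes a timestamped consent event per purpose, a pre-ticked box is rejected, withdrawal is a later event for the purposes concerned, and a profile that has been deleted is suppressed so nothing is re-tracked. The event shapes, the send() transport, the “/events” and “/delete” paths and the purpose names are assumptions for illustration; the real endpoints and fields are in Vero’s API documentation.

```python
# Added example, not Vero's code: record explicit, verifiable consent as
# timestamped events on the sending side, honour withdrawal, and drop tracking
# for deleted profiles. The event shapes, the send() transport, the "/events"
# and "/delete" paths and the purpose names are assumptions for illustration;
# the real paths and fields are in Vero's API documentation.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set

# One name per use listed in the article (assumed names).
PURPOSES = {"transfer_to_vero", "email_via_vero", "behaviour_tracking"}

class ConsentError(ValueError):
    """The submission does not amount to explicit consent."""

@dataclass(frozen=True)
class ConsentSubmission:
    user_id: str
    email: str
    purposes_ticked: frozenset  # boxes the person actively ticked
    prechecked: bool            # were the boxes ticked by default?
    text_version: str           # identifies the plain-language notice shown
    source: str                 # where it happened, e.g. "signup_form"
    at: datetime                # timezone-aware, so the record is unambiguous

def validate_submission(sub: ConsentSubmission) -> None:
    """Reject anything that is not an affirmative, purpose-specific opt-in."""
    if sub.prechecked:
        raise ConsentError("pre-ticked box: the person took no action")
    if not sub.purposes_ticked:
        raise ConsentError("no purpose ticked")
    if sub.purposes_ticked - PURPOSES:
        raise ConsentError(f"unknown purposes: {sorted(sub.purposes_ticked - PURPOSES)}")
    if sub.at.tzinfo is None:
        raise ConsentError("timestamp must be timezone-aware")

def consent_event(sub: ConsentSubmission) -> Dict:
    """A 'consent_given' event carrying the evidence needed to verify it later."""
    validate_submission(sub)
    return {"identity": {"id": sub.user_id, "email": sub.email},
            "event_name": "consent_given",
            "data": {"purposes": sorted(sub.purposes_ticked), "source": sub.source,
                     "text_version": sub.text_version, "at": sub.at.isoformat()}}

def withdrawal_event(user_id: str, purposes: Set[str], at: datetime) -> Dict:
    """A 'consent_withdrawn' event for one or more purposes."""
    return {"identity": {"id": user_id}, "event_name": "consent_withdrawn",
            "data": {"purposes": sorted(purposes), "at": at.isoformat()}}

class ConsentLedger:
    """Local copy of consent events plus a suppression set of deleted profiles."""

    def __init__(self, send: Callable[[str, Dict], None]):
        self._send = send              # transport stand-in for the HTTP API
        self._events: List[Dict] = []
        self._deleted: Set[str] = set()

    def track(self, path: str, payload: Dict) -> bool:
        """Send unless the profile was deleted; return whether it was sent."""
        if payload["identity"]["id"] in self._deleted:
            return False               # dropped, never re-tracked
        self._send(path, payload)
        if path == "/events":
            self._events.append(payload)
        return True

    def delete(self, user_id: str) -> None:
        """Right to be forgotten: delete remotely, forget locally, suppress."""
        self._send("/delete", {"id": user_id})
        self._deleted.add(user_id)
        self._events = [e for e in self._events if e["identity"]["id"] != user_id]

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """The latest event naming this purpose decides; no event means no."""
        hits = sorted((e for e in self._events if e["identity"]["id"] == user_id
                       and purpose in e["data"]["purposes"]),
                      key=lambda e: e["data"]["at"])
        return bool(hits) and hits[-1]["event_name"] == "consent_given"

def demo() -> Dict[str, bool]:
    """Signup, partial withdrawal, a rejected pre-ticked form, then deletion."""
    sent: List = []                    # constructed stand-in for the network
    ledger = ConsentLedger(lambda path, payload: sent.append((path, payload)))
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    alice = ConsentSubmission("u1", "alice@example.com",
                              frozenset({"transfer_to_vero", "email_via_vero"}),
                              False, "privacy-2018-02", "signup_form", t0)
    ledger.track("/events", consent_event(alice))
    ledger.track("/events", withdrawal_event("u1", {"email_via_vero"}, t0.replace(day=10)))
    out = {"alice_transfer": ledger.has_consent("u1", "transfer_to_vero"),
           "alice_email": ledger.has_consent("u1", "email_via_vero")}
    try:                               # a pre-ticked box must be rejected
        consent_event(ConsentSubmission("u2", "bob@example.com", frozenset(PURPOSES),
                                        True, "privacy-2018-02", "signup_form", t0))
        out["bob_rejected"] = False
    except ConsentError:
        out["bob_rejected"] = True
    ledger.delete("u1")
    out["tracked_after_delete"] = ledger.track("/events", consent_event(alice))
    out["delete_sent"] = any(path == "/delete" for path, _ in sent)
    return out
```

Calling demo() walks through the whole lifecycle with a constructed in-memory transport in place of the network. Two design points carry over to a real integration: the text_version field is what lets you later show which wording the person agreed to, and the timezone check exists because a naive timestamp is not a usable record of when consent was given.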
How you can prepare yourself for the GDPR
The first step is to educate yourself on the provisions of the GDPR to understand how they may differ from your current obligations and practices. The best way to do this is to read the GDPR itself: the full text is Regulation (EU) 2016/679, published on the EU’s official law portal (EUR-Lex). You can also get details and updates directly from the European Commission website.
Another good place to start is to create an up-to-date inventory of personal data that you collect and manage about your customers and where this data is stored, including all third party data processors, such as Vero. Having an understanding of the data you are sending Vero will enable you to ensure that you have consent for the data in question. Remember that historical data also needs to meet the requirements of the GDPR.
You will want to determine if your company needs to appoint a Data Protection Officer (DPO) and likely work with a consultant or outside legal representative who is familiar with GDPR and can assist you in your compliance journey.
Note this article provides a resource and does not constitute legal advice: we encourage you to speak to a legal practitioner with the right expertise to learn how GDPR may affect your organization.