What is GDPR?

The General Data Protection Regulation (GDPR) is a new privacy regulation enacted by the European Union (EU) to protect its member country citizens’ right to privacy and control over their personal data in the digital world.

The way we use the internet has changed dramatically since the first privacy laws were created in the 90s. It’s the EU’s hypothesis that by allowing citizens more control over their digital footprint, they will have more trust in online business, therefore increasing their likelihood of conducting business with them and thereby increasing the digital economy.

The regulation will go into effect May 25, 2018, and the potential financial penalties for failure to comply are steep!

The following is a very high-level overview of need-to-know information. The actual legislation is quite dense! If you’re interested in going straight to the source you can do so here.

Why does GDPR matter?

First, it matters because it affects far more of us than you probably realize. The safest assumption to make is that GDPR will affect you in one way or another. It touches anyone who works for a company established in the EU, sells to people within the EU, or monitors the actions of citizens of the EU regardless of where your headquarters is or where you’re emailing from.

It also matters because the cost of failing to prepare is huge. The highest amount a single company could pay is 4% of its global annual turnover or 20 million euros, whichever is higher. A lower tier of fines applies to less serious violations and works out to 2% of global turnover or 10 million euros.

How does GDPR specifically relate to sales?

A key element of the GDPR that can cause business friction is the weight of the consent required from individuals. Specifically, in order to collect and handle (i.e., to “process”) the personal data of Europeans, marketers and services like ours must have a “legal basis.” Two common legal bases are (a) consent of the data subject, and (b) a “legitimate interest” in using the data that is not outweighed by fundamental “rights and freedoms,” taking into account data subjects’ “reasonable expectations” of how the data may be used. The GDPR cites “direct marketing” as an example of a likely “legitimate interest.”

Many legal commentators have noted that the GDPR leaves many questions unanswered and, potentially, for courts to resolve in the years to come. Based on the best legal interpretations as of today, we (and many others) believe that under this balancing test, most B2B marketing (newsletters, etc.) and most direct marketing is protected as a “legitimate interest” if executed in a thoughtful way. On the other hand, campaigns that are not targeted in a way that is likely to be useful to someone given their industry or position may not fit a “legitimate interest.” It will, therefore, be more important than ever for B2B marketers to use data wisely and tailor campaigns and marketing to be relevant.

These elements are also only relevant for prospects located in the EU, so no need to worry about any of these regulations if you’re emailing anyone outside the GDPR’s jurisdiction.

How is Apollo preparing for GDPR?

Our team has been working hard to ensure that we remain in compliance for both our benefit as well as that of our customers. Our product is more complex in the way that it handles data than most, so our compliance is similarly complicated.

We are willing to sign, and have already signed, Data Processing Agreements (DPAs) for any customers that need them. The agreements help users control what we do with their data and give them the freedom to access and/or remove their data from our system if they so desire, among other rights.

Much of maintaining GDPR compliance as a vendor involves how we secure our data. In order to maintain a high bar of security we have already completed the following:

  • Apollo has achieved a SOC 2 Type I accreditation report. The SOC 2 evaluates the Apollo controls that are relevant to data security, availability, and confidentiality. To gain this accreditation, we completed an evaluation of the effectiveness of our controls and their ability to maintain security, availability, and confidentiality over a predetermined span of time.
  • Apollo has implemented advanced data controls, which include the encryption of all user data, designed to protect our customers’ data from a leak and malicious intent. Our team regularly tests our product to fix any potential problems and maintains the industry’s highest standards in information security.
  • Apollo has built and follows data incident response processes. These processes are tested each year for continued effectiveness.
  • Apollo also has processes built out to support data recovery and integrity, to help any customers whose data is lost or unintentionally corrupted.
  • Apollo has systems in place to protect every customer’s right to their own data footprint in our platform.
  • Apollo’s key data sub-processors, such as Amazon Web Services (AWS) and Google Cloud Platform, all have achieved similarly high-level security standards (SOC 2 and/or ISO 27001 certifications, where possible), and have undergone rigorous security evaluations.

GDPR lays out different requirements for “Processors” and “Controllers” of data. In our case, we operate as both since we help our users acquire data (“Controller”) and communicate with prospects (“Processor”).

Here’s how we’re preparing as “Controllers” to help our users stay in compliance:

As it stands, we are fully prepared to be in compliance as data “Controllers” by the standards within the GDPR. On our side, we will be managing the data we collect to ensure it’s in compliance. We also view it as our responsibility to educate everyone who uses our data to keep them informed and prepared to use our data in a way that similarly keeps them in compliance.

Come May 25th, our users will see the option of excluding citizens of member countries within the EU to help protect themselves against accidentally emailing someone they shouldn’t. Users will be able to relax knowing that they won’t have to comb through lists of prospects to double check their own compliance while prospecting.

Our users that sell or market to EU citizens must be transparent about their intentions for any personal data they collect and must have consent from individuals before sending them any information. If they do send any form of communication, they must also provide a way for people to opt out of future messages. If our data users are also using us as their sales engagement platform, they will have the ability to include opt-out links within their emails.

That said, we will have the ability to enrich data pertaining to citizens of the EU should our users already possess their contact information. For example, if a user has the email address and name of an individual working for L’Oréal Paris, we have the ability to enrich title and company information.

As data “Controllers”, we will maintain our own compliance and aid all users with their own compliance, but we highly recommend that all of our customers familiarize themselves with the regulations and seek out additional support from privacy advisors if any questions are still lingering!

Here’s how we’re preparing as “Processors” to help our users stay in compliance:

Beyond the precautions and measures we have already laid out, we have completed the following actions to maintain compliance as data “Processors”:

  • Working with our legal counsel (and, when requested, those of our customers) to ensure full preparation and compliance.
  • Evaluating every use case within our platform to help back up every decision we make should it come under legal question.
  • Crafting internal workflows to quickly and thoroughly complete data subject requests.
  • Conducting an in-depth review of all requirements and implications for data processors, and of where we may be a joint controller.
  • Updating all contact information and notices so data subjects and controllers (customers) may contact us if necessary.
  • Obtaining all resources necessary for the ongoing compliance requirements and documentation necessitated by GDPR.
  • Updating and maintaining data security standards and workflows to meet all requirements necessitated by GDPR.
  • Evaluating all customer contracts where necessary to ensure we’ve laid out a path to legal compliance for them to the best of our ability, and to clearly detail our own responsibilities to avoid any possible confusion that could result in a penalty.

Apollo will maintain a close eye on the Article 29 Working Party (the group that will be replaced by the European Data Protection Board [EDPB]) to make sure we’re aware of any new changes before May 25th. We are aware that laws and regulations could continue to change even after the effective date so we will be working to continuously maintain compliance and to help our customers do the same.

When in doubt, your best course of action is to talk to attorneys well-versed in the space or to a data protection officer. For all Apollo-related questions, we’re more than happy to help!
