4 minute read

GDPR Basics: What to Know and How SmarterHQ Complies

With the EU’s new General Data Protection Regulation (GDPR) deadline fast approaching, many of our partners and clients are interested in SmarterHQ's perspective on GDPR and how we will comply with its requirements.

Below is a high-level (and hopefully helpful!) guide on GDPR, how it affects SmarterHQ, and the careful steps we take to protect personal data:

What Is GDPR? 

GDPR is a new regulation in EU law that protects any identified or identifiable natural person (a “data subject”) who resides in or is a citizen of a nation within the European Union. In the past, many countries within the EU created consumer data protection directives that promote the goals of fair use of personal data. On May 25, 2018, these will be replaced with the stronger GDPR laws.

Companies who collect and process personal data of data subjects who fall under GDPR regulations must comply with its provisions regardless of where the company is located. This includes SmarterHQ. As a result, we’ve worked with our clients to develop a plan to comply with GDPR regulations.

What Has SmarterHQ Done to Meet GDPR Compliance?

According to Article 4 of GDPR, there are two principle roles for protecting data: Controllers and Processors. Controllers determine the means of processing the personal data, whereas Processors process personal data on behalf of the Controller. In the normal course of business, SmarterHQ is a Processor of data. To this end, we’ve implemented appropriate technical and organizational measures to fully meet the requirements of GDPR, protecting the rights of data subjects.  

SmarterHQ enforces the several principles that underpin data protection rights, responsibilities, and requirements enumerated in GDPR, including:

Transparency: Organizations must always process personal data lawfully, fairly, and in a transparent manner. Transparency means Controllers and Processors must communicate to data subjects how their personal data is being processed in plain language that is easily understood.

Limitation: Organizations can collect personal data required to perform the services for which the organization is hired. They cannot collect or process personal data unnecessarily or in a manner incompatible with the expressed purpose of the organization. SmarterHQ uses limited amounts of personal data and only for the purpose determined by the Controller.

Accuracy: Personal data must be accurate and up-to-date. Data subjects have the right to examine the personal data an organization stores and correct it when it is in error. SmarterHQ will provide this at the request of the Controller.

Erasure:  Personal data must be kept only for as long as it’s needed to fulfill the original purpose of collection. Data subjects also have the right “to be forgotten”, whereby their personal data is erased from databases housed by the collector or Processor. We’ve developed processes to erase personal data from its databases to comply with erasure requirements when requested by the Controller.

Security: Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized access or processing, accidental disclosure, loss, or alteration.

What Personal Data Do We Collect Under GDPR?

SmarterHQ collects or is provided by the Controller a limited amount of personal data. This data includes—but is not necessarily limited to—email address, name, IP address, language of choice, and IDs created by the Controller (such as CRM ID, Subscriber ID, or Loyalty ID). Moreover, we do not collect directly or indirectly the special categories of data specified under GDPR Article 8, including: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sexual orientation.

How Does SmarterHQ Protect Personal Data?

While GDPR only applies to residents and citizens of the EU, SmarterHQ already upholds very strong data processing standards to protect any Personal Data or PII regardless of where individuals reside.

1. We only collect data with the permission of clients for whom we provide services. The personal data contained in the data we collect either comes from the Controller directly, or is collected from the Controller’s website with their permission and supervision.

2. We process data securely. All data collected and processed by SmarterHQ is encrypted in transit and at rest, or, in other words, all data we collect is fully encrypted throughout the life of the data as stored or processed by SmarterHQ.

3. We’re in the process of gaining SOC 2, Type II certification. Companies who have achieved this certification, the most comprehensive within the Systems & Organization Controls protocol, prove their system is designed to keep clients’ sensitive data secure.

4. All personnel at SmarterHQ undergo regular security and privacy training to ensure all employees treat personal data properly and securely.

SmarterHQ does not employ services of other companies or consultants as sub-processors of personal data we collect or are provided. We take our role in lawfully and purposefully protecting personal data, transparency with our clients and data subjects, and full compliance with GDPR very seriously.

Want to Know More About GDPR?

The official GDPR document can be found at https://bit.ly/GDPRInformation. This infographic gives an easy-to-digest summary of GDPR compliance and what this means for data collection, and this law is also listed among our email best practices to adopt in 2018.

If you're a client of SmarterHQ, feel free to reach out to your Client Success Director with further questions—we have an in-depth FAQ on the subject that our team can take you through.