What is GDPR?
The General Data Protection Regulation (GDPR) is a privacy regulation enacted by the European Union (EU) to protect the right to privacy of people in the EU and to give them control over their personal data in the digital world. Note that the regulation protects anyone located in the EU, not only EU citizens.
The way we use the internet has changed dramatically since the first EU privacy laws were written in the 1990s. The EU’s hypothesis is that by giving individuals more control over their digital footprint, they will have more trust in online businesses, which makes them more likely to do business with those companies and thereby grows the digital economy.
The regulation went into effect May 25, 2018, and the potential financial penalties for failure to comply are steep!
The following is a very high-level overview of need-to-know information. The actual legislation is quite dense! If you’re interested in going straight to the source, the full text of the regulation is freely available from the EU’s official journal.
Why does GDPR matter?
First, it matters because it affects far more of us than you probably realize. The safest assumption is that GDPR will affect you in one way or another. It applies to any organization established in the EU, and to any organization anywhere in the world that offers goods or services to people in the EU or monitors their behavior, regardless of where your headquarters is or where you’re emailing from.
It also matters because the cost of failing to prepare is huge. The highest amount a single company could pay is 4% of its global annual turnover or 20 million euros, whichever is higher. A lower tier of fines applies to less serious infringements: 2% of global annual turnover or 10 million euros, again whichever is higher.
Use this glossary to help make sense of the language around GDPR in the sections below:
- Consent - One legal basis for processing: a freely given, specific, informed and unambiguous indication that the data subject agrees to the processing. Consent can be withdrawn at any time. If contact information was obtained from a third party, the data subject must be told the source of the data, at the latest at the first contact with them.
- Cross-Border Data Transfer - Sending personal data outside EU/EEA borders. Such transfers require a recognized safeguard, such as an adequacy decision or standard contractual clauses.
- Data Controller - The party that determines the purposes and means of processing personal data. Apollo customers are controllers of the data they collect and use in the platform, and Apollo itself is a controller of the data it collects.
- Data Portability - A Data Subject’s right to receive their own personal data from the controller in a structured, commonly used, machine-readable format.
- Data Processor - A party that processes personal data on behalf of a controller and only on the controller’s documented instructions. Apollo acts as a processor when it handles data on behalf of its customers.
- Data Subject - An identified or identifiable natural person located in the EU whose personal data has been collected. GDPR protection does not depend on EU citizenship.
- Data Subject Rights - Rights strengthened or introduced by the GDPR include the right to erasure (the right to be forgotten), the right to data portability, and the right to object to processing, including profiling.
- GDPR Articles - The GDPR consists of two parts, the Recitals and the Articles. The Articles contain the binding legal text and the Privacy Management Activities (PMAs) required for compliance; the Recitals explain the intent behind the Articles and are used to interpret them.
- Personal Data - Any information relating to an identified or identifiable natural person. Personal data in Apollo typically includes name, company address, company phone number, email address, and IP address.
- Privacy by Design and Default - Companies have an obligation to keep data privacy in mind throughout the design process and to build appropriate privacy controls, enabled by default, into all new features.
How does GDPR specifically relate to sales?
A key element of the GDPR that can cause business friction is the gravity of consent that is required from individuals. Specifically, in order to collect and handle, i.e., to “process”, personal data of people in the EU, marketers and services like ours must have a “legal basis.” Two common legal bases are (a) consent of the data subject, and (b) a “legitimate interest” in using the data that is not outweighed by the data subject’s fundamental “rights and freedoms,” taking into account the data subject’s “reasonable expectations” of how the data may be used. The GDPR (Recital 47) cites “direct marketing” as an example of processing that may be carried out for a “legitimate interest.”
Many legal commentators have noted that the GDPR leaves many questions unanswered and, potentially, for courts to resolve in the years to come. Based on the best legal interpretations as of today, we (and many others) believe that under this balancing test, most B2B marketing (newsletters, etc.) and most direct marketing is protected as a “legitimate interest” if executed in a thoughtful way. On the other hand, campaigns that are not targeted in a way that is likely to be useful to someone given their industry or position may not fit a “legitimate interest.” It will, therefore, be more important than ever for B2B marketers to use data wisely and tailor campaigns and marketing to be relevant. Relying on legitimate interest does not remove the data subject’s rights: under Article 21 a person can object to direct marketing at any time, and that objection must be honored without exception, and the balancing test itself should be documented so it can be shown to a regulator.
These obligations apply to prospects located in the EU. A company with no establishment in the EU therefore does not need to apply them when emailing people outside the GDPR’s jurisdiction, although those prospects may be covered by their own country’s marketing and privacy laws. A company established in the EU, as noted above, is subject to the GDPR for all of its processing, wherever the prospect is located.
How is Apollo preparing for GDPR?
Our team has been working hard to ensure that we remain in compliance, for our own benefit as well as that of our customers. Our product is more complex in the way it handles data than most, so our compliance work is similarly complicated.
Much of maintaining GDPR compliance as a vendor involves how we secure our data. In order to maintain a high bar of security we have already completed the following:
- Apollo has obtained a SOC 2 Type I attestation report. The SOC 2 evaluates Apollo’s controls that are relevant to data security, availability, and confidentiality. A Type I report assesses whether those controls are suitably designed as of a point in time; a Type II report additionally tests their operating effectiveness over a period of several months.
- Apollo has implemented data security controls, including encryption of all user data, designed to protect our customers’ data from leaks and malicious actors. Our team regularly tests our product to find and fix potential problems and holds itself to high standards of information security.
- Apollo has built and follows data incident response processes. These processes are tested each year for continued effectiveness.
- Apollo also has processes in place for data recovery and integrity to help any customer whose data is lost or unintentionally corrupted.
- Apollo has systems in place to protect every customer’s right to their own data footprint in our platform.
- Apollo’s key data sub-processors, such as Amazon Web Services (AWS) and Google Cloud Platform, have all achieved similar security standards (SOC 2 reports and/or ISO 27001 certification, where applicable) and have undergone rigorous security evaluations.
GDPR lays out different requirements for “Processors” and “Controllers” of data. In our case, we operate as both: we are a controller of the data we collect and provide to our users, and a processor when we handle our users’ own data and their communications with prospects on their behalf.
Here’s how we’re preparing as “Controllers” to help our users stay in compliance:
As it stands, we are fully prepared to be in compliance as a data “Controller” by the standards within the GDPR. On our side, we will be managing the data we collect to ensure it is in compliance. We also view it as our responsibility to educate everyone who uses our data so that they are informed and prepared to use it in a way that keeps them in compliance as well.
Starting May 25th, our users will see an option to exclude prospects located in the EU, to help protect themselves against accidentally emailing someone they shouldn’t. Users can then prospect without having to comb through lists to double-check their own compliance.
Users that sell or market to people in the EU must be transparent about what they intend to do with any personal data they collect, and must have a legal basis (consent, or a documented legitimate interest as discussed above) before sending them any information. Every communication they send must also give the recipient a way to opt out of future messages, and that opt-out must be honored. If our data users are also using us as their sales engagement platform, they will have the ability to include opt-out links within their emails.
We will still have the ability to enrich data for people in the EU when our users already possess their contact information. For example, if a user has the email address and name of an individual working for L’Oréal Paris, we can enrich title and company information. This ability, however, is only appropriate if the enrichment is for the purpose of data hygiene and cleanliness, or if you have a good-faith reason to believe that the recipient has a demonstrated interest in receiving the information or offer, such as information that would help them perform their job.
As a data “Controller”, we will maintain our own compliance and aid users with theirs, but we highly recommend that all of our customers familiarize themselves with the regulation and seek additional support from privacy advisors if any questions are still lingering!
Here’s how we’re preparing as “Processors” to help our users stay in compliance:
Beyond the precautions and measures we have already laid out, we have completed the following actions to maintain compliance as data “Processors”:
- Working with our legal counsel (and, when requested, that of our customers) to ensure full preparation and compliance.
- Evaluating every use case within our platform so that we can back up every decision we make should it come under legal question.
- Crafting internal workflows to quickly and thoroughly complete data subject requests.
- Conducting an in-depth review of all requirements and their implications for data processors, and of where we may be a joint controller.
- Updating all contact information and notices so that data subjects and controllers (customers) can contact us if necessary.
- Obtaining all resources necessary for the ongoing compliance requirements and documentation necessitated by GDPR.
- Updating and maintaining data security standards and workflows to meet all requirements necessitated by GDPR.
- Evaluating all customer contracts where necessary to ensure we have laid out a path to legal compliance for them to the best of our ability, and to clearly detail our own responsibilities to avoid any confusion that could result in a penalty.
Apollo will keep a close eye on the Article 29 Working Party (which will be replaced by the European Data Protection Board [EDPB] on May 25th) to make sure we’re aware of any new guidance before the effective date. We are aware that laws, regulations and regulatory guidance will continue to evolve even after the effective date, so we will work to continuously maintain compliance and to help our customers do the same.
When in doubt, your best course of action is to talk to attorneys well-versed in the space or to a data protection officer (DPO). For all Apollo-related questions, we’re more than happy to help!