On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. GDPR is a framework that sets guidelines for the collection and processing of personal information of individuals within the European Union. BuzzStream is committed to meeting the requirements set forth in the GDPR framework and to helping our customers meet their security and privacy requirements.
This document outlines the processes, controls and certifications that BuzzStream has put in place to meet our GDPR obligations. It also sets out the data-protection roles (controller and processor) that apply when you use BuzzStream.
BuzzStream as the data processor
The journalists, authors and website owners you store in your BuzzStream account (in the Websites and People tabs) are your data subjects, and you are the data controller for that personal data. When you use BuzzStream to research contacts, manage your relationships and conduct outreach, BuzzStream acts as the processor for the data you submit to the service.
BuzzStream as the data controller
For the data we collect about our customers, BuzzStream acts as the data controller. This includes data that we need in order to perform our contract with you, as well as data we need to meet our legal obligations (GDPR Article 6(1)(c)). Additionally, we process your personal data to improve the app, to keep your data secure, and to notify you of changes to our product.
BuzzStream’s GDPR readiness efforts
Privacy Shield and data transfer
BuzzStream has certified the services for which we act as a data processor under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Our certification reflects our commitment to complying with the requirements for the collection, use and retention of personal information set down by the U.S. Department of Commerce. BuzzStream’s certification demonstrates our commitment to the seven principles of the framework:
- Notice
- Choice
- Accountability for Onward Transfer
- Security
- Data Integrity and Purpose Limitation
- Access
- Recourse, Enforcement and Liability
BuzzStream is committed to ensuring the security and privacy of our customers’ data. To do this, we have taken a number of steps, including:
- Encryption of customer data in transit.
- Encryption of customer-supplied email passwords at rest.
- Isolation of internal infrastructure using strict firewalls and network access lists. Each system is assigned to a firewall security group according to its function. By default all access is denied, and only explicitly allowed ports are exposed.
- Access to both our production and staging systems is limited to BuzzStream employees who need that access to do their jobs.
- Procedures to ensure data recovery and data integrity.
- Use of data sub-processors that maintain rigorous security standards (e.g. Amazon Web Services). Amazon’s data centers provide 24/7 physical security, state-of-the-art fire suppression, redundant utilities and biometric access controls to keep our customers’ data safe and secure.
Resources for BuzzStream customers
BuzzStream is committed to working with you to help you understand your GDPR obligations and to help you meet them.
BuzzStream’s Data Processing Addendum (DPA)
If your company is subject to GDPR, BuzzStream can provide you with our latest DPA. Just email us at firstname.lastname@example.org.
Tools to assist with compliance
BuzzStream offers a number of tools to help you maintain compliance with the GDPR.
Amending, Deleting, or Sharing Data
First, you will always have full control over contact data.
You can amend or delete data directly within the BuzzStream app.
If a contact makes a lawful request for access to their data, you can export that data directly from the app to share with them.
BuzzStream allows you to add an unsubscribe option to any of the emails you send. Although it may not be required in every outreach context, we strongly recommend providing this option; it also reduces the chance of being reported for unsolicited outreach.
BuzzStream gives you complete control over the types of outreach data you track. You can turn open and click tracking on or off from anywhere you send outreach.
How GDPR Affects Data Processing for Outreach
The important thing to remember is that the GDPR is primarily concerned with handling data ethically and according to the intended purpose.
Because in most cases your contacts will not have explicitly given consent (for example, because you found relevant bloggers through a Google search), the part of the GDPR most relevant to outreach is Article 6(1)(f), which states:
- Processing shall be lawful only if and to the extent that at least one of the following applies:
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The legitimate interests basis is the subject of some debate, as it is one of the vaguer components of the legislation. However, Recital 47 clarifies that collecting information for legitimate and relevant outreach can be acceptable, provided the contact’s interests and reasonable expectations do not override yours.
Recital 47 states:
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
According to the ICO (the UK’s independent authority for upholding information rights), the “at a glance” summary of legitimate interests is as follows:
- Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
- It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
- If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
- Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
- There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
- The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
- You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
- Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
- You must include details of your legitimate interests in your privacy information.
For now, it is important to discuss within your organization whether the types of outreach you send meet the criteria the GDPR sets for contacts in the EU. There is no one-size-fits-all approach.
Data Storage for Outreach
One of the other big questions around GDPR as it relates to outreach falls under the data storage criteria set forth in the regulation.
Again, there’s a lot of grey area surrounding the requirements around data storage. Effectively, you should keep data only so long as it is appropriate for you as an organization. Based on a fairly in-depth overview of the policy (also from ICO):
Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be based on individual business needs. A judgement must be made about:
- the current and future value of the information;
- the costs, risks and liabilities associated with retaining the information;
- the ease or difficulty of making sure it remains accurate and up to date.
Where personal data is held for more than one purpose, there is no need to delete the data while it is still needed for any of those purposes. However, personal data should not be kept indefinitely “just in case”, or if there is only a small possibility that it will be used.
If you know that a campaign will be a one-off where you will almost certainly not be reaching out to those contacts again and have completed all reporting on said campaign, it may be prudent to remove those contacts from your database after a period of time defined by your organization. Again, there is no firm regulation around “appropriate time periods” as of now, so you’ll need to determine the right time constraints around the storage of contact data for your organization.