What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation enacted on May 25, 2018. It is designed to protect the privacy and rights of EU citizens, no matter where they are in the world. If you do business in Europe, or have any contacts in your FunnelMaker CRM that are EU/EEA citizens, the GDPR applies to you. This means people who are citizens of the EU, UK, Norway, Iceland, and Liechtenstein must have the protections outlined in the GDPR whenever their personal data is stored or handled by any company in the world.

Note: this page is a high level description and is not intended as legal advice or counsel. For your own protection, we recommend you retain a legal expert who can review your company processes and advise you the best course of action to maintain compliance with GDPR.

Who is affected by GDPR?

There are two types of organizations that must prepare for GDPR, data controllers (likely you, a FunnelMaker customer and user of our platform) and data processors (us, FunnelMaker, because we are processing the data you put into the FunnelMaker CRM). Since our networks store your client data, we must provide the tools and resources to help you meet your obligations under GDPR as a data controller.

GDPR affects the storage, transfer, and use of personal data as it related to an identifiable individual person. These individuals are also referred to as data subjects in the context of the GDPR.

How does FunnelMaker protect privacy?

From the very beginning we have made protecting your data our highest priority and have committed to always ensuring only you have access to your data. More information about this is available in our Privacy Policy, and we remain forever committed to protecting the data you trust us with.

Additionally, The FunnelMaker platform undergoes regular audits and security testing, to ensure our networks are secure. All connections you make to our networks are secured by SSL, using the latest encryption algorithms to ensure maximum protection for your data, both at rest and in transit.

What does GDPR mean for the rights of data subjects?

Your data subjects are the contacts in your CRM, and if they are EU citizens, they have certain rights related to the processing of their personal information given to them by GDPR. By “processing”, the regulation means collecting, storing, and using that personal information. These rights can be summarized in a few key points:

• The right to be informed. Data subjects have the right to know how their personal data is used. Your privacy policy should describe how you collect and use personal information. If you have an application, the terms of use of that application should include how personal information is stored and used.
• The right of access. If you are processing personal information, data subjects can ask you if and how you use their personal data. You have one month to respond, without charging the person for the information, to provide a description. FunnelMaker also provides a helpful contact data export feature to make it easy for you to send a summary of all data we have collected about that contact.
• The right of rectification. If a data subject sees something incorrect, they have the right to correct the data you have stored in your CRM. With FunnelMaker, this is easy, as you can modify any personal data you have on file. If you have shared this information with anyone else, you have to inform those third parties of the changes in that data. 
• The right to be forgotten. A data subject can request that their personal information be removed from your data storage. There are some limitations, such as keeping record of unsubscribed contacts, and matters of legal and national security, which may override the contact’s right to be forgotten. If you are not sure, consult a legal expert. 
• The right to restrict processing. A data subject can request that you limit the processing of their data. In practical terms, this generally means you can store the data, but you can’t actively engage with the person. Using FunnelMaker, we would suggest marking the contact as an unsubscriber and moving that person to a “Do Not Contact” group. 
• The right to data portability. A person can request data you store about them and use it elsewhere. 
• The right to reject automated decisions. A data subject can request that algorithms are not used to classify how they are treated. The most common example given for this is automated ways to determine if someone can get a loan (for example, by combining income and credit score). If an individual requests that the algorithm not be used as part of the decision-making process, you must abide by that request.

What is data minimization?

GDPR encourages companies to practice data minimization, which means only collecting the minimum amount of personal information about any individual to allow you as a company to do your job to serve the customer. This is a subjective assessment of the data you collect, so that companies don’t just try to collect as much information as they can about someone for the sake of just keeping that data.

What is data integrity and confidentiality?

GDPR requires all data controllers and processors to take all reasonable steps to protect any and all personal information. This means protecting data backups with encryption, always using encrypted connections when transferring data, and limiting access to data to only those who need it.

What is the minimum age for giving consent to process data?

GDPR sets a minimum of 16 years of age before an individual can provide content that a company can process that individual’s personal information. Some countries in the EU have lowered the age to 13, so be sure if you are asking younger people to provide information that you confirm their parents are providing the consent to do so.

What lawfully gives you the right to process data?

GDPR requires that for a business to process data about data subjects (individuals), you have to satisfy at least one of six requirements: a) consent, b) contract, c) legal obligation, d) vital interest, e) public interest, and f) legitimate interest. Be sure you assess this for every point of data you collect about the contacts in your CRM. If you do collect information about contacts without their consent, be sure you have a good reason, such as for fraud protection or identity confirmation, or as a necessity to execute your contract with your clients. Your company privacy policy should address all of these data points and requirement(s) that apply to each.

What happens if you don’t comply with GDPR?

Enforcement of GDPR is managed by the member nations, as they protect the rights of their citizens. The intent of the regulation is to have a dialogue with companies who are not complying, get them into compliance, and resolve issues quickly. The regulation does, however, include a fine for non-compliance of 20 million Euros or 4% of your company’s annual global revenue (whichever is greater).

What kind of data breach notification is required?

If there is a data breach, GDPR requires the company responsible for the breach to inform data protection authorities in the countries where affected citizens had their data leaked. This must be done as soon as possible, but no later than 72 hours after discovery of the breach. There may be a requirement to inform the individual data subjects, as well.

What should companies do to prepare for GDPR?

There are some steps that you and your team will want to do as part of preparing for GDPR and ensure you are in compliance.

• Review your existing methods of collecting, transferring, and storing data about the contacts in your database. Address any weak points, looking for ways that data could be leaked, stolen, or lost. Note that this should include any import/export you do of any data from different software platforms, as well as any APIs you currently use for transferring data to different services. 
• Make sure you have privacy notices and links to your privacy policy whenever you are collecting information from leads and contacts. If you are collecting information off-line, be sure there is adequate signage and explanation about how that data will be used. 
• If you don’t already have one, create a plan for what happens if there is a security or data breach. 
• Establish internal procedures if a data subject requests information about the personal information you have collected about them.
• If you are sharing data with third parties, be sure you know exactly who and exactly what data you are sharing. Be sure your privacy policy explains this and the reason for sharing your contacts’ personal data. 
• Institute a program for your entire team (employees, management, and C-level executives) so they understand what data you are collecting, why, and how you protect it.