GDPR is privacy legislation that came into effect in May 2018. The aim of the legislation is to give consumers control of their personal data and its use and collection by companies. The GDPR replaces the previous Data Protection Directive, both strengthening privacy rules and harmonizing them across the 28-nation EU bloc. Crucially, the GDPR applies not only to organizations located within the EU, but also to companies outside of the EU if they offer goods or services to, or monitor the behavior of, people in Europe.
At MarketStar, a B2B partner of many multinational corporations for more than 30 years, we take this new regulation very seriously and have partnered with DataGrail to manage privacy with our customers. In addition, we have taken great lengths to update our internal policies and practices, as well as those in regards to our clients.
MarketStar’s Ongoing GDPR Activities
- Data Mapping: A full evaluation of how all data we collect is consented, used, stored, accessed and disposed of.
- Ongoing Security & Privacy Updates: Continually evaluating data security in regards to data privacy obligations and implementing appropriate security protocols.
- Policy Updates: Full review of our internal policies, standards, procedures, and documentation; and updating them as needed.
- Contract Obligations Updates: Reviewing and updating our contractual commitments to address GDPR requirements. Ensuring our contracts with all third parties that collect, receive or process personal data include the necessary legal clauses to allow for the data transfers outside of the EU. Additionally we have implemented policies to ensure any third parties can provide the required level of security and privacy.
- Data Export Certification Updates: Continuing our certification under the EU-US Privacy Shield Framework to legally transfer data from the EU to the rest of the world under applicable law.
- Client Education: MarketStar has been proactive in educating our clients on how we fit into their GDPR plans and operating procedures.
Processor vs Controller
A data controller determines the purposes and means of processing the data. Essentially, this is the group that determines the “how and why” of the data processing. On the other hand, a processor doesn’t process the data for its own purposes, and makes no decisions regarding the purposes and means of processing. MarketStar is involved with client data in multiple contexts, and can be either a processor or a controller depending on our relationship with our customer. Typically, the client is a data controller and MarketStar is a processor.
As a third party vendor with respect to personal data that resides with our clients, there are two scenarios.
In scenario one, MarketStar uses the Client system for data collection. We follow direction from the DPA (Data Processing Agreement) as to how to gain consent for data collection and inform the Client of any requests.
In scenario two, MarketStar uses our instance of Salesforce or Performance Dynamics for data collection. We follow direction from the DPA as to how the Client wants any GDPR personal data requests handled. MarketStar tracks and manages the request and removal as applicable.
In both cases, consumers have the right to obtain confirmation that their data is being collected, and we will work with the client when the consumer requests any of the following:
- Right to access a copy of their data
- Right to erasure of their data
- Right to correct inaccuracies
- Right to restrict processing (how are we using it)
For more information on the distinctions, Gunderson Dettmer (the leading legal firm for software companies) provide a short video here.
Requests for Data – Timelines and Systems
The GDPR requires that we service requests “without undue delay,” and, in any case, within 30 days. When MarketStar receives a request, we track and process it with DataGrail. DataGrail federates requests to all MarketStar processors, as well as third party systems used by the Client.
Identity Confirmation and Fraudulent Requests
We have to confirm the identity of the requestor when they are exercising their GPDR rights with respect to their personal data. This will typically be an email account ownership test. If the request arrives via email, it will be considered to have confirmed ownership. If This is performed at Client direction if we are using our instance of a database and we have to track the confirmation of identity. If we are on the Client’s system we are send them the request within a set number of days.
Employee and Team Training Requirements
All employees who have the potential of an engagement in the EU have to take data security training and GDPR training. This is in addition to whatever the client may have our employees take in the way of training. All teams that are engaged in the EU have to undergo a self-audit of specific security and privacy requirements and report this to the Director of Security and Compliance on a regular scheduled basis.
As we press on into this new era of security and privacy compliance, we are thrilled to have DataGrail as a partner. Our firms provide a complimentary offering, integrating DataGrail's Privacy as a Service platform with our own track record of providing augmented sales solutions. The collaboration represents a strong commitment to personal data privacy for both companies, and an important step in scaling the DataGrail platform.