GDPR-Compliance

GDPR (General Data Protection Regulation) is applicable from May 25, 2018.

SalesHandy is committed to putting in place all required changes in the app, on the website, and on the blog in relation to it. We have presented below, what SalesHandy will do to comply with the regulation, and what users of SalesHandy should know about GDPR.

Contents:

• What are the actions that SalesHandy is taking to comply with GDPR?
• Role of SalesHandy in data protection?
• What is GDPR?
• Why is there a need for GDPR?
• Kinds of information under protection?
• What does ‘processing’ mean?
• Lawful basis for data processing?
  • Lawfulness, fairness, and transparency
  • Adequacy, relevance, limitedness
    • How SalesHandy users can change or remove their personal data?
    • How we apply GDPR to cold email campaigns
  • Accuracy
  • Storage limitation, Integrity and confidentiality
• Features Development to comply with GDPR (Status & Roadmap)

1. What are the actions that SalesHandy is taking to comply with GDPR?

SalesHandy is dedicated to meet all the GDPR requirements and is committed towards protecting the privacy concerns of our app users, website and blog visitors, as well as email lists subscribers.

Below is a list of actionables that we would be doing before the regulation comes into effect:

• Familiarize ourselves with the full text of the regulation (COMPLETED)
• Refer legal communities that cover GDPR related topics  (COMPLETED)
• Nominate Data Protection Officer: We’ve nominated Utsav Patel, Product Analyst for the role (COMPLETED)
• Make necessary changes to our Privacy Policy and Terms of Service documents (COMPLETED)
• Make a list of all the in-app areas that need to be managed and organized to comply with the regulation (COMPLETED) 
• Update necessary changes in the app to ensure that all users can comply with GDPR when sending emails from SalesHandy (COMPLETED)
• Make a list of all the areas on the website and blog that need to be updated to get in-line with the regulation (COMPLETED)
• Execute changes on the website and blog to make sure they are in-line with the GDPR rules (COMPLETED)
• Implement pseudonymization to protect the users’ data which do not have a compulsion to be kept in its original form (COMPLETED)
• Ensure protection of personal data of SalesHandy users and email lists subscribers (COMPLETED)
• Create a standard Data Breach Response plan (COMPLETED)
• Update the users about GDPR in relation to email outreach (COMPLETED)

2. Role of SalesHandy in data protection?

SalesHandy is defined as:

1) data administrator in relation to SalesHandy users and email lists subscribers;

2) data processor in relation to the data owners whose personal data is uploaded to SalesHandy and used in emails sent from SalesHandy by its users.

It implies that as a company, we superintend a couple of matters:

• SalesHandy needs to update its users and email lists subscribers whenever a third party takes part in processing their personal data.
• SalesHandy is liable to immediately inform the data administrator (the user) in case someone from the user’s prospect list, contacts SalesHandy to stop the outreach.
• SalesHandy permits the ‘right to be forgotten’ and the ‘right to assist in data deletion’ on a special request. As SalesHandy user or email list subscriber, you may request your personal data change or deletion. The detailed instruction on how to exercise those rights can be found below in the section Adequacy, relevance, limitedness of the GDPR Compliance.
• SalesHandy will address any violation of GDPR reported at support[at]saleshandy[dot]com.

3. What is GDPR?

The General Data Protection Act (GDPR) is being introduced by the European Union to regulate how personal data can be processed. Its goal is to ensure data protection of the people who live in the EU.

4. Why is there a need for GDPR?

EU data protection rules have not been changed over last two decades. There are two main reasons why the EU legislative branch decided to upgrade the existing regulations.

• The reach of technology is global in today’s era – personal data processing is present everywhere in today’s digital world making existing regulation outdated;
• According to a survey taken by Eurobarometer in 2011, 75% of people want to exercise their right to be forgotten. 90% believe that it’s necessary to standardize the rights related to personal data protection (source).

5. Kinds of information under protection?

The scope of GDPR covers natural persons and their rights. It excludes business entities or organizations and processing of their data.

It protects processing of below mentioned personal data:

• Name
• Age
• Address
• Phone number
• Also indirect identifiers including physiological, mental, physical, genetic, economic, cultural and social identity.

Hence, it protects any information using which one can identify the individual.

6. What does ‘processing’ mean?

‘Processing’ relates to personal data “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,” as in Article 4 (2) of the regulation.

7. Lawful basis for data processing

Processing personal data, in compliance with GDPR, requires one to follow the principles below:

• Lawfulness
• Fairness
• Transparency
• Adequacy
• Relevance
• Limitedness
• Accuracy
• Storage
• Limitation
• Integrity
• Confidentiality.

Here is how SalesHandy falls in line with these principles and what all you should know to use SalesHandy in accordance with GDPR.

7.1 Lawfulness, fairness, and transparency

Being a Data Processor, SalesHandy remains clear and fair when processing data of its subscribers and users. On completing the signup process, every SalesHandy user and subscriber receives notification that the personal data they provide will be processed in ways specified by Terms of Service and Privacy Policy.

As data administrator, users must ensure that their actions have a clear and legitimate purpose to it. It is a must to have a valid reason to process personal data of EU citizens. One should also be able to explain the entire process of collecting the required data.

7.2 Adequacy, relevance, limitedness

SalesHandy only processes the data necessary with respect to the purpose of the of the objective and does not collect any sensitive data such as gender, ethnic background, race, political views, etc.

A given user data is processed till the user has a SalesHandy account, or they report a request to avail their right to erasure, which initiates a process to removes their data from our user base.

SalesHandy processes its email subscribers’ list from the moment they submit their consent for it and is processed until a user requests to be removed from the same.

SalesHandy emailing lists include:

• Product Newsletter list,
• Blog Newsletter list,
• a few lists of people who subscribed to specific pieces of content or specific courses.

While ending a subscription, a user can request immediate deletion of their data from the application and all lists, availing their ‘right to be forgotten’. A user can also view and change their data in their SalesHandy account or on the email subscribers list.

7.2.1 How SalesHandy users can change or remove their personal data?

SalesHandy users can edit their account name or change their password by visiting “My Profile” section in the web app, after logging in. To request deletion of their data, a user can contact the support team at support[at]saleshandy[dot]com.

7.2.2 How we apply GDPR to cold email campaigns

If we decide to contact an EU citizen, who is not a user or on our email list, then we will ensure that the person is relevant to our business purposes and would be benefited by our contact.

If a contact requests us to stop communicating with them, we would respect his request and stop all future contact immediately.

As data administrator, one can process personal data of EU citizens, of people who have given consent to process their data by subscribing to an emailing list. As long as you follow the data processing rules covered by the regulation, GDPR does not forbid the practice of cold emailing, read out the blog to know more: Email Marketing after GDPR

Whenever you contact an individual who is not a customer or a subscriber of an email list, then you need to have a clear reason to claim that the connection is related to your business purpose and would be benefited by it. A rational offer connected to the specifics of your recipient’s business can be placed in the cold email.

Informing the cold email prospects about the details of how you are processing their data is important. There should also be a clear placement of a section/link in the email, from where a recipient can request change or removal of his or her personal data.

As a data administrator, you are required to immediately stop sending emails to a person who has wished not to be contacted again. Also, you need to respect if a prospect requests to get their data removed from your emailing lists, availing their right to be forgotten.

Personal data that only have a clear purpose for which you process it should be collected and used. It implies that all additional data that are not related to your email campaign should be removed. You should be able to defend all the fields of data that you collect from your prospects are necessary to be collected, for the objective you are aiming to achieve.

7.3 Accuracy

Our Privacy policy describes how a SalesHandy user or an email list subscriber can request a change or edit ones data.

As data administrator, you need ensure that the data that you process is updated and current. Personal data that is imprecise should be removed or updated immediately.

7.4 Storage limitation, Integrity and confidentiality

SalesHandy will never store personal data for a duration longer than necessary, for the objective for which the personal data is processed.

As data administrator, you need to ensure that you do not store personal data longer than it is required for achieving the end goal, for which the data is required. While sending cold emails it is important to ensure that you do not follow-up on a non-responsive recipient longer than it may be assumed necessary, like a month after you have tried to contact the person for the first time. Hence, it is important to keep your data updated at all times.

SalesHandy processes users personal data, ensuring proper security of it. To know more details you can refer our Privacy & Security document.

As data administrator, in case you share the personal data you process with third parties, you would be required to update and take consent of your data subjects to do so.  You are obliged to take a proper care of the security of the personal data you process.

8. Features Development to comply with GDPR (Status & Roadmap)

We have users from around the world many of whom are based in the EU or process data of EU subjects and therefore require to get compliant with GDPR while sending emails. We are committed to helping all those users with features that would ensure that they acquire and process data of EU subjects in a legally compliant manner. Here’s a birds-eye view of the related features that are lined-up and all that you need to know about it:

8.1. Set and update communication preferences

Status: Implemented (Released on 26th of May 2018)

At SalesHandy we send out newsletters, product updates, exclusive discounts emails etc. As a SalesHandy user, you can select the preference to receive specific fields of communication from our side.

8.2 Unsubscribe Option in Mail Merge

Status: Implemented (Released on 26th of May 2018)

We’re happy to rollout unsubscribe feature in email merge campaign. As a SalesHandy user, you can add custom merge tag in email campaigns. After this update, you get an option to add Unsubscribe URL link in your email right with other merge tags, as shown in the image below. When the recipient clicks on the unsubscribe link they will not receive any future emails from you even if they are on your email list.

If you send out emails to users in EU regions then it is recommended to put unsubscribe link in the email.

8.3 Permanent Account Delete

Status – Completed 

As a controller of the data you bring to SalesHandy, you have right to erase your data completely. With this update, all Saleshandy account admin user will be able to completely remove all their data (non recoverable) including all the invited users with a single click.

When you click on delete my account option, you will have 48 hrs to undo the action (email to support[at]saleshandy[dot]com). After 48 hrs our system will erase all the data from our system permanently and it won’t be recovered.

8.4 Manage GDPR option in SalesHandy Account

Status – Completed

Since GDPR is applicable to residents of EU any individual or company who deals with EU citizens, a SalesHandy user can enable or disable GDPR features option as and when required. A Saleshandy account admin can enable or disable GDPR features in your Saleshandy account from Settings > GDPR

Please note, enabling GDPR will have an impact on Email tracking and Link tracking modules.

8.5 GDPR Compliant Email Tracking

Status – Completed

The GDPR regulation requires that subject (recipient) must be aware of the fact that their email open data is being tracked and as a controller (sender) you must have consent to do the same.

If GDPR option is enabled in your SalesHandy account then as a Chrome/Outlook plugin user you will have `GDPR Compliant` option in email tracking plugin.

How is it different?

If you send a tracked email with the GDPR Compliant option enabled in the plugin, then the recipient will see an image at the bottom of the email which reads that “The sender has requested a read receipt, if you do not want to provide, click here.”

If the recipient chooses to not send read receipt by clicking the link, then SalesHandy will not report current open, future open for that email message.

We’ve decided to design it this way since GDPR requires that recipient come to know that his or her behavioral and location information is being tracked and should have right to opt out.

8.6 Data Retention and expiry

Status – Completed

GDPR requires the processor to give the right to the controller to select the duration of data storage. Complying with that, we’ll give users an option in settings where they can specify the number of days they want to retain the recipient/contact data (email open, link click) with SalesHandy. This implementation ensures that your data is not stored longer than that specified time interval, and is periodically deleted (permanently) from our system.

8.7 Export (Subject) Data

Status – Completed

GDPR gives a right to EU subjects to request and modify the data. As a Saleshandy user and collector of the subject’s data, Saleshandy app will give you the option to export the contact (subject) data stored in our System.

8.8 Delete (Subject) Data

Status – Completed

GDPR gives the right to EU Subjects subject to request removal of their data. As a SalesHandy user and controller of the subject’s data, SalesHandy app will give you the option to permanently delete the contact and related information stored in our System.