We are excited to announce that Allbound has expanded into the European Union (EU), with an operational platform in Germany. Customers can choose to operate out of the US or Germany when implementing Allbound.
To ensure customers’ data is protected regardless of the region they select, the EU has instituted a new data protection framework called the General Data Protection Regulation (GDPR). On May 25th, 2018, the EU’s new GDPR goes into effect and the framework is designed to:
1. Strengthen individuals’ privacy rights related to processing of their personal data
2. Significantly expands their rights over their data
3. Provides increased transparency
Allbound is fully committed to being GDPR-compliant by May 25th, 2018. To that end, between now and May 25th, Allbound will be releasing multiple updates to enhance the tools we offer our customers within the product. Also, Allbound is consistently updating our overall Information Security practices to ensure data protection for all individuals and customers.
Allbound’s Commitment to Data Protection for Everyone
First and foremost, Allbound is committed to protecting all data it controls for any user or customer. We closely follow the NIST Cyber Security framework and have a continuous focus on issue prevention, detection and response. We have a robust practice based on comprehensive policies and demonstrable actions.
Some controls Allbound implements around your data are:
- Identify important data
- With regards to GDPR, it’s personally identifiable data such as name and email and consent to usage that is our focus
- Protect data and prevent issues
- End-to-end security focus in software development
- Strict patch management to ensure all software is up to date
- Data encrypted at rest and in transit
- User training and access control, including two-factor authentication
- Detect an issue
- Vulnerability scanning and system monitoring
- Consistent log monitoring and alerting
- Respond to an issue
- Rapid and transparent response procedures
- Recover from an issue
- All data is backed up to multiple locations on and off-site for quick recovery of any lost data
Brief GDPR Overview
GDPR encompasses all organizations that process the personal data of EU citizens, regardless of the entity’s location. Currently, the terms processing and personal data are broadly defined:
Processing involves “any operation or set of operations which is performed on
personal data.” Personal data means “any information relating to an
identified or identifiable natural person (‘data subject’).”
The GDPR makes a critical distinction between Controllers, or entities who determine the purpose and methods of the processing of personal data, and Processors, or entities who process personal data as directed by a Controller. Allbound is considered a Processor and is required to provide the underlying security controls to protect data, as well as provide the tools a Controller requires to be GDPR-compliant. Allbound’s customers are considered Controllers and are required to implement proper controls to ensure compliance with the GDPR.
GDPR Compliance Requirements for Processors (Allbound)
The GDPR will change the way organizations collect data, as well as how they obtain, document, and manage the legal basis for processing. Below is an overview of some, but not all, of the GDPR requirements for Processors. Processors must:
- implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Allbound follows NIST standards as discussed above
- provide the tools needed by Controllers to handle individuals requests, including their right to be forgotten, right to get a copy of their data, right to reduce the usage of their data, etc… Allbound provides these capabilities via our data editing tools within the product.
- provide the tools required to allow Controllers to manage obtaining consent
- execute DPAs (Data Protection Agreements) with Controllers that are managing EU citizen data.
- provide the tools required to allow for Accountability of data. This includes audit trails, role based permissions, data management tools, etc…
- appoint a Data Protection Officer if required. Allbound’s CTO Kyle Burnett will be appointed as our DPO.
- appoint a local representative in the EU. While Allbound isn’t fully required to appoint a local EU rep, we have decided to appoint one anyway to ensure there is no ambiguity related to our compliance requirements.
- provide data breach notifications – Allbound is committed to reporting any data breach within 48 hours to impacted Controllers
- assist with Data Protection Impact Assessments – Allbound will work with its customers (Controllers) to quickly assist them with any requests related to an impact assessment.
- obtain consent for the legal processing of data and migration of data outside of the EU.
Allbound is committed to providing the required tools and processes by May 25th to ensure all of our customers can easily be GDPR-compliant if required.
GDPR Impact on Channel Marketing
One of the more important requirements of GDPR is the requirement to clearly obtain Consent, manage Consent, and have a clear audit trail in place before directly contacting any individual that falls under GDPR. The issue of obtaining consent presents a significant challenge to Controllers that are selling via indirect Partners. Allbound provides the ability for a Partner User to indicate they have obtained consent before submitting any personal information on a prospect into the Allbound Platform. However, Allbound as a Processor is only providing a mechanism to be used by its users. Allbound is not in a position to prove that a user properly obtained consent, since Allbound does not directly interact with the prospect. We recommend that the Controller/customer of Allbound establish legal and operational safeguards with all their Partners to ensure a clear process to obtain and document Consent is in place and strictly followed. Here are some helpful discussions on managing Consent:
Other Helpful GDPR Resources
While the content on this page is intended to help understand the GDPR related to the use of Allbound’s services, the information contained herein may not be construed as legal advice and companies should consult with their legal counsel to understand their obligations under the GDPR.