Reply's commitment to GDPR

Read this article to learn more about GDPR and EU-US Privacy Shield compliance within Reply.io & how you can manage your data

Written by Reply Team

Since May 2018, the General Data Protection Regulation (GDPR) has applied to organizations whose business relationships involve EU data subjects.

At Reply.io, we are fully committed to upholding compliance with these regulations for both our product and our overall organization. Moreover, we strive to support our customers in their endeavors to meet GDPR requirements.

In this article, we address common questions about GDPR and the EU-US Privacy Shield, so that our customers and partners have a clear understanding of our current standing and the measures we take to safeguard data privacy and protection.

General info

Reply is aligned with GDPR legislation. We recognize the importance of GDPR and have made a concerted effort to align with its principles and maintain data protection standards.

However, it is important to note that Reply is not fully compliant with every legal obligation set out in the regulation. The sole reason is the Reply: LinkedIn Email Finder and Outreach extension, which scrapes data from LinkedIn.

Using scraping tools such as Reply's LinkedIn Email Finder and Outreach extension to extract information from LinkedIn raises potential GDPR compliance concerns. This is primarily because such tools amass information in bulk, and because the individuals whose data is collected (the data subjects) may not have given explicit consent.

What is the solution for this?

If you use Reply without the Reply: LinkedIn Email Finder and Outreach extension, you can be sure that all remaining components of the platform are fully compliant with the legal obligations set out in the GDPR.

However, if you use Reply together with the LinkedIn Email Finder and Outreach extension, keep the following points in mind:

  • The extension extracts only information that is publicly accessible on LinkedIn.

  • We respect all of the data subject's rights and help handle all data requests, including deleting information from sellable databases. If a data subject contacts you or Reply with any issue regarding access to their data, we can erase that data from the system immediately.

  • Consequently, when a data subject asks about their data and how it was gathered, you can refer them to Reply and contact us. We will then take care of removing that data from the system.

Below is a comprehensive overview of how Reply is addressing GDPR compliance.

Discover personal data

Search for and identify personal data
For Reply.io, the personal data of our customers stored in our application is located in the Azure Cloud and in the internal systems needed for operations, which are also cloud applications. We have changed our internal policies to ensure that employees store no personal data locally outside of this scope. Data that belongs to our customers, as controllers, in their accounts is stored only in the Azure Cloud. Customers are responsible for handling the personal data in their own accounts and should review it accordingly.

Categorization
We do not deliberately collect personal data about specific groups that the GDPR singles out, for example persons under 18 years of age.

Maintain an inventory of personal data holdings
Currently, we maintain a clear separation between personal data about our employees and about our customers across the systems we use (CRM, Intercom, the Reply application, Slack). Personal data of data subjects in customer accounts is stored and processed only in the Reply application. Outside the Reply application, we use such data only in aggregated form for analysis.

Manage data

Enable data governance practices and processes
We are in the process of developing a set of processes, spanning many departments, that define how we respect and handle data subject rights under the GDPR.

Provide detailed notice of processing activities to data subjects
We have developed a 'Trust' page on the website with an updated privacy policy that covers how we, as a controller, use the data of our customers. It also explains how personal data in their Reply accounts is processed, with Reply acting as the processor.

Discontinue processing on request
The 'Trust' page will host a request form, and we are implementing a process to stop processing a data subject's personal data on request and to notify the relevant data controllers (our customers).

Collect unambiguous, granular consent from data subjects
We process the personal data of our customers and employees on the basis of 'legitimate interests', as this processing is needed to fulfil our contractual obligations or to provide customer support for the Reply platform. For data subjects in our customers' accounts, it is the customers' responsibility, as data controllers, to obtain consent or rely on another lawful basis under the GDPR for collecting and storing personal data. We, as the processor, are here to help respect the rights of data subjects and to provide information on how we process such data.

Facilitate communication mechanism between data subject and organization to handle data subject requests
We are working to launch the 'Trust' page on our website, Reply.io, by mid-April. It will host request forms for GDPR and EU-US Privacy Shield requests. Our DPO or Customer Support team will communicate on these topics via email or support chat.

Rectify inaccurate or incomplete personal data regarding data subjects
On the 'Trust' page it will be possible to submit such a request (and also to request a copy of the data we store on a data subject), and we will honour it.

Erase personal data regarding a data subject
On the 'Trust' page it will be possible to submit such a request (and also to request a copy of the data we store on a data subject), and we will honour it. In April, we will implement an internal process for fulfilling such requests.

Provide data subject with their personal data in a common, structured format
On the 'Trust' page it will be possible to submit such a request (and also to request a copy of the data we store on a data subject), and we will honour it.

Restrict the processing of personal data
On the 'Trust' page it will be possible to submit such a request (and also to request a copy of the data we store on a data subject), and we will honour it.

Review data processing conducted by automated means
On the 'Trust' page and in the privacy policy, we will highlight the cases in which we process personal data by automated means or use it for profiling.

Appoint a Data Protection Officer (DPO)
By May 1, 2018, we will appoint a DPO. Their contact details, together with those of our EU representative and of the third-party company providing the independent recourse mechanism for the EU-US Privacy Shield, will be available on the 'Trust' page.

Protect data

Data protection and privacy by design and default
As part of our GDPR compliance implementation, we have reviewed our internal policies and how we build new value for customers with privacy in mind.

Secure personal data through encryption
By May 1st, we plan to encrypt data stored by the Reply application in Microsoft Azure Cloud (subject to technical or performance limitations).

Secure personal data by leveraging security controls that ensure the confidentiality, integrity, and availability of personal data
A three-part approach is currently in place. First, we have updated our internal employee policies to grant access only to the roles that need it and to reduce the likelihood of a breach. Second, processes for respecting GDPR rules are being implemented. Finally, technical improvements to the infrastructure, such as Azure Key Vault and database encryption, are planned for completion by May 25th.

Prepare for, detect, and respond to data breaches
The processes and policies we are developing now will cover how we communicate possible breaches, while the technical improvements should reduce the risk of them.

Facilitate regular testing of security measures
During 2017, we undertook a three-month period of intensive application security testing and fixed 15+ vulnerabilities. After May 2018, we will schedule another round to reassess the current situation.

Report

Keep a record to display GDPR compliance
We store data in processed or raw formats and maintain a list of processing activities that can be combined for each record if needed.

Track and record flows of personal data into and out of the EU
To cover such flows, we have applied for, and are currently in the process of, self-certification under the EU-US Privacy Shield program for the transfer of data between the EU and the US. In addition, our employees (and contractors) will sign contracts with contractual clauses covering the transfer of data to countries other than those covered by the EU-US Privacy Shield. Data that moves through integrations in our customers' accounts, including the connected accounts, belongs to the customers as data controllers. To make sure those applications handle flows of personal data in a compliant way, customers should consult representatives of those organizations.

Track and record flows of personal data to third-party service providers
Personal data of our customers or employees that has been transferred to third-party providers (such as the internal systems we need to automate company operations) is stored there and can be accessed or deleted at any time. We also keep logs of data flows from the point where we collected the data to the third-party systems (where such a transfer occurred).


Facilitate data protection impact assessment
As of now, we have implemented the first wave of processes and technical changes needed for compliance. After that, we will consider conducting a data protection impact assessment.
