Data management, GDPR, ePrivacy and security with Leadoo
When it comes to data management and Leadoo, there are two major regulations in the EU that dictate what you, and all other companies such as Leadoo, need to fulfil: the ePrivacy law and GDPR. In California the closest analogue is the CCPA, and in Brazil the LGPD.
The ePrivacy law dictates what you are allowed to store on users’ devices, and GDPR dictates how you must manage users’ personal data. You, as the website owner, are responsible for ensuring your website complies with all applicable regulations. This guide is meant to help you fulfil your obligations and gives guidelines on how Leadoo should be used. There are TIPS sections below for things you should do.
This is not to be considered as legal advice, but more as a layman’s guideline. For legal advice, contact your lawyer.
How this manifests in practice on most websites is that, because of the ePrivacy law, you have to ask for user consent before installing cookies in their browser (some exceptions apply). Most often this is done with a popup. Please note that you have to ask for consent BEFORE installing any cookies. This means that you cannot load e.g. Google Analytics before asking for consent from a user visiting your website, unless you ensure GA is loaded in a private mode. It is also not allowed to merely inform users that “this site is using cookies, by continuing to use it you accept it”. You have to explicitly ask for consent before installing any cookie in the user’s web browser. The same applies to Leadoo, which is considered a marketing tool: you should ask for permission in the same place you ask for permission for Google Analytics, the Facebook Like button, Hotjar, HubSpot or any other marketing tool your website uses. Most often this is done with a Consent Management Platform (CMP), of which there are several available, e.g. as WordPress plugins.
It is also important to note that while we mostly talk about cookies, “cookie” is just an umbrella term for any way of tracking users, e.g. in Leadoo’s case ETags.
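The consent-first loading described above, as an added example that is not Leadoo’s own code: every marketing tag is registered with a loader but nothing is injected into the page until the CMP reports which consent categories the visitor granted. The script URLs and the tag/category names are placeholders and assumptions, not Leadoo’s or Google’s real ones.

```javascript
// Consent gate: marketing scripts are only injected after the CMP grants consent.
// Added example; the URLs below are placeholders, not the vendors' real tag URLs.
const LEADOO_TAG_URL = "https://example.invalid/leadoo-tag.js"; // placeholder
const GA_TAG_URL = "https://example.invalid/ga-tag.js";         // placeholder

function createConsentGate() {
  const pending = []; // { id, category, loader } waiting for consent
  const loaded = [];  // ids whose loader has already run (run at most once)

  // Registering a tag never touches the browser; it only records the intent.
  function register(id, category, loader) {
    if (pending.some((e) => e.id === id) || loaded.includes(id)) return;
    pending.push({ id, category, loader });
  }

  // Call this only from the CMP callback, with the categories the user granted.
  // Runs the loaders for granted categories and returns their ids.
  function grant(categories) {
    const allowed = new Set(categories);
    const ready = pending.filter((e) => allowed.has(e.category));
    for (const e of ready) {
      pending.splice(pending.indexOf(e), 1);
      loaded.push(e.id);
      e.loader();
    }
    return ready.map((e) => e.id);
  }

  function status() {
    return { pending: pending.map((e) => e.id), loaded: loaded.slice() };
  }

  return { register, grant, status };
}

// Injects a <script> tag; returns false outside a browser (e.g. in tests).
function injectScript(src) {
  if (typeof document === "undefined") return false;
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
  return true;
}

// Wiring: marketing tools share one category, so one CMP decision covers them all.
const gate = createConsentGate();
gate.register("leadoo", "marketing", () => injectScript(LEADOO_TAG_URL));
gate.register("ga", "marketing", () => injectScript(GA_TAG_URL));
// The CMP callback would then call gate.grant(["necessary", "marketing"]) or gate.grant(["necessary"]).
```

Wire `gate.grant(...)` to your CMP’s consent-changed event; until that fires, no marketing script and no cookie from those tools reaches the visitor’s browser.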
The General Data Protection Regulation sets out how personal data must be managed. When you collect personal data on your website, you are the Controller of that data and need to inform the people whose personal data you collect why and how you are going to use it, as well as which sub-processors you use to store the data. As a controller you are obliged to manage the personal data properly and not give it to third parties you haven’t informed the user about. The user also has the right to ask what information you hold about them and to ask you to delete it. Most commonly you have to tell your users if you store their data in a CRM (like Salesforce or Pipedrive), process it in an invoicing system, or simply keep it in Google Spreadsheets or Excel files. All of these have to be listed on your website so your users can approve them before you collect their data.
Personal data is any data that can be used to identify a person. Most commonly this is a name, email address or phone number, but it can also be the IP address of the person visiting your site.
The best way to document this on your website is to describe how you take care of security and data storage, and which third-party sub-processors you use and for what purpose. In Leadoo’s case we have done it like this: https://leadoo.com/data-protection-and-gdpr/ which you can feel free to copy. After this you have to ask people for permission to store their data. In Leadoo’s case this can be done through a question within a bot or through a separate popup.
You also need to ensure that you have a Data Processing Agreement (DPA) with all your sub-processors. This document is proof that you have agreed with your sub-processors on how you communicate about data, and that you have the right to ask them to remove data about your customers if your customers ask you to. In Leadoo’s case our DPA is part of the standard contract, found here: https://leadoo.com/data-processing-agreement-customer/
At Leadoo we have taken steps to minimize the risk of data leakage. For instance, our customers can flag whether or not they use a given service: if they don’t use email automation, no data goes to SendGrid, and if they don’t use Smart Company profiles, no data goes to Clearbit; when it does, only the IP address is transferred. We have also ensured we have Standard Contractual Clauses (SCCs) with all our sub-processors. Where we do use non-EU based companies or services, we have documented it, created internal review processes, and kept the impact as small as possible through automatic data erasure and security measures. We also encrypt all data at rest and in transit, and access our own production environment only over VPN. This is naturally sound advice for any company, regardless of regulation.
Data retention, i.e. clearing data points that may be personal data, runs nightly over all data collected by Leadoo. By default we delete data older than 5 years. Customers can set this to any custom number of days, e.g. clear personal data older than 15 days.
Make sure you have a DPA with every sub-contractor you use (CRM provider, etc.). Leadoo’s standard contract includes this.
If you are unsure about how to comply with GDPR, ePrivacy or similar legislation in your business and country, don’t hesitate to contact us.
You can contact Leadoo’s COO Fredrik Rönnlund directly at [email protected]