How Replyify is Ready for GDPR

Disclaimer: The content below is provided for informational purposes only and is not meant to serve as legal advice.  You may seek professional legal counsel to determine exactly how GDPR is applicable to you and your customers.

As an email marketing services company, Replyify has taken steps to ensure that our platform and processes are compliant with the evolving regulations of GDPR.

Still not sure if you can send cold emails?  (hint- you can cold email but you should read and process this post first)

replyify’s Role in GDPR

• As a Data Processor, Replyify is not responsible for the range or the purpose of processing the personal data used by our clients who are the Data Administrators or Data Controllers. However, if we are informed that a client has violated their obligation to GDPR, we are obligated to react to the violation(s) within a reasonable amount of time.
• We’ve updated our TOS, Privacy Policy and Cookie Policy to be compliant with GDPR.
• We provide a Data Processing Agreement to our customers who are the Data Administrators defined under GDPR.  Please contact us to learn more.
• Credentials that you (our clients) use to connect your Email Account to Replyify are encrypted and pseudonymised when stored in the database.
• Replyify employees Do Not have access to your Email Account password.
• Credentials that you use to connect to external accounts, like Salesforce and Zapier to Replyify are encrypted and stored in a database.
• We always use https or SSL where possible to keep your data safe.
• We provide appropriate security for any data collected and stored for our own sales purposes or for our client services with strong password protection, physical access controls, system access controls, data access controls, transmission controls, input controls, data backups, data segregation, and industry standard technical security measures.
• We have a process for handling data breaches like infiltration of data stored on servers, loss/theft of a computer that stores information, malware, or even (for example) accidental email sent that discloses information not intended for all recipients of the email.
• The only action that Replyify takes with your Email Accounts are those necessary to run the campaigns you create in fulfilment of our contractural obligation to you as set forth in our Terms of Service.
• We ensure that every employee is trained to comply with GDPR standards of privacy and confidentiality.

We created a workflow for our customers to fulfill any request (see below) by EU citizens to edit, delete, export or object to their data processing.  Our customers will be notified of any GDPR actions so you can edit/update your Replyify account and any other systems that could be processing personal data.  We will delete any data (as requested by a verified EU citizen) 72 hours after the request has been received..

• GDPR stipulates ‘rights’ for individuals that Data Processors and Data Controllers must adhere to.  The GDPR does not seem to require that exercising these rights be fully automated or instant.  Actions must be taken, however, “without undue delay”
• ACCESS: With GDPR, individuals will be able to request access to their personal data and learn how an organization uses it after they’ve obtained.  The company processing the data will have to provide a copy, free of charge, of the personal data if requested.  You must acknowledge receipt of the request within 20 days and all relevant data must be delivered to the individual within 30 days
• ERASURE: An individual will have a right to withdraw consent to store and use their personal data.  They may request that the personal information be deleted.  The Data Processor (Replyify) has the right to erase this data on behalf of the Data Controller if requested directly by the data subject.
• DATA PORTABILITY: You have the right to transfer your data.
• RECTIFICATION: Replyify provides an accessible interface for our clients to update their information or information requested to be updated by a data subject.
• RIGHT TO BE INFORMED: With GDPR, companies must be transparent about how they gathered personal information.  Replyify documents the process of data added to the system by the Data Controller.
• RESTRICTED PROCESSING
  Individuals have the right to block and/or suppress the processing of their personal data. If suppressions is requested, an organization can still store personal information but they may not use it in any way.
• ‘STOP’ PROCESSING: Individuals (data subjects) have the right to object to you using and/or processing their personal data.  If requested or demanded, you must cease processing the individual’s data immediately.

Your Role in GDPR

• You are a Data Controller in the eyes of GDPR.
• You should retain an individual’s data only for as long as it is necessary, but there isn’t a strict rule (yet) on how long that is.
• If you receive a request of a EU citizen exercising one of their rights, you must comply with their legitimate request in a reasonable amount of time.
• Don’t collect personal data that you don’t need.  For example, if you’re not going to be making phone calls, don’t collect and store the personal phone number.  You need a legitimate interest.
• You must provide a contact with a way to Opt Out from receiving future messages from you.  Consider a disclaimer in your cold emails that inform the prospect about   In the cold email, inform your prospect that you processed their data for a specific purpose and that they can change/remove their data from your list by completing a certain action. Something like: “if you want me to change or remove the data I used to contact you, just reply back and let me know.”
• Internal Data Review: Start by identifying every source of personal data collection including your signup form(s), lead capture form(s), chat/support applications, emails from customers, and all employee information.  Document the data you possess or collect, what is this data used for, where did the data come from, where is the data stored, how long is the data stored, who has access to it and how to edit and/or delete it.  Delete any unnecessary personal data.
• Don’t buy a 3rd party list that you didn’t personally build.  You need to have a legitimate interest for contacting each and every EU citizen.  Read this post.
• Don’t get lazy and email someone because their email address was easy to find.

Think cold emailing is dead?  Read this post.