What is GDPR?
The General Data Protection Regulation (GDPR) is a privacy regulation enacted by the European Union (EU) in April of 2016 to protect member country citizens and their right to privacy and control over their personal data in the digital world.
The internet and the way we use it have changed a lot since the first privacy laws were created in the 90s. It is the EU’s hypothesis that allowing citizens more control over their digital footprint will foster more trust in online business. This should increase the citizens' likelihood of conducting business with them and thereby increase the digital economy.
The regulation went into effect on May 25, 2018, and the potential financial penalties for failure to comply are steep. The sections below provide a high-level overview of important terms, impacts, and how Apollo participates in GDPR.
If you would like to read the actual text of the General Data Protection Regulation in its most recent form, please visit the EU GDPR website.
Why is GDPR important?
GDPR is important because it likely affects more people, and more deeply, than they realize. The safest assumption is that GDPR affects your company in at least some capacity, especially if you work for a company established in the EU, a company that sells to people within the EU, or a company that monitors the behavior of EU citizens, regardless of where your headquarters is located or where you send marketing emails from.
Failure to adhere to GDPR guidelines can be expensive. The highest fine a single company could pay is 4% of its global annual turnover or 20 million euros, whichever is higher. Lower-tier fines apply to less serious violations and can be up to 2% of global annual turnover or 10 million euros.
GDPR Terminology Glossary
Use the glossary below to help make sense of the important terms contained in the GDPR.
- Consent: Contacts in the EU must provide explicit permission before you can contact them. If contact information was gained through a third party, the source must be specified at first contact with the Data Subject.
- Cross-Border Data Transfer: Sending data and/or personal information outside of EU/EEA borders.
- Data Subject: A natural person and citizen of the EU whose information has been collected and can be identified by a data controller.
- Data Controller: Controllers include parties who manage personal data or collect personal data. Apollo and Apollo's customers are considered data controllers.
- Data Portability: A data subject’s right to receive their own personal data from the data controller in a familiar, machine-readable format.
- Data Processor: A party that is instructed by the controller in how personal data should be handled and used. Apollo is also considered a data processor.
- Data Subject Rights: New rights within the GDPR include the right to be forgotten, the right to data portability, and the right to object to profiling.
- GDPR Articles: The GDPR includes two sections: the Recitals and the Articles. The Articles contain the text of the legislation and the Privacy Management Activities (PMAs) that are required for compliance.
- Personal Data: Personal data included in Apollo typically includes name, company address, company phone number, email address, and IP address.
- Privacy by Design and Default: Companies have an obligation to keep data privacy top-of-mind throughout the design process and to build default and adequate privacy controls into all new features.
GDPR's Effect On Sales Teams
A key element of the GDPR that can cause business friction is the gravity of the consent required from individuals. Specifically, in order to collect and handle (or “process”) the personal data of Europeans, marketers and services like Apollo must have a “legal basis.”
Two common legal bases include:
- Consent of the data subject
- A “legitimate interest” to use the data that is not outweighed by fundamental “rights and freedoms,” taking into account data subjects’ “reasonable expectations” of how data may be used
The GDPR cites “direct marketing” as an example of a likely “legitimate interest.”
Many legal commentators have noted that the GDPR leaves many questions unanswered and the potential for courts to resolve those questions in the years to come. Based on the best legal interpretations as of today, Apollo (and many others) believe that under this balancing test, most B2B marketing like newsletters and most direct marketing is protected as a “legitimate interest” if executed in a thoughtful way.
On the other hand, campaigns that are not targeted in a way that is likely to be useful to someone given their industry or position may not fit a “legitimate interest.” It will, therefore, be more important than ever for B2B marketers to use data wisely and tailor campaigns and marketing to be relevant.
These elements are only relevant for prospects located in the EU, so you don't need to worry about these regulations if you’re emailing anyone outside the GDPR’s jurisdiction.
How does Apollo adhere to GDPR?
The Apollo team works hard to ensure that we remain in compliance for both the company's benefit as well as that of our customers. The Apollo platform is more complex in the way that it handles data than most, so our compliance is similarly complicated.
Much of maintaining GDPR compliance as a vendor involves how we secure our data. In order to maintain a high bar of security we have completed the following:
- Apollo has obtained a SOC 2 report and ISO 27001 certification. These accreditations evaluate Apollo's controls relevant to data security, availability, and confidentiality. To gain them, Apollo needed to demonstrate that these controls operate effectively and maintain security, availability, and confidentiality over a predetermined span of time.
- Apollo has implemented advanced data controls, including the encryption of all user data, designed to protect our customers’ data from leaks and malicious intent. The Apollo team regularly tests our product to fix any potential problems and maintains the industry’s highest standards in information security.
- Apollo has built and follows data incident response processes. These processes are tested each year for continued effectiveness.
- Apollo built processes to supplement data recovery and integrity to help any customers whose data is lost or unintentionally corrupted.
- Apollo has systems in place to protect all customers' rights to their own data footprint in the platform.
- Apollo’s key data sub-processors, such as Amazon Web Services (AWS) and Google Cloud Platform, all have achieved similarly high-level security standards (SOC 2 and/or ISO 27001 certifications, where possible) and have undergone rigorous security evaluations.
GDPR lays out different requirements for “Processors” and “Controllers” of data. In Apollo's case, we operate as both a data controller and data processor since we help our users acquire data as a controller and communicate with prospects as a processor.
Apollo's Adherence to GDPR as Data “Controllers”
As it stands, Apollo is in compliance as a data controller by the standards contained in the GDPR. Apollo manages the data we collect to ensure it is in compliance. We also view it as our responsibility to educate everyone who uses our data to keep them informed and prepared to use our data in a way that similarly keeps them in compliance.
Our users have the option of excluding citizens of member countries within the EU to help protect themselves against accidentally emailing someone they shouldn’t. This prevents our customers from having to comb through lists of prospects to double-check their own compliance while prospecting.
Apollo customers that sell or market to EU citizens must be transparent in their intentions with any personal data that they collect and must have consent from individuals before sending them any information. If they do send any form of communication, they must also provide the ability for people to opt out of any future messages. If our customers also use Apollo as their sales engagement platform, they have the ability to include opt-out links within their emails.
Apollo has the ability to enrich data pertaining to citizens of the EU should our users already possess their contact information. For example, if a user has the email address and name of an individual working for L’Oréal Paris, we have the ability to enrich title and company information. With that said, this ability is only applicable if the enrichment is for the purpose of data hygiene and cleanliness or if you have a good faith reason to believe that the recipient has a demonstrated interest in receiving the information or offer, such as information that would help them perform their job.
As data controllers, Apollo maintains our own compliance and aids users with their own compliance, but Apollo highly recommends that all of our customers familiarize themselves with the regulations and seek out additional support from privacy advisors if any questions remain.
Apollo's Adherence to GDPR as Data “Processors”
Beyond the precautions and measures laid out above, Apollo has completed and will undertake the following actions to maintain compliance as a data processor:
- Working with our legal counsel (and, when requested, that of our customers) to ensure full preparation and compliance.
- Evaluating every use case within our platform so that every decision we make can be backed up should it face legal scrutiny.
- Crafting internal workflows to quickly and thoroughly complete data subject requests.
- Conducting an in-depth review of all requirements and implications for data processors, and of where we may be a joint controller.
- Updating all contact information and notices so that data subjects and customer data controllers can contact us if necessary.
- Obtaining all resources necessary for the ongoing compliance requirements and documentation necessitated by GDPR.
- Updating and maintaining data security standards and workflows to meet all requirements necessitated by GDPR.
- Evaluating all customer contracts where necessary to ensure we’ve laid out a path to legal compliance for them to the best of our ability, and to clearly detail our own responsibilities to avoid any confusion that could result in a penalty.
We are aware that laws and regulations could continue to change, so we will continue the work of maintaining compliance and will help our customers do the same.
When in doubt, your best course of action is to talk to attorneys well-versed in data privacy or to a data protection officer. For all Apollo-related questions, we’re more than happy to help.