GDPR compliance for US companies: What you need to know


    Nick Hawkins

    Security & Compliance

    In May 2018, the European Union began enforcing regulations on data protection and privacy for all individuals within the EU, which is known as the General Data Protection Regulation...

    GDPR compliance for US companies: Beyond the EU

    In May 2018, the European Union began enforcing regulations on data protection and privacy for all individuals within the EU, which is known as the General Data Protection Regulation (“GDPR”). The regulation arrived at a time when increasingly advanced web technologies have enabled more and more online businesses to collect and use personal data for aggressive advertising and marketing purposes.

    The spirit of GDPR is to give individuals more control and protection over their personal data. More specifically, this means requiring businesses to have appropriate technical and organizational measures for data protection, disclose of any data collection and its reasons, as well as not processing personal data unless they have legal cause to do so, consent from the consumer being one of them. Not being GDPR compliant means facing significant regulatory fines.

    GDPR may seem like a chore for some businesses, but it’s potentially a milestone in a longer trend towards stricter consumer data protections worldwide. As companies use more data-driven digital campaigns to market and sell their products, these data protection measures are instrumental in limiting potentially predatory practices towards consumers.

    This trend towards stronger data protection is evidenced by other regulations that have emerged in places outside of the EU. For instance, in the United States, many states that have strengthened breach notification laws, expanded the definition of personal information, and increased oversight of third-parties when dealing with data. Also, France’s CNIL has imposed a 50 million euro penalty on Google for GDPR breach while the FTC is currently negotiating with Facebook on a potentially multi-billion-dollar fine.

    BLOG - 05-XX-19 GDPR - 01 Facebook stands to pay billions to the FTC for data breaches.

    The cost of data governance errors

    For businesses to succeed in a more data-sensitive and data-aware market, smarter data governance and strategy must be a priority. Data governance is crucial for software-as-a-service (SaaS) companies, which frequently store customer data on an ongoing basis as part of their subscription-based business models.

    There are many risks of operating in an environment with GDPR and other data protection regulations that go beyond EU law. Aside from the prominent regulatory fines, which can be the greater of up to 20 million euros or 4% of the global annual revenue of the previous financial year, companies face a more-immediate threat directly from customers, or even from specific individuals, that end up with a data breach, since either party might seek legal damages.

    Another risk is the damage that mishandled data or poor communication about customer data can cause to a brand. For example, Ghostery, a company known for being a customer advocate in data protection, accidentally did not blind CC its email recipient list in its announcement email about GDPR. Though the company handled the error professionally (including immediately alerting GDPR authorities about its potential privacy breach), less-transparent companies may take a hit in terms of brand loyalty.

    Even in areas outside of the EU, businesses still have to take data protection seriously. Publications like the LA Times waited until the very last minute to get their customer data infrastructure in order, and on the day GDPR was enforced, they had to block their European audience instead of showing their regular news website.

    BLOG - 05-XX-19 GDPR - 02 The LA Times’ lack of GDPR preparation led to this unfortunate page for EU users.

    Businesses that take the time to think through their data strategy and governance can potentially reap more benefits than just being compliant with regulation. They can also become leaders in their space for being data-aware and customer-focused, using transparent communication to build brand goodwill with customers. Businesses that operate with a robust data governance strategy can not only avoid potential regulatory minefields, but they can also outpace competitors who cannot make the same security guarantees.

    GDPR compliance checklist for US companies: Data governance

    Partner with marketing and advertising vendors that are compliant

    It’s essential to partner with marketing and advertising vendors that maintain the strictest levels of compliance. Since there are so many different customer data vendors out there, making sure you find a vendor that is compliant with the highest standards of data security is vital to ensuring your company can avoid penalties. Even in the event of a data security issue on the part of a vendor, it’s entirely possible your company may be financially liable!

    For example, is GDPR- and SOC2-compliant and undergoes regular penetration testing to ensure data security. You can learn more about what these certifications mean on the trust page. Working with vendors that take data security seriously gives your company a headstart in maintaining compliance.

    Create and follow a data plan and data governance strategy

    Data strategy and governance shouldn’t be an afterthought, especially when using marketing and advertising tools in a post-GDPR world. Companies that carefully consider policies surrounding their customer data collection, analysis, and use are actively using these considerations to improve the end-to-end customer experience. For example, New Relic, which uses a General Automation Platform to combine the ease-of-use of CSV files with the capacity and responsiveness of Redshift for data warehouse and the deep customer insights of Segment, uses customer data to intelligently customize customer lifecycle messaging across multiple channels, including email and its chat solution Intercom.

    A data governance strategy should address both the technical aspects of the data governance itself, which could include questions about how the data is collected, processed, stored, and used. But a good strategy should also consider organizational alignment within your company to access and use data for business intelligence. Is there one data team? Or will each product team have a data person? Every organization has unique needs, and the team structure and process with which different groups access, analyze, and act on data should reflect those needs. The benefit of a customer-focused data governance strategy at a technical and organizational level is a more-coherent data strategy that can simplify data-related decisions moving forward.

    BLOG - 02-20-19 Hot Topic 4 - 01 New Relic uses comprehensive data governance to customize messaging across the customer journey.

    What does smart data governance look like?

    A smart data governance strategy enables businesses to maximize their marketing and sales operations while minimizing a wide variety of risks, such as data regulations and changing consumer needs.

    Another challenge in data governance is managing data at scale. For example, revenue teams typically must capture an enormous number of leads daily to ensure a healthy sales pipeline. To ensure these best practices are in keeping with data regulations, companies can use solutions such as data enrichment to ascertain users’ region and, with software automation that can directly manage your database, properly mask or even hash data as needed.

    Of course, hashing user contact details, mass unsubscribes, and otherwise deleting user data would be simple if we were talking about a handful of email addresses in a spreadsheet. However, enterprises and rapidly-growing firms typically handle user information for thousands, if not millions, of prospects linked to multiple applications - CRM, marketing platforms, outbounding platforms, chat messaging, support helpdesks, and many others. Manually removing a single contact from multiple apps is a painful chore. Manually removing thousands of contacts from multiple apps is functionally impossible.

    It’s no wonder that companies are considering robust automation solutions that can securely connect to any software in your tech stack to instantly hash or delete user contact info on-demand. The best such solutions typically use API integrations - connections among cloud-based apps at the software level which, when appropriately managed, can securely and seamlessly flow essential data, including contact information. Some companies are choosing the strategy of combining software integrations with an automation layer that automatically sends API requests to delete specific contact information on request within every integrated app within their tech stacks to expedite the entire process.

    Examples: Using integrations + automation for GDPR data governance is a leading team scheduling solution that found a formidable challenge with GDPR. Previously, when an early-stage prospect unsubscribed from further messages, Deputy would dig up that contact’s record from their tech stack, which includes Salesforce and Intercom, and manually remove it. With GDPR looming, this annoying task became a significant financial threat. Deputy used an integration and automation platform to sync Salesforce to Intercom and rapidly automate the unsubscribe process. “We’re a SaaS application used in 110 different countries,” explains global revenue operations manager Keith Jones. “GDPR was a significant event that required us to fix a laundry list of issues for compliance. Thankfully, we found a solution that’s fast enough and robust enough for our needs, and unlike other competitors, offers both SOC2-compliance as well as penetration testing, so we can build with confidence. And now we can process unsubscribe requests with just two clicks.”

    SOC-2 and GDPR-compliant sales intelligence leader Outreach goes to great lengths to ensure it manages its inbound marketing leads with the highest levels of data security. And the firm also uses a highly secure automation platform in concert with its database to rapidly upload and process leads.

    Analytics leader New Relic uses automation to execute data governance at scale by tying together automated workflows with cloud services such as Intercom, Segment, and customer happiness platform Wootric. Niels Fogt, Senior Director of Growth, explains that due to GDPR, his team had previously found themselves manually searching for and removing contact information from each of these services to ensure compliance. “We built out an easy-to-use, front-end request form for our team to enter user contact info. The form connected to a series of automated workflows that would automagically scrub that user from all of our services, without having to hunt down each one by hand,” Fogt explains. “We even built in an extra automated step that sends a final email report, confirming the user’s deletion for our records. Now that we’ve automated our GDPR compliance process, we’ve been able to leave behind the painful and time-consuming busy work. Honestly, it’s a breeze, now.”


    For better or for worse, data protection regulations are here to stay and may become even more prominent. But with a smart data governance strategy and a carefully-curated vendor list that includes only partners that take data security, your company can attract new opportunities your competitors can’t. To learn more about how to use automation to securely large amounts of data, join a weekly group demo.

    Subscribe to our blog

    Privacy Policy