GDPR and bucket.io - We're Here To Help!

All businesses, big or small, have likely heard about the EU’s new regulation, the General Data Protection Regulation (GDPR). It’s a new group of laws aimed at enhancing protection for EU citizens’ personal data, and increasing the responsibility of organizations to deal with that data in a secure and transparent manner. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens.  So for a typical bucket.io customer, this likely impacts you and your lists.

At bucket.io, we have been hard at work ensuring that our systems and practices are GDPR-compliant. But it is equally important to us that we help you, our customers, understand the GDPR, and how it impacts your own processes.

The first big piece of that is ensuring that the bucket.io platform sets you up for GDPR compliance. To be clear, while the product can be used in a way that helps to comply with the GDPR, doing so still requires a thoughtful and planned approach by you, to ensure you meet requirements outside the bucket.io environment.


DISCLAIMER: This article is not a comprehensive explanation on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides contextual information to help you better understand how bucket.io has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. So to be clear, you may not rely on this paper as legal advice, nor as a recommendation of how to interpret legal needs as relates to these laws.  The products, services, and other capabilities described herein do not fit all possible scenarios.
 

What Is GDPR?

GDPR Explained...

To make things simple, let's imagine a typical scenario where GDPR is involved. 

For our scenario, Bob is a contact in your list(s) and an EU citizen. He's called the "data subject."

Your company (the ABC Corp.) is called the "controller" of that data.

If you're a bucket.io customer, then bucket.io acts as the "processor" of Bob’s data on behalf of ABC Corp.

With the introduction of the GDPR, data subjects like Bob are given an increased set of rights, while controllers and processors like ABC Corp and bucket.io have an enhanced set of regulations.
 

Your Responsibilities – “Lawful Basis”

According to the GDPR, you need to have a legal reason to use Bob’s data. That reason could be:

Consent (he opted in) with notice (you told him what he was opting into)
Performance of a contract (e.g. he’s a customer and you want to send a bill)
“Legitimate interest” (e.g. he’s a customer, and you want to send him products related to what he currently has).

You need the ability to track that reason (also known as “lawful basis”) for a given contact.

For the purposes of bucket.io involvement, we address only the “Consent with Notice” portion of this, while your Email Service Provider would carry all three responsibilities.
 

Product Roadmap

Below, find a detailed list of the features we’re building to help you be compliant. A quick note on timelines:

Our planned timeline is to have every feature on this list completed by May 25, 2018.  To meet this deadline, some of these features will be created in a minimalist way, but will meet the requirements needed.  We will continue to tweak and/or enhance these features going forward, to further enhance their ease of use.

 
Consent

In order for Bob to grant consent under the GDPR, a few things need to happen:

• He needs to be told what he’s opting into. That’s called “notice.” 

• He needs to affirmatively opt in (pre-checked checkboxes are not valid). His filling out a form alone cannot implicitly opt him into everything you plan to send.

• Consent needs to be granular, meaning it needs to cover the various ways you process and use Bob’s personal data (e.g. marketing email or sales calls).  Please note that to be safe you should check with legal counsel as to how to confirm data usage to create FB Pixel look-alike audiences.

You must log auditable evidence of what Bob consented to, what he was told (notice), and when he consented.

In bucket.io, we're adding Opt-in checkboxes with customizable text, which will include a date/time stamp to make collecting, tracking, and managing consent in a GDPR-compliant way as straightforward as possible.


In your opt-in, you’ll be able to provide granular notice to Bob before he provides information to you as well as collect the appropriate consent when he’s ready to grant it.

Once Bob submits his information, we will store a copy of the opt-in text notice that Bob was provided, information about which consent he provided, and the timestamp of the interaction.

Withdrawal of consent (or opt out)

Bob needs the ability (as data subject) to see what he’s signed up for, and withdraw his consent (or object to how you’re processing his data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.

This is done via your Email Service Provider, or via other means that are outside the area of bucket.io. bucket.io currently handles only the opt-in portion of the process. As bucket.io provides no direct means of communicating or using this data, this opt-out functionality is not currently implemented in bucket.io.
 
Cookies

Bob needs to be given notice that you're using cookies to track him (in simple language) and needs to consent to being tracked by cookies.

As bucket.io does not provide direct cookie tracking, this messaging is your responsibility to provide on any websites you present to Bob.
 
Deletion

Bob has the right to request that you delete all the personal data you have about him. The GDPR requires the permanent removal of Bob’s contact from your database, including email tracking history, call records, form submissions and more.

You’ll need to respond to Bob’s request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply. For instance, someone who is actively using your service cannot request full deletion, or you could not effectively bill them.

To delete records within bucket.io, you simply have to delete them from within the funnels they have participated in.
 
Access / Portability

Not only can Bob request that you delete his data, he can request access to the personal data you have about him. Personal data is anything identifiable, like a name and email address. If he requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

Bob can also request to see and verify the lawfulness of processing.

Bucket.io enables you to fulfill any access/portability request by exporting details from a funnel, and then filtering the export down to only Bob’s data. Note that if you are passing 100% of data into an Email Service Provider, that should fulfill all obligations in this regard.
 
Modification

Just as he can request to delete or access his data, Bob can ask your company to modify his personal data if it’s inaccurate or incomplete. If and when he does, you need to be able to accommodate that modification request.

In rare cases like this, you can currently make this request of bucket.io support. 
 
 
Security Measures

The GDPR requires data protection safeguards.

As part of bucket.io’s approach to the GDPR, we’re enhancing all facets of our security controls.

In addition to industry-standard practices around encryption, bucket.io's infrastructure team is also improving our systems for auditing to better protect our customers' data.



We will provide additional details on these security measures as they are implemented.