DATA PRIVACY WITH DeltaGen

GDPR Compliance

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. It was drafted and passed by the European Union (EU) and imposes obligations on organizations anywhere that target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR levies fines against those who violate its privacy and security standards. You can learn more about the regulatory framework here:

DeltaGen's GDPR Compliance

DeltaGen is proactive about GDPR compliance both as a controller and a processor (when processing personal data on behalf of our clients).

Highlights of our compliance efforts include:

Lawful Basis

DeltaGen does not store or process personal data without the consent of the data subject and/or the written consent of our clients in accordance with legitimate interest allowances. For more details, please review our privacy policy.

Information Security

DeltaGen is ISO 27001 compliant and maintains industry-best technical and organizational security measures that ensure the safeguarding of personal data against accidental or unlawful access, modification, and destruction. For more details, visit our trust center.

Rectification & Erasure

DeltaGen honors the fundamental rights of data subjects, including data rectification and erasure (the right to be forgotten). DeltaGen promptly honors data subject and/or client requests to modify or erase personal data. Individuals and organizations can request erasure or rectification at any time using this request form.

GDPR Terms to Know

Personal Data

Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.

Data Processing

Any action performed on personal data, whether automated or manual, such as collecting, recording, storing, organizing, erasing, etc.

Data Subject

The person whose data is processed.

Data Controller

The entity that decides why and how personal data will be processed.

Data Processor

A third party that processes personal data on behalf of a data controller.

Frequently Asked Questions

Win-Loss analysis and the GDPR

Q

Does the GDPR govern how organizations conduct win-loss analysis?

A

Yes. Organizations that want to conduct win-loss analysis, particularly those with prospects and customers in the EU, must abide by the GDPR. The GDPR imposes restrictions on how data controllers may legally contact and interact with their data subjects (i.e., prospects/customers) as they carry out win-loss analysis.

Q

Is “consent” required before contacting a data subject for win-loss feedback?

A

The GDPR generally prohibits data controllers from contacting data subjects, or processing their personal data in any way, without prior consent. This is especially true for direct marketing use cases (i.e., marketing your products or services to them).

However, the GDPR has allowances for certain processing activities like win-loss analysis. These exceptions are permitted under “legitimate interest allowances” that overcome the requirement for prior consent. As a result, organizations can legally contact data subjects to solicit win-loss feedback without their prior consent to do so. Learn more below.

Q

What are “legitimate interest allowances” and how do they apply to win-loss analysis?

A

The term “legitimate interest allowances” refers to circumstances wherein a controller may legally process personal data of a data subject without their explicit prior consent to do so.

To qualify, the processing activity in question must pass a three-part test:

  • Purpose Test: Does the processing serve a legitimate, non-trivial business interest?

  • Necessity Test: Is the processing necessary to serve the purpose? Have less intrusive alternatives been considered and deemed insufficient to serve the purpose?

  • Balance Test: Does the processing pose any risk or harm to the data subject? Does the purpose being served justify the risk posed to the data subject?

The UK Information Commissioner provides helpful guidelines for conducting a legitimate interest assessment here.

With regard to win-loss analysis, legitimate interest allowances are widely considered an adequate basis for processing because (a) the data subject previously consented to data processing by the controller during their sales evaluation, (b) soliciting the prospect’s feedback at the end of the sales process is a reasonable, non-harmful use case that only involves business-related data, and (c) the processing serves a non-trivial business purpose for the controller.

Thus, there is widespread consensus that win-loss analysis passes the three-part test, and that organizations may contact prospects/customers for win-loss feedback without their prior consent.

Q

What is a processor and can we use a processor (like DeltaGen) to conduct win-loss analysis?

A

When organizations (“controllers”) process data about their prospects or customers (“data subjects”), they often need the help of third-party products or services to do so. The third-party entities that provide these products or services are referred to as “processors”.

Consider this simple example. A bank wants to send account notices to its customers via email. To do so, the bank uses a third-party software solution to design and send the emails. Under the GDPR, the bank is the “controller” and the software vendor is the “processor.” The GDPR allows controllers (bank) to utilize the processor (software vendor) without the permission of their data subjects. However, the bank must ensure that personal data is safeguarded by the processor, and that the data is only used to fulfill the controller’s lawful processing activities.

With regard to win-loss analysis, most organizations do not have in-house tools and resources to capture and analyze win-loss feedback. Thus, most organizations enlist the help of a processor like DeltaGen to carry out win-loss analysis. Like the bank example above, this is allowable under the GDPR so long as certain safeguards and contractual agreements are in place between the controller and DeltaGen.

Q

Can we legally send our win-loss invitation messages using the DeltaGen platform?

A

Yes. As discussed above, many organizations utilize vendors like DeltaGen to conduct win-loss analysis. When doing so, DeltaGen acts in the capacity of a “processor” as permitted under the GDPR. As a processor, DeltaGen may be utilized for any or all of the relevant processing activities such as:

  • Filtering customer/prospect data to determine which data subjects should be contacted for win-loss feedback,

  • Contacting data subjects to request win-loss feedback,

  • Collecting their win-loss feedback through surveys or interviews,

  • Interpreting and analyzing the data collected.

Furthermore, there is a common misconception that sending win-loss invitation emails through your existing email marketing system might somehow be preferable under the GDPR. However, the GDPR is agnostic with regard to which processor an organization uses for any given processing activity. The GDPR is only concerned that a lawful basis and proper controls have been established. Thus, using DeltaGen for win-loss invitation emails is legally equivalent to using your email marketing system, but offers more purpose-built functionality to support the niche use case.

Q

As a processor, does DeltaGen do anything proactive to support its clients with GDPR compliance?

A

Yes, DeltaGen proactively supports clients with their GDPR-compliance efforts in various ways.

First, DeltaGen helps clients implement a Data Processing Agreement (with Standard Contractual Clauses) as part of our contract process to ensure the legal relationship between controller and processor is properly established, with DeltaGen bearing contractual responsibility to safeguard personal data and process it legally.

Second, the DeltaGen Platform is built in a way that supports essential data processing controls such as data rectification, erasure, and opt-out management.

Third, DeltaGen is audited annually for ISO 27001 and SOC 2 Type II compliance, ensuring that personal data is safeguarded in accordance with industry best practices. As a result, clients can legally and confidently rely on DeltaGen to process personal data on their behalf.