Blog | 3 Things to Consider When Looking for a GDPR-Compliant Vendor
GDPR Compliance: Your Vendor Selection Matters
GDPR compliance was the hot topic leading up to the May 25th enforcement date. We explained why the GDPR matters and what you need to do to be compliant. Now that has past, and organizations have (hopefully) caught their breath—what do businesses need to consider going forward?
In many ways, the GDPR is leading the way to new data privacy laws. And by default, a new way of doing business.
The fifth largest economy in the world at $2.7 trillion dollars and home of Silicon Valley, California’s economy, businesses and consumers are intrinsically linked to data and data privacy. Shortly after the GDPR enforcement date, California passed its new privacy law noted as “the toughest in the United States.” The new California Consumer Privacy Act will require companies to identify personal data, delete data on request, increase disclosure and improve transparency in data collection and usage, among others factors. It also applies to all companies that “do business” with California, not requiring a physical presence in the state (akin to the GDPR and the European Union). Sharing many similarities with GDPR, the new regulation aims to increase transparency and control over personal data.
Canada is also looking at its data privacy regulations. The Standing Committee on Access to Information, Privacy and Ethics recently published a report recommending Canadian data protection laws be revised to include similar facets as the GDPR regulation. Others in the conversation are pushing for an independent audit function as well.
It’s apparent—a new modus operandi is evolving for organizations globally. Socially conscious investing, the rise of ESG factors, pushes for gender equality, subsisting actions from #MeToo, and Blackrock’s cry for a new governance model point to the cusp of change. Data, business, society and more.
“BlackRock – which manages more than $6 trillion in assets – believes social purpose is no longer simply a nice-to-have item on the agenda, but instead constitutes a fundamental element of future-proofing a business.”
When it comes to data and data privacy, how can leaders “future-proof” their business? As with GDPR and similar data privacy regulations, it’s not just internal policy and practice that’s viewed under the magnifying glass. It’s also who you do business with. Let’s explore three characteristics you should look for when shopping for GDPR-compliant SaaS vendors.
Characteristic #1: Clear and Proactive Preparation
The GDPR represents Europe’s first change to its privacy laws since 1995. After years of negotiations, the bill—which went into effect May 25, 2018—was ratified by the European Parliament in April 2016.
Despite the two-year grace period, most companies were caught flatfooted. 60% of European companies and 94% of North American companies weren’t fully prepared for the GDPR. Technology giants like Facebook and Google continue to wrestle with EU regulators while other companies are taking the precautious approach, limiting EU access to their sites and services.
An important measure in GDPR is due diligence on the part of the organization. As noted in our early blog on GDPR compliance, “Article 28 of the GDPR stipulates that organizations are responsible for diligently selecting service providers, utilizing only those that provide sufficient guarantees to meeting the GDPR requirements and ensuring the protection of the rights of the data subject.”
To ensure GDPR compliance, organizations need to scrutinize their partners and vendors. One of the GDPR’s requirements is “privacy by design.” That is, systems should be built with privacy top of mind instead of adding it after the fact. It’s hard to imagine companies meeting this requirement unless they’ve been zeroed in on the GDPR for some time. Best-in-class cloud software providers have been preparing for the GDPR for several years.
Questback, for example, has been focused on the GDPR since February 2015. The company’s data centers, located in Germany, already meet the highest security requirements in Europe. To take security further, Questback is in the process of implementing Binding Corporate Rules.
To comply with the GDPR, Questback’s software offers privacy by design and by default, making it easy for companies to comply with the right to be forgotten and their customer’s potential desire for data portability. Aiding our thousands of customers in their transition to GDPR compliance, Questback’s Privacy Assistant enables customers to collect valid consent from respondents and provide legally required notifications easily and conveniently.
By partnering with compliant and forward-thinking solution providers, your organization can not only ensure compliance but also reduce risk and gain a few steps on your slower-moving competitors.
Characteristic #2: Control Over the Data
Under the GDPR, individuals are given more control over their data. For example, the GDPR introduces the “right to be forgotten.” Companies must delete personal data upon request—or when it’s no longer relevant.
Establishing this level of control and data erasure ability can be difficult. Regarding the right to be forgotten, Forbes notes, “This means that all that data must be removed from every system within the organization. Unless all their databases are integrated, this could get tricky.” Finding the requested personal data is often the first hurdle organizations must overcome to be compliant; deleting all instances of it is the second. Either way, considering the massive amount of personal data most business collect on a routine basis, getting to and maintaining compliance with the facet can be monstrous. And like the first characteristic, it is increasingly difficult to retrofit systems to accomplish this.
Questback, for example, flags personal data within our feedback platform so our customers can easily identify the data that falls under GDPR (and other new regulations). It has the ability to seamlessly report on and delete relevant data upon request.
In order to be positioned to adhere to these requirements, the vendors you partner with need to have an accurate and sustainable plan to control data. The onus is on organizations to ensure, for example, data is erased appropriately when requested.
Characteristic #3: Organization of Trust
Compliance for compliance’s sake doesn’t cut it. Despite Facebook’s steps in being GDPR compliant, the data giant is on the receiving end of “…a privacy wake-up call that the markets are delivering.” Since the enforcement date, Facebook reported a decline of 3 million users in the EU, hurting revenues among others elements of the business.
The GDPR is all about keeping personal data secure. It’s about protecting individuals and giving the control back to them when it comes to their personal data. Being compliant to the GDPR should be a step towards rebuilding the trust between organizations and individuals.
As such, in selecting a GDPR-compliant partner, take into account the organizational culture and its stance on data privacy with its stakeholders. Data privacy and GDPR compliance should be a part of the organization’s culture just as customer service or innovative technology. Moreover, if data privacy is not deeply ingrained within the organization, you run the risk of a breach or issue down the road. Individuals and organizations prioritize what they value.
For example, Questback’s feedback platform is GDPR-ready. But so are we as a company! It’s one thing for a company to develop a plan to adhere to the GDPR. It’s quite another to have a team of informed and prepared employees ready to deliver.
Throughout 2017, Questback provided comprehensive GDPR training and support to all its employees. You can rest comfortably knowing that our team has access to ongoing training support to help ensure GDPR compliance for our customers. And we went further. Questback has also had training, webinars and various articles and infographics to help our customers and the market in their GDPR efforts.
When searching for GDPR-compliant software vendors, it’s important to consider the organization’s culture, commitment to data privacy and level of trust. The last thing you want is to rely on folks who aren’t up-to-speed or just want to check the GDPR compliance box.
Simply put, companies that don’t take security seriously will have a very hard time trying to comply with the GDPR.
Partnering with a Trusted Ally
When it comes to your customer, employee or market insight, Questback is the safe choice. Our customers can use our products with the peace of mind that comes with knowing the feedback data they’re collecting and the way it’s stored and processed are GDPR-compliant. It’s that simple.
- Unleash the full power of insight. Gaining leading-edge and innovative data is easy with Questback. Working with thousands of customers around the world, we have a range of solutions to cover every step of your journey from the traditional surveys to continuous listening. Unleash the full power of insight with a partner that can support you throughout your feedback journey.
- Industry-leading data privacy and security. It all starts with data. And GDPR drastically alters how your organization handles that data. With Questback, get the peace of mind knowing we are not only GDPR compliant as a company, we’ve invested in our solutions to enable you to get the insight you need. Society demands more from companies when it comes to data, we’ve listened.
- The Questback difference. A powerful platform supported by empowered people. As your needs change, rest assured that our robust platform delivers a comprehensive insight journey. Questback’s technology handles it all—with ease. We have the tech. But we also have the people with the expertise to help you achieve and excel. Get the software, services and human support you need to manage customer, employee and market feedback—all in one place.
It’s not just surveys, it’s getting the insight you need to transform your business. Learn how we can help you unleash the full potential of insight.