General Data Protection Regulation (GDPR)
What is GDPR?
Does the GDPR apply to me?
The scope of the GDPR extends to any business (both EU and non-EU) that markets to people in the EU or tracks the behavior of people in the EU. It doesn’t matter where you’re located, it only matters if you control or process data of EU citizens.
Hubspot has put together a helpful checklist to assess if you’re ready for the GDPR.
Disclaimer: This website is neither a magnum opus on EU data privacy, nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Referral Rock has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.
|GDPR Rule||What it means||How to be compliant with Referral Rock|
|Right to be forgotten / Deletion||Individuals have the right to have ALL of their data be deleted. GDPR requires the permanent removal of an individual’s data from your systems and database |
In many cases, you’ll need to respond to their request within 30 days.
|All Member and Referral data can easily be deleted by an Admin user from your Referral Rock Admin interface.|
|Right to data portability / Right to Access||Allows individuals/data subjects to demand a copy of their data in a common format |
The timescale for processing an access request will also drop to a 30 day period.
|All Member and Referral data can be exported via a CSV file.|
|Modification||Allows individuals/data subjects to demand that you modify their personal if it’s inaccurate or incomplete.||All Member and Referral personal data can be edited and changed through the Admin portal on their profile record|
|Lawful basis of processing||You need to have a legal reason to use an individual’s personal data. That reason could be consent (they opted in) with notice (they know what they’re opting in for), performance of a contract, or purposes of “legitimate interests”(e.g. They joined the referral program, and you want to send them information related to the referral program).||All Members and Referrals in Referral Rock should fall under the “legitimate interest” or “consent” lawful basis of processing depending on your registration process because they have joined your referral program. |
All Referral Rock related emails should be related to your referral program and not an unrelated issue.
We recommend that you track the lawful basis of processing in your system of record (i.e. CRM, Email Marketing, Ecommerce, etc.). Use our various integration tools to update your system of record.
|Consent||One type of lawful basis of processing is consent with proper notice. |
The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous.”
In order for an individual to give consent, you must meet a few criteria:
|This is only applicable for Referral Rock if you are using our Referral Form to collect new lead/referral information and want to run other promotional marketing campaigns. If this is the case, then use one of the custom dropdown fields on the Referral Form to have individual opt-in for other marketing campaigns (this gives you consent to market to them in other ways). Be clear on how you will market to them.|
|Withdrawal of consent (or opt out)||Individuals need to see what they’ve signed up for and withdraw their consent (or other lawful basis of processing). This needs to be as easy to withdraw as to give.||In Referral Rock, a member can manage their emails preferenance and unsubscribe from any emails they no longer wish to receive. They’ll be added to a block list and will no longer receive any future emails from Referral Rock. |
Through Zapier and our API they can also unsubscribe from everything. For example, if they they unsubscribe from your Newsletter, you can unsubscribe them from any Referral Rock emails.
|Cookies||An individual needs to be given notice that you're using cookies to track them. This needs to be in clear, simple language that they can understand. If you’re using tracking cookies, they need to give consent to being tracked. |
Any cookie that is capable of identifying an individual, or treating them as unique without explicitly identifying them means your business is processing personal data.
|Referral Rock’s referral cookie doesn’t store any unique or identifiable information. It’s not used for any third party usage. As such, our cookie doesn’t apply to the GDPR rule. |
The referral cookie is solely used for making sure the member gets attribution for the specific referral action. The specific referral action are only set by you, the client, and are not used by any third parties.
If you still don't want Referral cookies to be set, you can immediately delete them by setting the cookie length to 0 days.
UPDATE: On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
|The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.||Referral Rock is EU-U.S. Privacy Shield Certified |
UPDATE: Referral Rock is actively investigating alternative options to adhere to the Privacy Shield obligations and analyzing the implications of the July 16th decision. We will continue to engage relevant authorities as the situation continues to develop.
|Data Protection Agreement||The GDPR imposes many obligations on companies wanting to collect and use personal data about their clients. One of the most important obligations is having a DPA with every entity that has access to this data.||Review Referral Rock's Data Processing Agreement|
Be careful of these GDPR features
Given the stricter regulations of GDPR, there are a few features in Referral Rock you shouldn't use, or should at least be careful when using. Here they are:
Don't use these features, as they are a direct violation of GDPR.
Member Email Form: Allows your Members to send emails directly from their Member Dashboard. This is a violation of GDPR because those emails are coming from your email domain, and not coming from the Member's email domain.
Solution: Turn this feature off on your Member Dashboard and have Members only send emails through their own email account (e.g., Gmail, Outlook). These emails will still be templated and pre-drafted, but will come directly from the Member's email account.
Be careful when using
Be careful when using these features. They do not violate GDPR directly, but could if you don't use them properly. Make sure you understand the entire workflow of how these features fit with GDPR.
Direct Referral Add: Allows your Members to directly add a Referral's information from their Member Dashboard. This isn't a violation of GDPR, but you need to be careful to not email the member once their information is collected as you don't have permission to contact them.
Solution: If you are using the Direct Referral Add, it's a best practice to call the Referral directly instead of sending them an email. If you are going to email the Referral, then be sure to check the source so you know how the Referral was added.
Importer: Allows you to import Members (and Referrals) directly into your account. Be careful when using this feature and make sure you only import people who have already given you permission to email them. It's a violation of our Terms and Conditions to email without their consent or as part of a lawful basis of processing.
Solution: Always make sure you have consent or another lawful basis of processing to email people.
Referral Invite Email: An automatic email you send inviting any new Referrals to join your referral program as Members. If you got proper consent when they first contacted you, then this shouldn't be a problem. But you need to be careful and make sure you have a lawful basis of processing before automatically emailing them.
Solution: This one's a little tricky as some people could give consent while others don't. As a general rule, we recommend turning this feature off and instead promoting the referral program through your other marketing channels.
How to think of GDPR, as it relates to Referral Marketing
While GDPR makes marketing harder in the short-term, it’s another step in the right direction and is focused on making your customers happier and more protected. Compliance is stressful and requires a lot of work, but the long-term benefits are a better experience for your customers, which is what we all want.
GDPR is just another reason why we think referral and word-of-mouth marketing will become an increasingly more important marketing channel. The days of outbound marketing and sales, cold calling/emailing, intrusive tracking are coming to an end. Inbound and relationship marketing are the future and referral marketing is a key piece.