Viper and EU GDPR Compliance

Understanding and implementing GDPR compliance may seem like a daunting task, so we’ve assembled the following information and resources to help you wrap your head around GDPR as it pertains to your use of Viper. The good news is that the changes introduced by GDPR boil down to something fairly straightforward as far as your use of Viper is concerned. That being said, the regulation is lengthy and wordy and littered with “if’s” and “but’s,” so this post is not intended as legal advice or to offer a fully inclusive list of all GDPR requirements. If you have any questions about your own responsibilities regarding GDPR, we recommend that you consult with a legal professional.

In a Nutshell…

The GDPR provides increased rights to the persons you collect personal information on, like leads, clients, and provider contacts. You are responsible for collecting and documenting consent from persons in the EU before peppering them with sales and marketing communications. You are also responsible for handling their personal information in a sensitive manner (i.e. don’t share it or sell it or post your Viper credentials on social media sites), and you need to be ready to allow them to review and update their personal data, and even to be “forgotten” (to have their personal information deleted from your Viper instance) if they desire. Viper can be used to help you track and record consent details from your contacts, plus data can be exported at any time if a contact wishes to review the personal information you have collected on them.

The actionable items that can be implemented in your Viper instance are summarized below in the Your Viper Data and GDPR Compliance > Consent and Notice section.

From a data security perspective, Viper already makes use of standard security protocols and practices. Data to and from Viper is transferred via a secure encrypted connection and encrypted backups of your data are taken nightly. The GDPR also requires we inform Viper users (you) of any data breach within 72 hours. For the record, we have never had a data breach but we maintain strict security protocols to ensure that remains the case. You are also responsible for keeping your data secure so passwords should never be shared and all personal data should be handled in a sensitive manner.

GDPR Overview

The EU General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, replacing the EU Data Protection Directive in an effort to provide more rigorous protection of the personal data of EU residents.

If you do business in Europe, have European employees, or otherwise collect or store information from anyone living in the EU, then you will need to comply with the GDPR. If you use Viper to collect and store contact information from anyone living in the EU, that data collection and processing is subject to the GDPR. This is true regardless of what country you reside in, where your business is located, or where your contact data is stored.

When it comes to the data collected and stored in your Viper instance, GDPR compliance is a joint responsibility between you as the Viper user and VIP Event Resources (VIPER). In this post, we will summarize the requirements of the GDPR and how VIPER plans to meet its GDPR obligations. We will also list some of the obligations that Viper users have with regard to the storage and protection of personal data in Viper.

GDPR Key Points

The GDPR covers the collection, storage and processing of personal data from anyone living in the EU. Personal data is defined as any information “that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

GDPR compliance is the responsibility of both the data controller (the person or organization responsible for collecting the data) and data processor (the person or organization responsible for processing the data). With regard to Viper, the data controller is the Viper user (you) and the data processor is VIPER, along with our data storage and computing providers with which your Viper data is hosted and served.

When collecting or processing personal data, data controllers and processors must ensure that data is:

  • Collected legally and transparently, with direct consent from the data subject
  • Collected and used for a specific, legitimate purpose
  • Kept accurate and up to date
  • Stored only as long as is necessary
  • Appropriately secured, with recovery and breach notification plans in place in the event of a data breach or loss

In addition, data subjects (the persons whose data is being collected or stored) have certain specific rights with regard to their personal data:

  • Right of access – the right to access and confirm the accuracy of one’s personal data
  • Right to rectification – the right to require that a data controller correct any missing or inaccurate data
  • Right to be forgotten – the right to have all of one’s personal data permanently deleted
  • Right to restriction of processing – the right to tell a data controller that they can’t use or process one’s data while corrections are being made to it
  • Right to be informed – the right to know how one’s data is being used
  • Right to data portability – the right to request a copy of all one’s personal data in a readable format
  • Right to object – the right to opt out of or object to any unauthorized use of personal data, such as for marketing purposes
  • Right to object to automated processing – the right to object to an automated decision that is made using one’s personal data

Your Viper Data and GDPR Compliance

As mentioned above, GDPR compliance is a joint responsibility between the party collecting the data (you, the Viper user) and the party storing and processing the data (VIPER). By May 25th, we plan to be fully compliant when it comes to our duties as a data processor, and also to make it as easy as possible for you to be compliant as a data controller. Below is a summary of the ways in which VIPER is addressing its GDPR obligations, along with some of the features you can use and steps you can take to help ensure that you are GDPR compliant with respect to collecting and storing data in Viper. This list is not intended to be a comprehensive checklist of all obligations and we therefore recommend that you seek the advice of a qualified professional to ensure that you are meeting all requirements of the GDPR.

Consent and Notice

Marketing, Sales and CRM

The GDPR requires that contacts must have opted in to receive sales and marketing communications from you before you can contact them for sales or marketing purposes. For contacts that do opt in, you should document how you collected the consent and which communication channels they are opted into. For instance, a client can opt in to receive sales and marketing emails but not phone calls. You cannot assume contacts are opted in by default until they opt out.

To track contact consent, we suggest using your Marketing Campaign app if you use one. Marketing Campaign apps typically offer semi-automated features to help you track consent and almost always include ways for clients to opt in or out of newsletters, phone calls, future correspondence and more, oftentimes directly through your website and marketing emails. If you do not use some kind of Marketing Campaign tool (and do not plan to start using one in the near future), we suggest adding fields to your Viper CRM to track consent details. By default, the Contacts module in CRM allows you to track “Email Opt Out” and “Do Not Call” preferences for any given contact, which reflect the old way of thinking that contacts are assumed to be opted in unless otherwise indicated. We suggest adding new fields for “Email Opt In”, “Phone Call Opt In”, and any other channels you may want to collect consent for, then hiding or archiving the existing fields for “Email Opt Out” and “Do Not Call”. We also suggest adding a “Consent Details” text area to document when and how you collected consent from the contact. Note that if you are using a dedicated email marketing campaign tool, contact consent may be better gathered and recorded there. If you would like help configuring your CRM fields to track contact consent, please contact us at support@vipeventresources.com.

Client Site

When clients view your proposals through your Viper Client Site, you may wish to update your Client Message that shows on the landing page of your Viper Client Site to include Privacy Policy details about how their personal data is being used and stored by you, the controller, and how they can make a request to access, change or delete that data. You may also wish to notify the visitor that their visit activity is tracked as they navigate the Client Site. Note that no Personal Data is collected by the Client Site Analytics, nor is the information used for any other purpose than to help you better serve your clients, so you may not be obligated to inform your users of the visit activity tracking. The default Client Message can be modified in the Admin Site under Offices & Employees > [Select Office] > General Settings. If you would like help configuring your Client Message, please contact us at support@vipeventresources.com.

Data Use, Storage and Deletion

Viper stores and processes personal data only as necessary in the course of providing service to its users (you). Data is never sold or transferred to any non-agent third party, unless required by law. Data is maintained as long as your Viper subscription is active unless a Viper user deletes the data or requests that it be deleted. All data is permanently deleted 60 days after a Viper subscription is terminated, or earlier if requested by a Viper Administrator user in writing.

Viper users are responsible for responding to and managing deletion or “right to be forgotten” requests from their contacts. Viper users can delete all information for a contact at any time by deleting that contact and associated information. Viper users are responsible for monitoring and deleting any Viper data that is exported to any system or storage device outside of Viper. In some cases, when data is deleted by a Viper user, it is only flagged as deleted, which hides it from view but does not actually delete the data permanently. If a contact has requested that their personal data be deleted, please submit a request to the Viper Support Team at support@vipeventresources.com to ensure the data is deleted permanently.

Data Access and Accuracy

Viper Administrator users are responsible for the accuracy of the data in their Viper instance. If a contact requests to review their personal data for accuracy, a Viper Administrator user can export the contact’s personal details or submit a request that the data be exported by the Viper Support Team. If a contact requests that data be updated or deleted, the Viper user can either edit the contact’s details directly in their Viper instance or delete the data (as noted above).

Data Portability

Your contacts have the right to request their data be exported from Viper and be provided to them in a portable format that is usable in other systems. Should a contact request their data from you, a Viper Administrator user can export and provide that data at any time, as noted above. Contact the Viper Support Team if you need help exporting any personal data requested by a contact.

Data Security

VIPER maintains strict controls over its customers’ data to ensure the highest levels of security. VIPER instances are cloud-hosted on Microsoft Azure and Amazon AWS infrastructure, which offers best-in-class data security and compliance routines, along with being GDPR-ready. Data is encrypted in transit, and backup files are encrypted. VIPER management reviews and updates security policies regularly to ensure that all staff are trained on and using appropriate controls when it comes to handling customer data.

Disaster Recovery and Breach Notification

Viper hosted data is backed up nightly and VIPER has failover plans in place in the event of any hosting infrastructure failure or outage. In the event of any data breach or system outage, Viper shall immediately notify all affected customers. GDPR requires that any data breaches be reported to affected customers within 72 hours. This means that if you discover a breach of your Viper data (for instance, by one of your users mishandling contact personal information), you need to notify affected contacts within 72 hours.

Your Additional Responsibilities

If you are using Viper to collect or store any data from EU residents, we highly recommend becoming familiar with all the requirements of GDPR. At a minimum, you will want to take into account the rights of the data subject that we’ve listed above when importing users and exporting data to your computer or other storage devices or applications. Remember, this post is not intended as legal advice, so we highly recommend that you seek the advice of a qualified professional in order to ensure that you are meeting all requirements of the GDPR.

Questions?

Please contact us at support@vipeventresources.com if you have any general questions on GDPR as it relates to VIPER.