Below is a brief rundown of our understanding of the General Data Protection Regulations (GDPR) and where SmarterTools' products, and you as users of our products, fall within the GDPR. It goes without saying that this is not a legal breakdown of GDPR, it does not constitute legal advice, nor is it a comprehensive review of what you need to do to ensure your business fully conforms to GDPR. You should familiarize yourself with GDPR to ensure you’re doing your part to conform across your entire organization.
What Is It?
Essentially, the GDPR is a set of European Union regulations that aim to "standardize and strengthen data protection policies for residents of EU member nations." As such, it outlines a data protection framework that public and private entities should follow to allow for the protection of personal data as well as penalties for organizations, either public or private, who run afoul of that framework or who put personal data at unnecessary risk. In addition, any public or private entity that handles any information of any citizen of an EU Member State is subject to this framework, even if the entity is outside of the EU. Basically, if you have customers or users in the EU, you’re under the auspices of GDPR.
Processors Versus Controllers
The GDPR outlines two (2) types of data collection entities: processors and controllers.
A Data Controller is an entity that determines the "purpose and means of the processing personal data". A Data Processor is an entity that "processes personal data on behalf of the controller." Generally speaking, GDPR treats data controllers as the principal party for collecting consent, managing consent-revoking, enabling right to access personal data and other responsibilities.
For example, if you're a service company that uses SmarterTrack for handling support tickets, SmarterTools -- via SmarterTrack -- is the data processor as you're using that product for processing the ticket(s) you receive. You are the controller as you're dictating what information is gathered from the person submitting the ticket: you set how the ticket is submitted (via email or only via the portal), you dictate the information required for the ticket (using custom fields, default ticket templates, etc.) and then you dictate how that communication is handled (either solely via the portal/within SmarterTrack or via email.)
Where SmarterTools Fits In
In many use cases, SmarterTools' products act in the "processor" role with regards to GDPR. In turn, many licensees of SmarterTools products act in the role of Controller as they are dictating how the product is used. This is especially true with SmarterTrack as people who use SmarterTrack for their help desk dictate the types of information that is required for things like user accounts, ticket and live chat submission, etc. In some instances, licensees also act in the role of Processor, especially in cases where SmarterMail, SmarterTrack or SmarterStats are offered as standalone products or even complements to other services.
A Quick Note About SmarterStats
With regards to SmarterStats, it acts as a data Processor because it only presents data from a web server's log files, and system administrators have the ability to dictate the information that a web server collects. In addition, it may be possible that SmarterStats doesn't necessitate a potential issue with regards to personal data and *may* not be at issue with regards to GDPR. Recital 30 of the GDPR states:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
However, SmarterStats doesn't give you any additional information to make that association between a user's IP address and any other identifiable marker that would allow someone to "create profiles" of natural persons for the purpose of identifying them. There's nothing in SmarterStats to combine an IP address to any other unique identifier. That said, it IS possible that there is additional information within a web server's logs that would make this association possible, even though that associate cannot be made from the reports presented by SmarterStats.
Key Concepts and Data Rights
Consent is just that: when a user acknowledges your collection of personal data and gives their approval for that collection and potential use. This covers everything from creating an account in a shopping cart to allowing the use and storage of cookies. Consent must be freely given, unambiguous about the information collected and how it’s used, and provide a clear affirmative action for approval.
This is one of the more confusing aspects of GDPR as it is somewhat open for interpretation. For most users of SmarterTools’ products, “legitimate interest” is simply the day-to-day communication between colleagues, b2b users and more. You CAN email someone who has not explicitly granted their consent to you. You CAN direct market to someone. (Within reason.) You CAN reply to a ticket that someone sends in to your organization. You CAN email each other internally. Recital 47 states, in part:
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
That said, protections must be in place for opting-out of direct marketing campaigns, etc. Plus, with regards to direct marketing, Consent comes into play. However, it’s understood that general day-to-day operation of a business, especially when that business is conducted through email (or via ticket submission) and outside of things like direct marketing, is allowed as a “legitimate interest”.
Under the GDPR, owners of personal data -- those for whom data may be collected -- have certain rights. These rights are worded differently in the GDPR itself, but most experts break them down pretty simply.
In addition, in some instances we’ll look at SmarterTools’ products alone with regards to a certain Right. This does not take into consideration any integrations in place for control panels, accounting systems, shopping carts, etc. that may be tied into SmarterMail or even SmarterTrack. Each of those must be accounted for as well by the Data Controller.
Finally, each right DOES have some restrictions and / or limitations for the data controller. These are not addressed, but you should understand your rights as a data controller and processor in each circumstance.
Right to information
Basically, a user (or their legal representative) has the right to ask you for the exact information that’s collected about them, why that information is being collected and how that information is being used. For example, they have the right to know if any data is shared about them, what that information is, why it’s being collected, to whom that information is shared with and how that information is being used by you as well as any third-party you’ve shared the information with. This Right complements:
Right to access
Right to rectification
Put simply, a user has the ability to have their information corrected, especially if the user feels that data is inaccurate. Generally, a user of SmarterMail has the ability to update their account information on their own or they can request a domain administrator to update it. In SmarterTrack, Portal users can update their own information or they can put in a request to have their account info updated by an agent, manager or system administrator.
Right to erasure / to be forgotten
Basically, a user has the right to have personal data erased without “undue delay.” This can happen based on a user’s request or by their withdrawing consent, when the data is no longer necessary in relation to the purpose for which it was collected, where a user objects to direct marketing and other grounds.
Both SmarterMail and SmarterTrack offer the ability to deep search for user data and delete it. This can happen with email and live chats, tickets, instant messages and more. In addition, with regards to SmarterTrack, when used on-premise, users have the ability to access the database directly and use queries to further search for, and delete, information.
Right for data portability
Essentially, a user has the right to get their data in a format that makes it easier for the user to use that information in another context, or to transmit that data to another controller.
For SmarterMail, as it supports multiple protocols, user data can easily be imported into other products or used with other services via migration wizards provided by those providers and/or services. This includes IMAP or POP migration, etc. All calendar items can be exported as can all contacts. Emails are stored as standard .GRP files.
For SmarterTrack, this is a bit more complex. That’s because SmarterTrack uses a SQL database and custom tables and relationships for the storage and retrieval of data. That said, SQL commands can be used to export this data and most major help desk applications allow for the importing and/or transition of data stored in this standard format.
Right to object
A user has the right to object to processing on grounds relating to a particular situation, in relation to direct marketing, etc. Generally the user must provide the specific data they object to and the reasoning for the objective. In SmarterMail, user accounts can be disabled as opposed to being deleted: disabling an account leaves it in place, but you can prevent that account from being accessed, from receiving or sending email, etc. In addition, if a user is subscribed to a mailing list, those users can be easily unsubscribed by the owner of the list. SmarterTrack is a little more complicated as users cannot be disabled. (Agents, however, can be.) However, there are ways to deactivate a user for a period of time.
Right to restriction / restrict processing
This is different than the Right to erasure in that the user simply has the right to limit the purposes for which processing of data can occur.
Rights related to automated processing
A user has the right to not be evaluated in any material sense solely based on the automated processing of their data. SmarterTools does not offer any evaluation of users based on this process.
A Note About Encryption
Contrary to some of the fear, uncertainty and doubt out there surrounding GDPR, encryption of data is NOT required. The GDPR guidelines mention it as a way to protect personal data, and it certainly can be part of that process. However, discussions regarding encryption in the GDPR itself are couched with phrases such as "...appropriate safeguards, which may include encryption... " and "..including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data." As such, within the GDPR guidelines, encryption is certainly encouraged, but it's not mandatory. It is simply one part of the process of securing data.
Inform and Update
One key thing you can do when approaching GDPR is make sure you're open and honest with your users about where you stand with its implementation and what you're doing to follow the guidelines. This is simply in general, and not necessarily tied to any SmarterTools product. Our products fill a need for you, as a licensee. However, there are probably many other systems you use for your day-to-day operation that will need to be taken into consideration when adjusting your policies for GDPR. For example:
- Create articles for users on how to request their information, how to request the removal of their information, etc. Do what you can to clear up any fear, uncertainty and doubt.
- Adjust any marketing emails to explicitly allow for opt-in as well as clearly defined unsubscribe processes. If possible, don't hide this information at the bottom of emails. If you do, at least make it apparent and clearly define the process.
- Take an active role in understanding GDPR. The ideal of it is extremely positive: the protection of personal data. People get too caught up in the negative aspects -- the potential fines, etc. -- and the intent is lost.
- Realize that this is new territory for most businesses NOT residing in the EU. There is a learning curve and anyone NOT in the EU, but who does business with the EU, is on the same page -- unless they have unlimited resources and unlimited budgets.
- Test and retest your policies and procedures.
It is our understanding that GDPR is primarily intended for businesses that process large amounts of personal data, especially those in advertising, email marketing, social networking and more. These businesses are in the practice of tracking users of their products and/or services, or providing products and services that do this type of tracking. That data is then used for other reasons. (E.g., marketing of tangential products.) When reading the GDPR, and especially reviewing the various Rights offered to data subjects, these uses become even clearer and the fear of having to delete email messages and all that entails -- deleting instances of a specific email address that’s part of a chain, of aliases, deleting archived messages, etc. -- becomes murkier. The vast majority of users of SmarterTools products should be fine in their day-to-day business as long as some common sense and communication is part of your overall planning.
Just to reiterate: the above is our interpretation of GDPR and its requirements. Adoption, and adaptation, is a process and, in many cases, will take time. However, all businesses that have customers in an EU member state need to review the GDPR documentation and make whatever adjustments are necessary to ensure they also meet the requirements. With the most recent revelations about a large social networking site’s use -- or misuse -- of personal information, more stringent and binding regulations surrounding personal data are coming, regardless of where you're located or what business you’re in.
At SmarterTools, we are always looking for ways to improve our products. In most cases, SmarterTools provides features that at least follow the spirit of GDPR. That said, there’s always room for improvement.
We are committed to user privacy and the protection of user data. As such, in upcoming versions of our products we will make things easier for administrators to accomplish the goals and guidelines as outlined by GDPR, and any future regulations relating to privacy and protecting user data. Many of these changes and features are already in the planning stages, or implemented in current BETAs. For example, SmarterMail 17 will offer a disclaimer that can be displayed when a user logs in to their webmail account that needs to be acknowledged prior to the user being able to actually log in. This acceptance is then noted on their account, so it could also be used as a consent decree. There is also logging and tracking of that acknowledgement on a per user basis. This same process is being implemented in the next version of SmarterTrack for user creation, ticket submission, live chat submission and more. Additional features are also coming, so stay tuned.