Over the past year, Totango has been preparing to meet the requirements of the GDPR, the new data protection law coming into effect on May 25, 2018. The GDPR affects European and non-European businesses using personal information from users in the European Economic Area.
The following is an informational document outlining key principles and recommendations for guiding our customers on becoming prepared for the GDPR and what Totango has done to meet the GDPR requirements. Please note that this document does not provide legal advice and should not be used as such. We recommend you consult with the appropriate legal counsel for that purpose.
If your company uses Totango as its Customer Success platform, you may be sharing personal data with us. In these scenarios, Totango acts as a data processor because Totango processes the personal data on your company’s behalf.
The GDPR (General Data Protection Regulation) is a European regulation aimed at strengthening and unifying the data protection rights for all GDPR-protected individuals.
It will not only apply to companies that process the personal data of protected individuals and have a presence in the EU (e.g. offices or establishments) but also to companies that do not have any presence in the EU but target the European market (e.g. by offering goods or services to individuals in the EU) and/or monitor the behavior of protected individuals where their behavior takes place within the EU.
Recommendation: Customers should carefully assess whether they are subject to the GDPR and, if so, to what extent. The consequences of breaching the GDPR are very serious and could include fines of up to 20 million Euro or 4% of the breaching company's global turnover.
Given the GDPR's extraterritorial effect, our non-EU based customers are also encouraged to assess whether the GDPR applies to them or not.
A core part of GDPR compliance is ensuring that your data processors implement security best practices for safeguarding personal data.
In order to comply with GDPR, Totango launched Totango Data Shield last year, an umbrella set of platform capabilities designed to keep your users’ data (and your data in general) safe.
In addition, we have updated the product where needed to prepare for the GDPR requirements and to make sure the product addresses the relevant obligations. From a marketing perspective, Totango ensures that all EU users have opted in to receive any correspondence from us and that they have the ability to delete their information at any time.
By nature of Totango's integration architecture, you determine what data is sent over for processing. Accordingly, your company acts as the controller and must abide by a set of core principles regarding the handling of the personal data, as outlined in the next sections of this document.
First of all, as part of the GDPR principles, you should avoid sharing unnecessary personal data with Totango. Typically, the only class of personal data you should share with Totango is contact information (name, business email/phone) and you should not share other classes of data (e.g. health-related data, sexual orientation, religion-related information) that are not relevant to managing the customer’s success with your service.
Recommendation: Review the user information shared with Totango and ensure you are not sharing any unneeded personal data.
The GDPR states that a formal, binding agreement should be executed between the controller and the processor of personal data (called a Data Processing Agreement, or DPA). The DPA should describe the data processing activities being carried out.
Recommendation: Determine with your legal counsel if a DPA with Totango is required and contact us in case it is needed. We will provide you with our standard updated DPA.
GDPR states that data controllers must provide users with specific information on how their personal data is being collected, used, stored and shared. As such, you may need to update your privacy policy to reflect your use of Totango as a data processor for the purpose of improving and managing customer success.
If your legal counsel determines you also need to obtain user consent before using Totango, make sure you update your integration with Totango to only send data from users who have provided the required consent. Please note that proof of consent is required and may be needed in the event of legal proceedings.
Recommendation: Determine with your legal counsel what additional information should be added to your privacy policy. Determine if you need consent and, if so, update your consent collection and implement API changes accordingly.
If you have any additional questions on how to prepare, please reach out to our privacy team at [email protected].