Compliance Archives - Shout.com
https://shout.com/category/compliance/

Shout Features to Bolster Your Compliance
https://shout.com/compliance/compliance-features/
Thu, 01 Dec 2022 12:19:01 +0000

Contents:
• Shout's privacy by design
• Collecting survey responses: Separate personally identifiable information (PII) from survey responses; Set a minimum response threshold
• Managing Contacts: Track Lawful Basis for Processing Data; Collect and Record Explicit Consent with Contact Forms; Handle contact data deletion requests
• Teams: Private team user dashboard; Admin controls

The post Shout Features to Bolster Your Compliance appeared first on Shout.com.

The introduction of the GDPR and other major data protection laws around the world have changed the landscape of data collection.

As the Data Protection Officer for Shout, I’ve spent a lot of time thinking about how we can continue to drive our compliance standards.

But our development team has been working equally hard on features that let you bolster your own compliance when using Shout.

Below, I’ll go through the tools you’ll have access to in the app, and the compliance features associated with them.

Shout’s privacy by design

Before we get to the optional features you can enable, it's worth covering what is in place by default to help you meet data protection requirements.

Firstly, all survey responses are anonymous by default.

We aim to collect as little respondent data as possible unless you ask for it. That helps you build trust with your audience: respondents who know they cannot be identified tend to give more open and honest feedback.

Also, for the same reason, we don't collect referral statistics by default (you can enable them per survey). We want respondents to know their data will be protected.

For the same reason, we don't record IP addresses. They are masked before they are ever written to our servers, so respondents can be confident their address is not kept.

This also means you don't have to justify recording an IP address (an online identifier that can itself be personal data under the GDPR) when you collect survey responses.
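The page says addresses are masked before storage but not how. The function below is an added illustration, not Shout's code, of the usual approach: keep the first 24 bits of an IPv4 address and the first 48 bits of an IPv6 address, and never let the raw value reach the stored record. The prefix lengths, the function names and the sample addresses are assumptions made for this example.

```python
"""Mask a client IP address before it is stored (added example, not Shout's code).

Assumed scheme: drop the last octet of IPv4 (keep /24) and everything after
the first 48 bits of IPv6 (keep /48). The prefix lengths are a choice made
for this illustration, not something the page specifies.
"""
import ipaddress
from typing import Dict, List, Optional

V4_KEEP_BITS = 24   # 203.0.113.77             -> 203.0.113.0
V6_KEEP_BITS = 48   # 2001:db8:abcd:1234::5678 -> 2001:db8:abcd::


def mask_ip(raw: str) -> str:
    """Return the masked form of a single IPv4 or IPv6 address.

    Raises ValueError for anything that is not exactly one valid address,
    so a malformed or multi-valued header never gets stored verbatim.
    """
    ip = ipaddress.ip_address(raw.strip())
    # An IPv4-mapped IPv6 address (::ffff:203.0.113.77) is really an IPv4
    # client. Unwrap it so it gets the IPv4 rule instead of being flattened
    # to "::" by the 48-bit IPv6 mask.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def safe_mask(raw: str) -> Optional[str]:
    """mask_ip, but return None instead of raising on bad input."""
    try:
        return mask_ip(raw)
    except ValueError:
        return None


def store_response(client_ip: str, answers: Dict[str, str], store: List[dict]) -> dict:
    """Append a response record that only ever contains the masked address."""
    record = {"ip": mask_ip(client_ip), "answers": dict(answers)}
    store.append(record)
    return record
```

Masking only the last IPv4 octet leaves 2^8 candidates, which is the conventional trade-off for coarse geolocation; if you do not need even that, drop the field entirely rather than masking it.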

Finally, Shout is cookieless by default. We don’t store cookies on respondent devices for any purpose of our own. We don’t force Google Analytics tracking cookies on anyone, like our competitors do.

Collecting survey responses

Now, let’s get into the nitty gritty of what we’ve created to enable higher levels of compliance when collecting survey responses.

Separate personally identifiable information (PII) from survey responses

You may be tasked with collecting both feedback and personally identifiable information (PII), without wanting the two linked in your survey report.

There's an easy way to do this with Shout.

Our Pseudonymization feature lets you flag the questions in your survey that collect PII (such as names and email addresses). Once results start coming in, the answers to flagged questions are stored in a separate section of your report.

There is no key linking the PII section back to the response data, which is what makes this feature effective for compliance. One check worth doing before you rely on it: the unflagged answers must not identify people on their own, so review free-text questions for names, email addresses or other details respondents may volunteer.

When you pseudonymize responses to a survey sent by email invitation, any data tracked from the invitation is separated into the PII section automatically.

Set a minimum response threshold

If you separate PII from response data, you might still worry that the first few respondents could be identified while responses are scarce.

We've addressed that too.

With Shout, you can set a minimum response threshold for a survey, and the results are not accessible until that quota has been met. This helps preserve the anonymity of respondents.

Note that the threshold is locked from the moment the first response arrives, so decide on a suitable value before the survey goes live.
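The two features above, splitting PII from answers with no join key and gating report access behind a minimum response count, fit together in one small model. The code below is an added example written for this page, not Shout's implementation: the question ids, the in-memory stores, the random-position insert used to break ordering and the sample respondents are all assumptions constructed for the illustration, and the threshold is fixed when the store is created to mirror the page's note that it cannot be changed once responses arrive.

```python
"""Pseudonymised survey storage with a minimum-response release gate.

Added example, not Shout's code. Assumptions: question ids "q1".."q4",
two plain lists as stores, and a threshold fixed at construction time.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


class ThresholdNotMet(Exception):
    """Raised when results are requested before the quota is reached."""


@dataclass
class SurveyStore:
    pii_questions: FrozenSet[str]   # question ids flagged as PII
    min_responses: int              # release gate, fixed for the survey's life
    answers: List[Dict[str, str]] = field(default_factory=list)
    pii: List[Dict[str, str]] = field(default_factory=list)

    def submit(self, response: Dict[str, str]) -> None:
        """Split one response into a PII record and an answer record.

        Neither record carries a response id, timestamp or sequence number,
        so the only thing that could pair them is list position; the PII
        record is inserted at a random position to break that as well.
        """
        pii_part = {q: a for q, a in response.items() if q in self.pii_questions}
        answer_part = {q: a for q, a in response.items() if q not in self.pii_questions}
        self.answers.append(answer_part)
        if pii_part:
            self.pii.insert(secrets.randbelow(len(self.pii) + 1), pii_part)

    def is_open(self) -> bool:
        """True once enough responses have arrived to release results."""
        return len(self.answers) >= self.min_responses

    def _gate(self) -> None:
        if not self.is_open():
            raise ThresholdNotMet(
                f"{len(self.answers)} of {self.min_responses} responses received"
            )

    def report(self) -> List[Dict[str, str]]:
        """Answer data only, released once the threshold is met."""
        self._gate()
        return [dict(a) for a in self.answers]

    def contacts(self) -> List[Dict[str, str]]:
        """PII records only, under the same gate."""
        self._gate()
        return [dict(p) for p in self.pii]


def demo() -> SurveyStore:
    """Constructed sample: q1/q2 are flagged PII, q3/q4 are the survey itself."""
    store = SurveyStore(pii_questions=frozenset({"q1", "q2"}), min_responses=5)
    people = ["alice", "bob", "carol", "dave", "erin"]
    for i, name in enumerate(people):
        store.submit({
            "q1": name.title(),
            "q2": f"{name}@example.com",
            "q3": "yes" if i % 2 == 0 else "no",
            "q4": "would like more privacy controls",
        })
    return store
```

The gate is what protects early respondents: with one response in each list the pairing is obvious, so `report()` and `contacts()` both refuse until the quota is met. Free-text answers such as `q4` stay in the answer store, which is why the flagged questions alone are not enough if respondents can type identifying details.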

Managing Contacts

Now we’ve covered the compliance features linked to survey data, let’s go over how you can maximize compliance when managing contacts.

Track Lawful Basis for Processing Data

When you import or collect contacts with Shout, you can create Groups to better organize them based on shared information or the types of campaigns you’ll send.

When you create contact groups, you can assign a lawful basis for processing data for all contacts in that group.

These include:
• Explicit consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interests
• No consent

You may know that you can use Shout forms to collect contact information and grow your email list in our integrated CRM.

When doing so, you can connect individual forms to one or more contact groups.

If you’ve selected a contact group marked with the Explicit Consent lawful basis for processing data, we’ll automatically add a consent question below your form.

That consent is then recorded in the contact's profile in the CRM.

You can customize the text that is displayed to prospects and respondents when asking for consent.


Handle contact data deletion requests

Under the GDPR, data subjects are able to exercise rights regarding the use of their data.

You can update and correct any personal data via contact profiles at any time.

You can also export contact data in bulk to provide evidence of opt-in dates and other personal information they’ve provided.

When you delete a contact from the CRM, we remove all associated personal data from your lists. We also remove their data from any survey reports (if you enabled tracking).

Teams

Shout Teams lets you invite colleagues to share the features of your subscription and collaborate on surveys.

But you may be concerned that your survey data is accessible to any and all team users.

Private team user dashboard

Not to worry, all surveys and reports are private by default. You can share surveys (and the associated report) with any and all team users, but you can revoke access at any time.

Admin controls

Admins are the users who control billing for the Shout team. They also own all data in the team account.

They have full control over team users, including the ability to change details, delete accounts and purge data.

This covers the case where an employee leaves your organization and you need to cut off their access to the data (which is owned by you).

How to Ensure You are GDPR Compliant
https://shout.com/compliance/how-to-ensure-you-are-gdpr-compliant/
Wed, 20 Apr 2022 15:48:28 +0000

Contents:
• What is GDPR?
• GDPR compliant survey software
• The importance of the GDPR
• Steps to becoming GDPR compliant: Make all of your employees aware of GDPR and the implications of it; Conduct frequent risk assessments and audits; Defend all points of access; Put together an incident response plan; Implement a policy management system
• Wrapping up how to ensure you are GDPR compliant

The post How to Ensure You are GDPR Compliant appeared first on Shout.com.

GDPR compliance is not an option. It’s something that all businesses need to take seriously, putting processes in place to ensure they are 100% compliant. 

There are a lot of high-profile businesses that have been fined for non-compliance with GDPR:

  • Amazon received a whopping fine of $847 million.
  • Google has also been fined $56.6 million.
  • H&M received a fine of $41 million.
  • WhatsApp has been fined $255 million.

Most businesses would not be able to come back from fines so significant. You must also consider any reputational damage if you’re found to be in breach of the GDPR.

It’s imperative to comply with privacy laws. In this guide, we’ll discuss some steps you can take to ensure your compliance. 

What is GDPR?

GDPR is the EU General Data Protection Regulation. It is one of the most significant pieces of legislation in place regarding privacy law. It made it obligatory for businesses to make considerable amendments to their data protection efforts or face monumental fines. Read this GDPR guide for more information.

The law has applied in full since 25 May 2018. Although it is European legislation, its reach is global: any business, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour must comply.

The GDPR establishes the following:

  • Significant penalties for non-compliance
  • Mandatory breach reporting
  • Increased duty for protecting data
  • Enhanced personal privacy rights

GDPR compliant survey software

Shout is a privacy-first, cookieless survey tool with compliance enabled features. Get started with your Free Trial today.

The importance of the GDPR

The GDPR protects the rights of data subjects in the EU and sets out what businesses must do to safeguard those rights when processing their personal data.

Every organization that processes the personal data of people in the EU needs to comply, whether that concerns one customer or one million.

The GDPR applies to personal data (often loosely called personally identifiable information, or PII): any information relating to an identified or identifiable person, including:

  • Full names
  • Email addresses
  • Postal addresses
  • Medical records
  • Identification documents (e.g. driver's licenses and passports)
  • Online identifiers such as IP addresses and cookie IDs

However, knowing where to begin can be difficult, which is why we have put this post together. You may also consider hiring a GDPR consultant who can evaluate your current efforts and help manage your compliance practices.

Steps to becoming GDPR compliant

Now that you have an understanding of what GDPR is and why you need to follow it, let’s take a look at some of the steps your business should take to make sure that you are compliant.

You can also take a look at the features we’ve created at Shout to help bolster your compliance when collecting data.

Make all of your employees aware of GDPR and the implications of it

There is only one place to begin, and this is by making sure that your employees know about GDPR and how it pertains to their role within your business. 

Many breaches start with employee mistakes such as falling for phishing, misaddressing an email or mishandling a data export: the negligent side of the insider threat, and usually a sign that staff have not been trained on how to handle personal data properly.

Decisionmakers and key personnel within your company need to know about GDPR and its impact.

The GDPR expects staff involved in processing to be trained: awareness-raising and training of staff are among the tasks it assigns to the data protection officer (Article 39), and the accountability principle means you must be able to show that the training happened. This training is imperative in terms of making sure staff members have the required knowledge about company policies, legal requirements, and regulations that apply to their daily operations.

Businesses also need to prove that employees have read GDPR policies and that they fully understand them. If you are able to provide this evidence, it is going to put you in a much stronger position if something happens and you need to prove that your company takes privacy seriously and has put the required steps in place to reduce the risks of a breach.

We know that there are a lot of business owners that skip this because they feel that it is an unnecessary expense. However, investing in security training now can save you a lot of money in the future.

You may also be required to appoint a data protection officer to act as the representative for matters relating to the GDPR (Article 37). This is driven by what you process rather than by company size: it applies to public authorities and to organizations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special-category data.

Conduct frequent risk assessments and audits

The GDPR's accountability principle requires businesses to be able to demonstrate compliance, which in practice means keeping records of their processing activities (Article 30), reviewing them regularly, and adhering to the data protection principles that guide how data is safeguarded.

As a business, you will need to determine all of the following:

  • What data are you gathering?
  • Where are you sourcing this data?
  • Why are you collecting this data?
  • How are you processing this data?
  • How long are you holding onto data? 
  • Where are you transferring data to?
  • Is all of the data you are holding required?
  • Who has access to data?

Answering these questions gives you a data map and the records of processing the GDPR expects you to keep. Where a new or changed process is likely to result in a high risk to individuals (for example large-scale profiling or processing of special-category data), the GDPR additionally requires a data protection impact assessment (DPIA) before you begin (Article 35).

To stop data breaches from happening, businesses need to minimize access to sensitive data and lower the number of places where they physically store data. 

By carrying out audits on a frequent basis, businesses can make sure that an appropriate framework is established so that customers’ data is kept secure and risks are mitigated. 

Defend all points of access

To achieve complete GDPR compliance, businesses need to make sure that every endpoint is protected.

Sadly, a large number of data breaches that have happened could have been prevented if systems were patched properly. 

New vulnerabilities are discovered continually. If patches are not applied, attackers will exploit them to get into the network.

To demonstrate that you are compliant with the regulations that are in place, you need to show that you have taken all of the steps that are required to secure your systems. 

Auditors may need reports of what patches were applied and when they were applied, so it is critical that you have the right systems in place so you can document the patches that have been issued accurately. Patches are critical in making sure your machines are stable, up to date, and safe from threats such as malware.

Put together an incident response plan

In addition to the points that we have discussed so far, it is imperative to put together an incident response plan to help guide your staff members.

Under the GDPR, you must notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must be told as well (Articles 33 and 34). To comply with this reliably, you need a plan that lets you respond to incidents in a quick, coordinated and organized way.

Your incident response plan should define the steps you plan to take to rectify the issue. It should also define roles and responsibilities of those in your organization. This will ensure that you can manage the situation effectively and make the right decisions. 

Putting together an incident response plan allows you to:

  • Inform and educate staff members.
  • Enhance stakeholder confidence.
  • Improve customer confidence.
  • Improve organizational structures.

It will also help in terms of lowering the possible financial impact after a major data breach.

Implement a policy management system

Last but not least, another critical step when it comes to complying with GDPR is putting together a successful policy management system.

Compliance can prove to be an impossible task if you simply use current communication methods, such as corporate intranet and email. Nevertheless, if you implement policy management software, you can streamline internal processes, as well as successfully target areas that present the biggest data security risk and showcase legislative compliance. 

A policy management solution will give your business a centralized and easy-to-use solution that will help you in terms of the creation, storage, and distribution of critical policy documents.

A successful policy management system will have a consistent method for policy creation, adding structure to the procedures in place at your business and making compliance easier to track.

Wrapping up how to ensure you are GDPR compliant

So, there you have it: what you need to know about GDPR and how to make sure you are compliant with this privacy legislation.

This article does not constitute legal advice. We recommend that you consult a GDPR expert for how it may impact your own business or data processing activities.

You only need to turn on the news today to find out about the latest data breach. It seems that there is a significant one every day! The last thing you want is your customers to suffer because you have not protected their data effectively. 

At the same time, every business has to respect individuals' rights over how their data is used and what data it holds on them.

GDPR is simply not an option. It is a necessity. If you have not implemented data and privacy protection processes at your business, now is the time to do so. 
