Release Letter - May 2018
Release Letter
May 2018
This release letter is slightly longer than our usual release letters. We made this choice as – guess what – GDPR is upon us!
If few days time, the new and unified European law concerning dealing with personal data – GDPR – becomes effective. At HeroBase, we have been preparing for this for a long time. Many data privacy related features have already been added to our platform. And with this release, we release a few more, very important ones.
We here do our best to tell you how to utilize these to comply with various important parts of GDPR.
Rights of the data subject
The fact that you are only allowed to call private individuals, who gave you permission to do so, is nothing new in Denmark and many other countries. So we are confident you have this in place already. Remember permissions can easily be documented in Hero Outbound by making fields on your campaign template showing your agents where permissions derive from; when they were given; etc. These would just be plain fields like anything else. Many of you do this already. But it is a wise thing to do, giving your agents information-at-hand if your leads ask you, where you got permissions from.
As you have this in place, you should be prepared that leads as “data subjects” (that’s what GDPR calls them) get a set of rights with GDPR. So they may ask you (directly or indirectly – for example through your end-customer) to document what data you have concerning them; which interactions you did with them; and to correct parts of this information or even delete – “forget” – them.
All of this has been collected in our brand new “Data Privacy board” – which you will find in the Administration menu.
Search for a phone number, and you will see all leads where this phone number occurs; enter each lead to see detailed data, and click “Forget” to delete this lead. This is point of no return – there is no undo! Clicking “Forget” will in fact delete all personal data whatsoever, related with this lead. We will keep the lead entity as an anonymous piece of data for statistics purposes. But, lead data will be deleted, for you to serve data subjects on this important new right.
In the middle, you see a summary of all data we have for this phone number, i.e. across all lead instances.
To the right, you see which people in your organization, who altogether have access to the personal data of this lead.
Avoid future contact
This feature has also allowed us to solve a wish from you for a long time: Ability to block future contact to phone numbers, placing them on a “Do Not Call-list”. You get to this by switching to “Block Phone Numbers” via the toggler at the top.
Here, you may block phone numbers so that leads with the blocked number cannot be uploaded as new leads. When you block, you may set an expiration date, so you don’t necessarily block forever, but for example for one year.
Only keep the data you have a purpose to store…
Another big part of GDPR is that you should only store the data, you have a purpose to store. This purpose is up to you to define – but it could for example be, that you store data on successes for 60 days, after which point you delete it from Hero Outbound because you already exported data to an external system now keeping track of billing and your new customers. For not-interested leads, you may only want to keep it for 30 days. Remember that these time limits are your choices!
Our new Project control panel now allows you to set up rules for automatic deletion. Unless you already have other procedures in place assuring data deletion (either manually, via API or at field level via the campaign template property which already existed for a long time), this new control panel can be of enormous importance for you to comply with this important part of GDPR.
At a project level, you mark which data you consider as being sensitive. This is defined at data type level – i.e. exactly the data types, you set each field to, when you create campaign templates. So you may mark “Phone number”, “social security number” and even “long text” (because you use this for notes which could contain sensitive data) as sensitive – while keeping the rest non-sensitive. Up to you!
At the bottom, you define for how long you store sensitive and non-sensitive data at lead type level (success and non-success).
All this takes place at project level – allowing you to comply with different politics and purpose definitions per project.
Who changed what?
From the more administrative side, we have developed further new overviews putting more control and logs in the hands of you as a customer administrator.
This has allowed us to fulfill another wish for a long time: A visible log of changes to campaigns, users, organization etc. Enter Administration – Change Log, to see this now. Have never more doubt about when and by whom vital campaign settings were changed. It’s all in the hands of you now.
Who accessed large volumes of lead data?
In the undesirable (and, hopefully, according to how you set up your organization, unlikely) event of a data breach, you need to be able to understand who has been able to conduct actions ultimately leading to a data breach/data leak. In the Lead Privacy Board, you have the list at hand at individual lead (phone number) level. We have taken it a step further and added a log of user actions where Lead Admin has been accessed.
We believe that the visible log of this itself (of course only accessible to administrators via Administration – Lead Admin Access Log) will have a highly preventive effect once you communicate this in your organization, meaning that you will reduce risk of people accessing data, they don’t have any reason to access even if you on purpose gave them the feature permission to do it – will never breach your policies and data.
What now?
This was a long text – we know it, and sorry. But data privacy is important, and with GDPR, we believe we merely have a beginning than an end.
Spend the next time going through our new features and make sure you get your data storage purposes and resulting deletion rules in place; grant rights to the new Data Privacy board and visible logs to the right people in your organization, and make sure they’re trained to deal with requests from data subjects or your end-customers.
As you know, we already have a Data Processing Agreement in place between us, so you’re also compliant with this important part of GDPR.
Now, enjoy being on the most compliant platform and look forward to a future after May 25th, where data privacy matters even more.
Happy and compliant working!
Best regards,- Team HeroBase