Terminus and GDPR
Terminus has made information security and data privacy foundational principles of everything we do, and we are firmly committed to GDPR readiness.
To ensure we meet regulatory guidelines, Terminus has built the Terminus ABM platform with data privacy by design and works only with the data necessary to provide our service.
The European Union’s General Data Protection Regulation (GDPR) will become enforceable on May 25th, 2018 and imposes additional requirements upon companies to enhance the protection of personal data for EU citizens. It expands the rights of individuals to control how their personal information is collected and processed, and places a range of new obligations on organizations to be more accountable for data protection.
Who has to comply with the GDPR?
- Any EU-based organization considered a controller or processor of data. In general, controllers determine the means and purposes of data processing, while processors handle data for specified purposes on behalf of controllers.
- Organizations, regardless of location, considered controllers or processors of personal data of EU residents in relation to goods or services provided to them.
- Organizations that monitor the behavior of EU residents.
What are the primary principles of the GDPR?
- Accountability – As a data controller, an organization is responsible for compliance and should be able to demonstrate the controls it has in place for continued compliance.
- Purpose Limitations – Personal data shall be collected for specified and explicit purposes.
- Data Minimization – Collect only the data that will be needed, and limit the amount of data that is stored.
- Data Accuracy – Any personal data that is stored should be kept up-to-date. If possible, allow users to update or delete their own data.
- Integrity & Security – Create a privacy-by-design system. Protect personal data against unauthorized or unlawful processing.
- Storage Limitation – Store personal data only for as long as it is needed, and use anonymization and pseudonymization where possible.
- Lawful, Fair & Transparent – The personal data processed and the reason for processing must be clearly and truthfully explained to the data subject and agreed to by the data subject.
How does GDPR impact Terminus and its customers?
Terminus is excited about GDPR and other international laws that promote privacy and security principles.
The Terminus customer would be considered the controller, since the customer chooses how and when to use their data with Terminus, and Terminus would be considered the processor of that data. Since Terminus falls under the processor category, we are required by the GDPR to treat our customers’ data as if it were our own.
However, Terminus is working diligently to ensure it meets the guidelines set forth in GDPR and to provide protection from regulation for our customers as it relates to the use of Terminus.
What is Terminus doing to be GDPR ready?
To assist customers in complying with privacy regulations, Terminus has taken the opportunity to do the following:
- Release new Terminus data compliance policies
- Encrypt all customer data and remove personal data, where necessary
- Provide internal tools for the effective processing of Data Subject Rights requests (Right to Erasure & Right to Portability)
- Obtain a SOC 2 compliance report by the end of 2018 (in progress)
- Provide targeted direct marketing on a legitimate interest basis through advertising that includes an Ad Choices opt-out on every advertisement, giving consumers control and choices
How is Terminus processing data covered by the GDPR?
Terminus primarily processes account-level data from customers (which are entities, not individuals) to perform its account-based marketing service. As an account-based solution, Terminus intentionally minimizes the processing of personal data.
Under GDPR, personal data is any piece of data that allows one to identify a specific person located in the EU/EEA. The GDPR provides the following as examples of personal data: Full Name, ID Number, Home Address, Date of Birth, Telephone Number, Gender, Race, Religion, Biometric, Economic, Social Identity Data, Online Identifier*. In contrast, Terminus collects the following types of Account-Level Data: Company Name, Website, Company Address, Employee Count, Revenue Range, SIC & NAICS codes, Company Social Profiles, Latitude & Longitude, Stock Symbol, Company IP Address Ranges.
While Terminus does process personal-level data to perform its account-based marketing service, it does not expose this data to our customers and thus protects individuals’ data through anonymization.
*Recital 30 of the GDPR states online identifiers can be considered personal data if they can be used to single out or identify an individual: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Disclaimer: The GDPR is broad in scope, and compliance will vary greatly between organizations. This guide should not be considered legal advice; it is informational only and aims to help you understand how Terminus is addressing GDPR compliance as a data processor. If you are looking for legal advice after reading this guide, please consult legal counsel with your specific questions regarding GDPR.