GDPR and your Command.App

New European Union privacy regulations take effect this Friday, May 25, 2018. The General Data Protection Regulation ("GDPR") ensures that your personal data is collected, handled, and processed securely and responsibly. Privacy and protection are very important to us, so to comply with GDPR consent requirements, we’ve updated our privacy policy and terms of service.

By continuing to use the data collection toolsets in your app, you acknowledge Command.App’s updated Privacy Policy and agree to the terms and conditions.

We’re excited to see these new regulations take effect because they bring welcome responsibility and accountability to companies and services handling personal customer data. For more information on the changes required by these new regulations, please see our GDPR information page or contact our customer success team at support@command-app.com.

What is the GDPR?

Preparing Your Command.App solution for GDPR.

The General Data Protection Regulation (GDPR), which comes into force on May 25th, 2018, aims to protect the fundamental right to privacy and the protection of personal data of European Union (EU) citizens.

This regulation affects any entity (including applications and websites) that processes EU citizens' personal data. Whether or not you or your business is located in the EU, if you have EU app users collecting data from EU citizens, this affects you.

What does the GDPR mean for you?

Transparency and communication with your customers are key elements of the GDPR. As part of the new regulation, you must let your customer engagement targets know how you collect, store, and use their data, in a clear and transparent way. In addition, you must comply with your customers' requests to receive a copy of their data that is processed on your app or online portal.

How to help your Command.App meet GDPR requirements.

Take a look at our recommendations below so you know how to start preparing your Command.App users for the GDPR.
Click here (https://ec.europa.eu/info/law/law-topic/data-protection_en) for more detailed information on the regulation.

Product Roadmap

What we’re building and when.

Below, find a detailed list of the features we’re building to help streamline compliance. A quick note on timelines: we’ve already started to build many of these new automated features, and we’ll continue to update them regularly over the next few months. Our planned timeline is to have every feature on this list completed by July 2018. In the meantime, we are implementing a service level commitment to continue to maintain compliance upon request.
First, a quick primer on the legalese associated with the GDPR.
Let’s say that Sam is a contact of yours and an EU citizen. She's called the "data subject," and your company (let's call you Enterprise Inc.) is called the "controller" of that data. If you're a Command.App customer, then Command.App acts as the "processor" of Sam’s data on behalf of Enterprise. With the introduction of the GDPR, data subjects like Sam are given an enhanced set of rights, and controllers and processors like Enterprise Inc. and Command.App, respectively, an enhanced set of regulations.
And, before diving into specific functionality, one more quick note: certain GDPR-related features will be enabled by a single on-off switch in your settings. In some cases, flipping this switch will make a GDPR feature appear in your account. In others, it will simply change the default behavior for a certain feature.
Turning on the switch will not, on its own, make your process GDPR compliant; rather, it’ll enable the features that will help you comply.
For each topic below, we describe what it means for you and what Command.App is building.
Lawful basis of processing

What it means: You need to have a legal reason to use Sam’s data. That reason could be consent (she opted in) with notice (you told her what she was opting into), performance of a contract (e.g. she’s your customer and you want to send her a bill), or what the GDPR calls “legitimate interest” (e.g. she’s a customer, and you want to send her products related to what she currently has).

You need the ability to track that reason (also known as “lawful basis”) for a given contact.
What Command.App is building: Because Command.App gathers customer data in face-to-face and/or kiosk interactions with customers, we will be adding ‘customer consent’ fields within all forms, quotes and data collection toolsets where EU citizens are part of your target interactions. For example, we might configure an automated workflow to set the lawful basis property when Sam agrees to be sent materials or a quote generated from the app.

In addition, you’ll be able to track and audit the grant of lawful basis using the property history for that new property.

Applicable when using the following Command.App Toolsets where customer-specific data is collected:
• Forms
• Surveys
• Assessments
• Quotes
• Proposals
Consent

What it means: One type of lawful basis of processing is consent with proper notice.

In order for Sam to grant consent under the GDPR, a few things need to happen:

• She needs to be told what she’s opting into. That’s called “notice.”

• She needs to affirmatively opt-in (pre-checked checkboxes aren’t valid). Her filling out a form alone cannot implicitly opt her into everything your company sends.

• The consent needs to be granular, meaning it needs to cover the various ways you process and use Sam’s personal data (e.g. media request email or quick quote sharing). You must log auditable evidence of what Sam consented to, what she was told (notice), and when she consented.
What Command.App is building: In Command.App, we're adding features to make collecting, tracking, and managing consent in a GDPR-compliant way as straightforward as possible.

Three of the most common ways that Command.App customers acquire new customers are through Forms (including Lead Flows), Quotes, and Meetings.

These are different channels through which Sam might initially engage with Enterprise. In each of these tools, you’ll be able to provide proper notice to Sam before she provides information to you (using text boxes on forms), and to collect the appropriate consent when she’s ready to grant it.

An additional detail on notice: if you need to link out to additional notice provisions (like privacy notices), you can do so using hyperlinks in forms when online. Once Sam submits her information, we will store a copy of the notice that Sam was provided, information about which consent she provided, and the timestamp of the interaction.

We’ll make this level of consent tracking available for other forms of contact creation as well: imports, APIs, and manual additions.
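As an added illustration (not Command.App's own code), here is the consent record the Consent section describes, written in Python: it refuses pre-checked or unchecked boxes, requires one named purpose per grant and a non-empty notice, stores a copy of that notice with a UTC timestamp, and appends withdrawals as new audit entries instead of overwriting the original grant. The purpose names and the class and method names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# One checkbox per purpose. Names constructed for this example from the page's
# own examples ("media request email", "quick quote sharing").
PURPOSES = {"media_request_email", "quote_sharing"}

@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool       # False records a withdrawal (opt out)
    notice_text: str    # verbatim copy of what she was told at the time
    at: datetime        # when she consented or withdrew (UTC)

@dataclass
class ContactRecord:
    email: str
    lawful_basis: Optional[str] = None
    history: List[ConsentEvent] = field(default_factory=list)  # append-only audit trail

    def record_consent(self, purpose: str, checked: bool, prechecked: bool,
                       notice_text: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Log one granular, affirmative consent together with the notice it rests on."""
        if purpose not in PURPOSES:
            raise ValueError(f"consent must be granular; unknown purpose {purpose!r}")
        if prechecked or not checked:
            # A pre-checked box is not a valid opt-in; an unchecked box is no opt-in.
            raise ValueError("consent requires an affirmative opt-in")
        if not notice_text.strip():
            raise ValueError("consent without notice is not informed consent")
        ev = ConsentEvent(purpose, True, notice_text, at or datetime.now(timezone.utc))
        self.history.append(ev)
        self.lawful_basis = "consent"
        return ev

    def withdraw(self, purpose: str, at: Optional[datetime] = None) -> ConsentEvent:
        """An opt out is appended, never overwritten, so the original grant stays auditable."""
        ev = ConsentEvent(purpose, False, "", at or datetime.now(timezone.utc))
        self.history.append(ev)
        return ev

    def has_consent(self, purpose: str) -> bool:
        """The latest event for a purpose decides, so a withdrawal beats an older grant."""
        for ev in reversed(self.history):
            if ev.purpose == purpose:
                return ev.granted
        return False
```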
Withdrawal of consent (or opt out)

What it means: Sam needs to be given notice that you're using cookies to track her (in language she can understand) and needs to consent to being tracked by cookies.

*** We know the ePrivacy Regulation is coming, and that it may have an impact on how cookies are regulated. We’ll adjust our product accordingly.

What Command.App is building: Command.App does not use cookies to track customers.
Deletion

What it means: Sam has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of Sam’s contact from your database, including email tracking history, call records, form submissions and more.

In many cases, you’ll need to respond to her request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.
What Command.App is building: You will be able to perform a GDPR-compliant permanent delete in your Command.App portal.

In Progress

Currently upon request, your Command.App Implementation Team will perform manual deletions throughout the platform and will provide confirmation of the customer’s removal from all databases.
Access / Portability

What it means: Just as she can request that you delete her data, Sam can request access to the personal data you have about her.

Personal data is anything identifiable, like her name and email address.

If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

Sam can also request to see and verify the lawfulness of processing (see above).
What Command.App is building: Command.App enables you to grant any access/portability request by easily exporting Sam’s contact record into a machine-readable format. You can verify Sam’s lawfulness of processing using the associated contact property we mentioned above.

In Progress

Currently upon request, your Command.App Implementation Team will process manual access/portability requests by easily exporting Sam’s contact record into a machine-readable format.
Security Measures

What it means: The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization.

What Command.App is building: As part of Command.App's approach to the GDPR, we’re strengthening our security controls across the board.

All data transferred throughout the Command.App platform is secured at rest and in transit using SSL technology. Network communication uses at least 128-bit TLS; the platform is SOC 2 certified, and we commission independent penetration testing and code audits several times per year.