NextPost General Data Protection Regulation (GDPR)
Updated: May 24, 2018
Approved by the European Commission in 2016 — and effective as of May 25th 2018 — the General Data Protection Regulation (GDPR) is a European privacy law designed to replace the Directive 95/46/EC, which has been the basis of European data protection law since 1995.
The GDPR has been put in place to bring EU privacy law up to speed with recent legal developments, such as the European understanding of privacy as a fundamental human right. It regulates how personal data may be obtained, used and stored, as well as how/when it is removed, with the aim of giving EU citizens and residents more control over their personal information.
With the GDPR in place, companies must:
- Collect data in a fair, legal and transparent way
- Use data in a reasonable manner, and only for the purpose it was collected
- Specify why they need the personal data they collect
- Delete personal data once its purpose has been fulfilled and/or when customers request its removal
- Provide access, including a copy of the relevant data, to any customer/consumer who requests it
Any companies found in breach of these rules are subject to heavy fines. As well as updating existing ones, the GDPR adds some new requirements for compliance. As such, enforcement will be a particularly big issue in the months to come after the GDPR comes into effect.
NextPost, Data Privacy And GDPR Compliance
The first thing we should point out is that most reputable companies see all of the requirements of the GDPR as representing responsible business practices. At NextPost we’ve always felt that data privacy is extremely important, and we already have extensive security and privacy measures in place.
You’ll find a few of the measures we’ve been taking outlined below:
1. Data Processing Addendum (DPA)
We offer a DPA (Data Processing Addendum), which has contractual terms that line up with all GDPR requirements, for any of our customers collecting data from those in the EU. We’ve be added this to our Terms of Service on May 25th, with no action required on your part.
As a small team with no legal counsel on staff, we regret to say that we’re unable to make individual changes to our DPA or sign customers’ DPAs.
2. Training And Awareness
We’ve assembled a privacy team comprised of leaders from all areas of our business, from Engineering to Marketing and Ops, and headed up by a DPO (Data Protection Officer).
All employees, existing and new, will be made aware of GDPR regulations. Plus, where appropriate, additional training will be available for all members of our team.
3. Consent And Cookies
4. Data Inventory
5. Updates To Our Third Party Vendor Contracts
We’ve performed a deep review of all our third party vendors and their GDPR compliance. The result of this assessment is that, from May 25th 2018 onwards, all of our third party vendors are GDPR compliant. We’re also glad to say that many took additional measures to ensure that they were ready for GDPR well before this deadline.
7. Access, Portability and Deletion
The GDPR states that EU customers must be able to access, update and/or remove personal data. Our self service platform allows you, and has always allowed you, to access both your data and data belonging to your customers. You can search for and delete any end user conversations from within NextPost. You can also access, update, retrieve and remove personal data concerning “agent” users (including yourself) in your NextPost account.
Please contact our support team if you need to export end user data in a computer readable format.
8. Risk Assessment (Data Protection Impact Assessments)
Our managed data protection impact assessment (DPIA) process, which is a requirement of the GDPR, allows us to identify and minimize the data protection risks of any project. We’ll always collaborate on a solution to address any risk identified, big or small, in order to mitigate its impact on data privacy.
We’ve always taken security and privacy into account when looking at the implementation of new features or changes, discussing the potential impact on privacy and security for NextPost customers, and we’ll continue with this risk assessment process as we expand our offerings.
9. Breach Management
Since NextPost has always handled a good deal of personal data, we already had a breach management and communication plan in place (and have done so for some time). We have, however, updated this process to comply with GDPR regulations. Specifically, we re-examined the escalation process and approach to data subject notification.
If you have any questions about these Terms, please contact NextPost at: