The GDPR and


On May 25th, 2018, the European Union’s (EU) new data protection framework, the General Data Protection Regulation (GDPR), will come into effect. It is the most significant piece of data protection legislation to date and will impact any organization that processes personal data in connection with goods/services offered to an EU resident, or monitors the behavior of persons within the EU, regardless of where that organization is located in the world.

The introduction of GDPR will force us to be better at protecting the personal information we collect. What the GDPR mandates is actually a set of best practices that marketers benefit from following. At a basic level, it requires that you:

If you work with one or more outside organizations to collect, store, or use the personal information of people within the EU, then make sure that each of those organizations is fully prepared for GDPR compliance.

Implications of Not Complying

You should embrace the changes for GDPR for a number of reasons. The first is that protecting privacy and being clear and transparent about how and why you use personal information is just good business. The second is that you can be hit with heavy fines. Depending on the violation, a company can be fined up to the greater of €20 million (approximately $24.5 million) or 4% of the preceding year’s worldwide revenue.

’s Commitment to GDPR Compliance

is committed to helping our customers and partners by protecting and respecting personal data, no matter where it is from or where it flows. ’s Legal, Trust and Privacy teams have carefully analyzed the GDPR and have taken the necessary steps to ensure that we comply. Between now and May 25th (and beyond), we are fully committed to enhancing the platform to enable easier compliance with the GDPR.

Key Definitions

Information We Collect

may collect and receive customer data, personal information, attendee information, and other information and data (collectively “information”) in a variety of ways.


Individuals granted access to the application by a customer (“end users”) routinely submit information to

When an end user of a customer has been granted access to the application, we collect and store information about the end user. The personally identifiable information collected from the end user through the application includes information in the “Profile” section of the application, which is populated through the Registration Page. This information might be name, email address, company, title, location, and phone number (which makes up the end user’s “personal information”).

We use this personal information to set up the end user’s account or allow administration and communication with the end user regarding their registration. We may also use their email address to send updates about the customer program on the Application and to provide support in connection with said program.

Consent

is implementing a new “opt-in” consent for the platform. ’s customers are considered the Controller of the data from a GDPR perspective, making our customers ultimately responsible for fulfilling data subject rights and ensuring that the opt-in consent is in place. understands that their customers will need to rely on to collect the opt-in because they are using our platform to collect information for user registrants (data subjects) they may not have an existing relationship with. will also provide the ability for Customers to provide details on how they will use John’s data.

The opt-in consent will include a link to the Data Collection Consent, as well as a link to the Customer Terms & Conditions.

Meeting GDPR Requirements

Let’s say that John Doe is a registrant on the Application and an EU citizen. John is the Data Subject (End User). Any Customer using the Application to host a webinar is the Controller. acts as the Processor of John’s data on behalf of the Customer.

Below are a few key areas where is helping our Customers be GDPR-compliant.

What It GDPR Enhancement
Lawful basis of processing

needs to have a legal reason to use John's data. That reason could be consent (he opted in by registering). needs the ability to track that reason (also known as “lawful basis”) for a given contact.

will track lawful basis of processing via Consent; see below. will be able to track and audit the grant of lawful basis based on using the property history for Consent.

Consent

One type of lawful basis of processing is consent with proper notice.

In order for John to grant consent under the GDPR, a few things need to happen:

He needs to be told what he’s opting into. That’s called “notice.”

He needs to affirmatively opt-in (pre-selected checkboxes aren’t valid).

The consent needs to be granular, meaning it needs to cover the various ways processes and uses John’s personal data (e.g. marketing webinar). We must log auditable evidence of what John consented to, what he was told (notice), and when he consented.

Customers of must also provide granular details on how they will use John’s personal data. makes collecting, tracking, and managing consent as straightforward as possible. Customers acquire personal information about End Users like John through registration.

On our Customer registration page, we will provide proper notice to John before he provides information to will also collect the appropriate consent when he’s ready to grant it.

Once John submits his information, we will store a copy of the notice that John was provided, information about which consent he provided, and the timestamp of the interaction.

Withdrawal of consent (or opt out)

John needs the ability (as a data subject) to see what he’s signed up for and have the ability to withdraw his consent (or object to how is processing his data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.

John can send a withdrawal of consent directly to via, as detailed in our Privacy Policy. will be able to modify the lawful basis contact property mentioned above.

In addition, all John's data within that current webinar will be masked.

Deletion

John has the right to request that deletes all the personal data we have about him. The GDPR requires the permanent removal of John’s contact from the database.

In many cases, will need to respond to his request within 30 days. The right to deletion is not absolute, and can depend on the context of the request. Therefore, it doesn’t always apply.

will provide a GDPR-compliant permanent delete in all webinar Environments. This will be performed by a employee only, per direct request.

Access / Portability

Just as he can request that you delete his data, John can request access to the personal data you have about him. Personal data is anything identifiable, like his name and email address. If he requests access, needs to provide a copy of the data.

John can also request to see and verify the lawfulness of processing. enables Customers to grant any access/portability request by allowing John to easily export his contact record into a machine-readable format. This is done via the Setting drop-down, Download My Data, inside the Application. can verify John’s lawfulness of processing and using the associated contact property we mentioned above.

Modification

Just as he can request to delete or access his data, John can ask Customers to modify his personal data if it’s inaccurate or incomplete. If and when he does, we need to be able to accommodate that modification request.

Inside the Application, John can easily update his personal information via the Settings drop-down, Edit Registration.