Are you ready for EU GDPR Compliance?

On May 25, 2018 the EU General Data Protection Regulation (GDPR) goes into effect, creating data privacy and security concerns for firms both inside and outside of the EU.  The GDPR covers both companies that provide goods and services to EU residents and those that are part of the value chain.  The regulation covers all individuals domiciled within the EU, regardless of where the company is headquartered.

According to Forrester, the regulation has five key requirements:

  • If a firm has “regular, systemic collection or storage of sensitive data,” it needs to hire or designate a Data Protection Officer (DPO).  The function may be filled by individuals with legal, privacy, security, marketing, or customer experience backgrounds.  The International Association of Privacy Professionals (IAPP) estimates that the regulation will require 30,000 privacy officers.  The DPO will need to work with security leaders with respect to identity and access management (IAM) and encryption.  They will also be involved in purchasing decisions around CRM, analytics, and other platforms.
  • Should a data breach occur, firms have a 72-hour window for reporting breach details to the authorities and customers.  The window begins as soon as the breach is detected.
  • Privacy must be built into any new projects with a “Privacy-by-design” philosophy.  Forrester stated that “sustained collaboration between teams will be critical, so firms will have to establish new processes to encourage, enforce, and oversee it.” For example, privacy officers will need to review business requirements and development plans related to new apps.
  • Extraterritoriality places requirements on firms outside of the EU, making it a global requirement.  Forrester notes that “a US-based data aggregator that collects and resells EU customers’ data to other business partners will need to comply fully with GDPR requirements, rather than simply meeting international data transfer rules.”
  • Firms will be responsible not only for securing data but also for providing evidence that they have implemented appropriate risk mitigation.  Thus, a firm can be held in violation even if it has had no customer complaints or data breaches.

US companies are still obligated to comply with the 2016 Privacy Shield agreement between the US and EU.  Forrester also warned UK firms to comply with the GDPR, as lowering British privacy standards would only serve to complicate UK-EU data transfer rules post-Brexit.

Forrester suggested that firms apply a cost-benefit analysis to their data instead of simply storing everything:

“Firms will learn to better assess the costs and benefits of records they process, store, and protect. They will progressively focus on collecting, buying, processing, storing, and protecting only the data that offers them the most value and will kill the rest.”

Forrester also suggested that privacy should be part of a firm’s DNA and some firms will integrate privacy into brand perception and the customer experience, providing a basis for competitive advantage.

Osterman Research conducted a survey of mid-to-large companies subject to the law to identify technology expenditure increases for GDPR compliance.

GDPR compliance expenditure increases (January 2017)

GDPR non-compliance costs are potentially very high with penalties up to the greater of €20 million or 4% of total worldwide annual turnover of the preceding financial year.

Quora: Why is My Information on Zoominfo?

I recently answered two posts on this question.  As Zoominfo data collection is opt-out versus opt-in, executives are sometimes concerned about what is being collected and how they can opt out.  Here is my post:


ZoomInfo collects data about US and international businesspeople. Information is gathered via web crawling (for bio data) and email plugins that collect signature information such as name, title, company, direct dial, and email. This information is then available to its customers who use it primarily for sales, marketing, and executive recruitment. Customer use cases include prospecting lists for B2B email and telemarketing campaigns, data hygiene (i.e. confirming you are still at a company and that your contact information is accurate), and call prep prior to telemarketing or recruitment calls.

Here is an example of how they provide additional information about you to LinkedIn users via their ReachOut Chrome plug-in:

The ZoomInfo ReachOut Chrome connector provides just-in-time company and executive intelligence from corporate websites and LinkedIn.

ZoomInfo does not collect any consumer or credit information. Thus, they have no lifestyle data, political affiliations, donations, income estimates, age, family details, credit histories, personal emails, mobile phone numbers, or housing data. They focus strictly on your professional persona.

ZoomInfo’s privacy rules and how to opt out of their database can be found on their website.

If you would like to know more about ZoomInfo, I cover them on my blog.

FullContact Cloud-based Enrichment

Contact data vendor FullContact offers a cloud-based contact enrichment service via a single user app, team app, and API.  Contact data includes publicly available contact intelligence such as social networks, headshots, and affinities.  FullContact suppresses personal identifiers such as mobile phones, personal email, and home addresses.  For individuals, FullContact supports a unified contact view across Gmail, Outlook, mobile, and LinkedIn contact networks.  For teams, FullContact offers a shared master address database.

FullContact employs a FullContact ID to tie together global business and consumer identifiers.  Individual profiles include 4,500 affinity/lifestyle tags along with social media links spanning 120 sites including LinkedIn, Twitter, and Facebook.

FullContact Enrichment may be performed via batch processing or API.

The team service, priced at $9.99 per user per month (when billed annually), provides team members with a master address book.  Team features include business card scanning, contact unification, public information contact updates, and the sharing of tags and notes across the team.

Individual users have access to a free single-user Basic edition limited to 1,000 contacts.  A middle-tier Premium Edition syncs contacts for up to five users and 25,000 contacts.  Premium is priced at $8.33 per user per month.

“When it comes to managing contacts, businesses, even more than individuals, face huge challenges today. When contact and relationship data is fragmented across many employees and tools, a business isn’t able to harness the power of their extended relationship network,” said VP of Product Matt Holden. “FullContact for Teams alleviates this headache by getting all team contacts in one place, so people can focus on getting their job done, not fighting their address books.”

FullContact offers both People and Company APIs.  The Person API returns social profiles, profile photos, basic demographics, and social influence.  The Company API call takes company names or domains and returns the Key People (CxO and VP) along with firmographics.  While titles are available, the firm does not support a job function and job level taxonomy.

Developers have access to 250 matches per month during the API testing window.  A Starter package provides 2,500 people and 2,500 company matches for $99 per month with a four cent charge per overage.  The Plus edition supports 15,000 people and 15,000 company matches for $299 per month with a two cent charge for overages.  Pricing is based upon successful matches, not total queries.  Both plans are throttled (300 per minute for Starter and 400 per minute for Plus).  Beyond that, the firm offers custom match quotas and rates along with a batch processing option.

FullContact maintains a Human Research team to assist with projects such as B2B Prospecting, large database match and enrich, influencer marketing, and B2C luxury marketing.

FullContact is US-EU Privacy Shield compliant.

D&B NetProspex B2B Contact File Stolen

A NetProspex breach sample record for journalist Zack Whittaker (originally published by Troy Hunt with permission)

A 52.5 GB NetProspex file of nearly 34 million US business contacts was recently stolen.  Dun & Bradstreet did not indicate how the MongoDB database was purloined, but stated that it suffered no data breach and that the file was likely stolen from a customer.  “We’ve carefully evaluated the information that was shared with us and it is of a type and in a format that we deliver to customers every day. Based on our analysis, it was not accessed or exposed through a Dun & Bradstreet system,” the firm said in a statement to ZDNet.

The file was believed to be six months old.  While it was built and sold for legitimate sales and marketing purposes and complies with US law, it could be used for spamming and spear phishing.  “It’s an absolute goldmine for phishing because here you have a huge amount of useful information from which to craft attacks,” said Internet security advocate Troy Hunt who publicized the breach. “From this data, you can piece together organizational structures and tailor messaging to create an air of authenticity and that’s something that’s attractive to crooks and nation-state actors alike.”

Content includes business contact information; job titles, functions, and levels; current employer; and employer firmographics including size, industry, location, and D-U-N-S Number.  Their file does not contain personal emails, phones, biographics, or any kind of consumer credit data as Dun & Bradstreet strictly collects B2B company and contact intelligence.  However, the file does contain extensive business and government employee data such as 100,000 Department of Defense and a combined 75,000 Army, Air Force, and VA contacts.

Dun & Bradstreet should evaluate whether retaining titles for military and security agencies is in its best interest (and the country’s).  For example, being able to identify 715 military Intelligence Analysts makes it easy for nefarious parties to spear-phish them.  This may be a case where dropping the actual job title and simply mapping the title to a job function (e.g. procurement, security, medical, R&D) would make sense.  Another option might be to track only government officials whose names appear on official sites and in publications.  As the government publishes bid data through FedBizOpps, procurement contacts would still be available for commercial purposes.
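As an added illustration (not code from this post, nor anything Dun & Bradstreet ships), the Python below applies the two minimisation options proposed above to a constructed set of contact records: free-text titles are generalised to a coarse job function by ordered keyword rules, and government contacts in the function the post singles out are dropped while procurement contacts are kept. The rules, field names and sample records are all assumptions.

```python
import re
from typing import Optional

# Constructed sample records in the shape of a B2B contact file; every name,
# title and employer here is invented for the example.
SAMPLE_CONTACTS = [
    {"name": "A. Example", "title": "Intelligence Analyst", "employer": "Army Unit X", "sector": "government"},
    {"name": "B. Example", "title": "Procurement Specialist", "employer": "Agency Y", "sector": "government"},
    {"name": "C. Example", "title": "VP of Marketing", "employer": "Acme Corp", "sector": "commercial"},
    {"name": "D. Example", "title": "Chief Information Security Officer", "employer": "Acme Corp", "sector": "commercial"},
    {"name": "E. Example", "title": "Staff Scientist", "employer": "Acme Labs", "sector": "commercial"},
]

# Ordered keyword rules mapping a title to a job function. First match wins;
# a title matching no rule falls through to "other" rather than being kept verbatim.
FUNCTION_RULES = [
    ("procurement", r"\b(procurement|purchasing|contracting|buyer)\b"),
    ("security",    r"\b(security|intelligence|counterintelligence)\b"),
    ("medical",     r"\b(medical|physician|nurse|clinical)\b"),
    ("r&d",         r"\b(research|engineer|scientist|r&d)\b"),
    ("marketing",   r"\b(marketing|communications)\b"),
]

# Government contacts in these functions are removed entirely (assumed policy);
# procurement stays because bid data is already public via FedBizOpps.
SUPPRESSED_GOVERNMENT_FUNCTIONS = {"security"}


def title_to_function(title: str) -> str:
    """Generalise a free-text title to one of the coarse functions above."""
    lowered = title.lower()
    for function, pattern in FUNCTION_RULES:
        if re.search(pattern, lowered):
            return function
    return "other"


def minimise(record: dict) -> Optional[dict]:
    """Return the record with its title replaced by a function, or None to drop it."""
    function = title_to_function(record["title"])
    if record["sector"] == "government" and function in SUPPRESSED_GOVERNMENT_FUNCTIONS:
        return None
    reduced = {key: value for key, value in record.items() if key != "title"}
    reduced["function"] = function
    return reduced


def minimise_file(records: list) -> list:
    """Apply minimise() across a file and discard the records it rejects."""
    return [reduced for reduced in map(minimise, records) if reduced is not None]
```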

“Whilst you could piece together parts of the data from information already in the public domain, having it aggregated and so easily searchable in this fashion is enormously valuable,” said Hunt. “It also serves as a reminder that we’ve lost control of our privacy; the vast majority of people in the data set would have no idea their information is being sold in this fashion and they certainly don’t have any control over it.”

If you would like to check whether your personal or business email information has been stolen, Hunt has set up a free site which tracks over 200 stolen databases.  Registration takes about 3 minutes (you need to validate that you are researching your own contact information).  The site will also advise you if your email appears in future breaches.

LeadGnome: EU-US Privacy Shield Certification

Account Based Intelligence vendor LeadGnome completed the EU-U.S. Privacy Shield certification process with the U.S. Department of Commerce.  The new process ensures that privacy is protected when personal data is transferred from the EU to the US.  The Privacy Shield process was implemented last summer after the previous Safe Harbour regime was invalidated by the European Court of Justice.

LeadGnome’s email reply service mines emails for intelligence such as left the company, out of office, change of position, change of name/email, and unsubscribe requests.  “LeadGnome is unique in its ability to mine the unstructured body of reply emails for account based intelligence.  It was, therefore, important to acquire EU-U.S. Privacy Shield certification to assure our customers of our commitment to the privacy of their data,” said Matt Benati, CEO of LeadGnome.

Because the firm collects emails, titles, and business phones, they did not have to go through the more stringent approval level for firms that store credit, payment, or personal data.  This helped expedite the approval process with the Department of Commerce.  As LeadGnome was already Safe Harbour compliant, the approval process was focused on conforming to changes between the Safe Harbour and Privacy Shield.  LeadGnome worked with the Better Business Bureau as a compliance partner and completed the process in about two months.  Benati believes the process will speed up as the certification backlog clears, but noted that his firm benefited from having Safe Harbour certification.

The LeadGnome platform is integrated with major CRMs and MAPs including Salesforce, HubSpot, Marketo and Oracle Cloud.

“LeadGnome is committed to data privacy and business transparency. We had already employed many of the required best practices, so the certification process was completed significantly ahead of schedule,” said Benati.

Other vendors that are Privacy Shield compliant include Dun & Bradstreet, Avention, ZoomInfo, Infogroup, Salesforce, Microsoft, Oracle, SalesLoft, ReachForce, and Outreach.  The US International Trade Administration publishes a list of Privacy Shield compliant firms.

US-EU Privacy Shield

The US and EU finalized a new Privacy Shield agreement to replace the recently invalidated Safe Harbour agreement concerning data privacy.  The new program allows firms to begin self-certifying their compliance as of August 1st.  As part of the agreement, the US Department of Commerce will begin conducting regular compliance reviews.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible,” said Andrus Ansip, vice president for the European Commission’s Digital Single Market initiative. “Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions.”

The US government will also implement “clear limitations, safeguards and oversight mechanisms” concerning the handling of European data.  Furthermore, the European Commission has assurances that bulk data collection would only be conducted “under specific preconditions and needs to be as targeted and focused as possible.”

A complaint mechanism is in place for Europeans, to be handled by the US Department of Commerce or the US Federal Trade Commission.  A separate mechanism provides an independent ombudsman where national security questions come into play.

While tech companies applauded the new agreement, European privacy advocates contend the deal still fails to protect European citizens.