What is the General Data Protection Regulation (GDPR)?

The GDPR is a regulation from the Council of the European Union. It was created in April 2016 and will become enforceable on May 25th, 2018, replacing the Data Protection Act of 1998. The intent is to give European Union citizens control over their data and to standardize regulations for any business working with an EU citizen’s data (whether the company is located in the EU or not). For complete details on the GDPR please visit

What does this mean for me as a LeadMaster customer?

If you have any kind of electronic interaction with customers or prospects in the EU, the GDPR’s rules on how you collect, store, and access their data are quite strict.

What data is included in the GDPR?

According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

How does the GDPR impact email marketing?

  1. Opt-in – Contacts must now give you explicit consent for you to collect any of their personal data.  People who fill out a contact us form must also explicitly agree to be marketed to.  In other words, they must Opt-in if you want to send them an email.  The form should have a checkbox indicating they agree to receive email from you.  Simply filling out a web form does not mean they consent.
  2. Transparency – The GDPR gives people more control over how you collect and use their data. This includes their right to request a report of where their data is being used and, taking that a step further, to request that you completely erase their data from your records.

This means that you will need to provide contacts with access to their Opt-in / out preferences and give them the ability to manage consent for each type of email you send. LeadMaster will provide an unsubscribe link in ALL emails sent.

What are the terms & terminology associated with the GDPR?

There are three main terms:

  1. The Data Subject – This is the contact in LeadMaster.
  2. The Data Controller – This is a LeadMaster customer. If you log into LeadMaster you are a data controller.
  3. The Data Processor – This is LeadMaster.  We process data on behalf of you, our customer, the data controller.

Please note: if your contacts (data subjects) reside in the EU the GDPR applies to you regardless of whether or not you are located in the EU.

What’s the Privacy Shield?

There are two parts to the privacy shield.

  1. The Right To Be Forgotten – requires the data controller, in other words the LeadMaster customer that logs into the system, to delete customer data when requested.
  2. The Right To View Data – requires the data controller, in other words the LeadMaster customer that logs into the system, to provide data subjects with a copy of the data housed in the LeadMaster system in a common format within 30 days of the request.

How can I prepare for the GDPR?

The GDPR requires you to supply copies of your Opt-in forms, privacy notices, and any other methods you have in place to handle the processing of personal data and requests from contacts.

What is LeadMaster doing to help Data Controllers be GDPR compliant?

There are two primary enhancements: a new email preferences page and a new Workgroup setting – Enforce GDPR.

For email preferences LeadMaster is updating the Opt-in / out function to include an email preferences link in any email sent from the LeadMaster system.  Since there are many ways to send email, the Email Preferences page has separate selections for One-to-One Email and Email Marketing.

These include the timestamp when the selection was made and where possible, the source of the selection (a link to the original email or the username of the person who updated the selection if the choice was updated by hand).

If the Workgroup setting “Enforce GDPR” is enabled, LeadMaster will ONLY send email if the user has specifically Opted-in for that type of email. For example, with “Enforce GDPR” enabled and the following selections for an individual contact:

  1. If there is no Opt-in / out selection for One-to-One Email, then no one-to-one email would be sent to this contact.
  2. If Opt-in is selected for Email Marketing, then email marketing would be sent to this contact.

If you want to be GDPR compliant, LeadMaster suggests that you send all of your contacts an email asking them to update their email preferences by clicking on the link at the bottom of the email. You also have the option of including a merge field “[EmailPreferences]” in the body of the email that, when clicked, will take the user to the email preferences page the same way as the link at the bottom of the page. This will provide you with your contact’s specific wishes regarding Opt-in / out. Once you’ve given your contacts time to update their email preferences, update the workgroup setting to ‘Enforce GDPR’. This will ensure that you are only sending email to contacts for which you have documented proof they have Opted-in.

LeadMaster Security Measures:

  • LeadMaster uses an encrypted connection (SSL, TLS 1.3, SHA256) to transmit data.
  • LeadMaster has extensive access control measures, for example, role based security.
  • Data is protected by default; you only have access to data that you are granted access to.
  • LeadMaster has extensive options for password security.
  • LeadMaster provides the option of limiting access to specific IP addresses.
  • LeadMaster conducts periodic internal security audits.
  • LeadMaster has an incident response plan available upon request.
  • LeadMaster retains customer backups for 30 days.
  • LeadMaster’s Privacy Policy.

The right to be forgotten:

The ‘right to be forgotten’ is part of the GDPR and CCPA and is the responsibility of LeadMaster’s customers. LeadMaster doesn’t touch customer data. The data belongs to LeadMaster customers. When a contact is deleted, the only way to recover that data is to restore the data from backup. In order to be GDPR compliant, LeadMaster customers must keep track of all deleted / anonymized contacts so that, in the event a backup is restored, they can then go in and delete / anonymize those contacts again. LeadMaster provides an append function so that this can be done as a mass update.