DATA PRIVACY WITH CLOZD
GDPR Compliance

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. It was drafted and passed by the European Union (EU), and imposes obligations on organizations anywhere that target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR levies fines against those who violate its privacy and security standards. You can learn more about the regulatory framework here.

Clozd’s GDPR Compliance

Clozd is proactive about GDPR compliance both as a controller and a processor (when processing personal data on behalf of our clients).

Highlights of our compliance efforts include:

Lawful Basis

Clozd does not store or process personal data without the consent of the data subject and/or the written consent of our clients in accordance with legitimate interest allowances. For more details, please review our privacy policy.

Information Security

Clozd is ISO 27001 compliant and maintains industry-best technical and organizational security measures that ensure the safeguarding of personal data against accidental or unlawful access, modification, and destruction. For more details, visit our trust center.

Rectification & Erasure

Clozd honors the fundamental rights of data subjects, including data rectification and erasure (the right to be forgotten). Clozd promptly honors data subject and/or client requests to modify or erase personal data. Individuals and organizations can request erasure or rectification at any time using this request form.

GDPR Terms to Know
Personal Data

Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.

Data Processing

Any action performed on personal data, whether automated or manual, such as collecting, recording, storing, organizing, erasing, etc.

Data Subject

The person whose data is processed.

Data Controller

The entity who decides why and how personal data will be processed.

Data Processor

A third party that processes personal data on behalf of a data controller.

Frequently Asked Questions
Win-loss analysis and the GDPR

Does the GDPR govern how organizations conduct win-loss analysis?

Yes. Organizations that want to conduct win-loss analysis, particularly those with prospects and customers in the EU, must abide by the GDPR. The GDPR imposes restrictions on how data controllers may legally contact and interact with their data subjects (i.e., prospects/customers) as they carry out win-loss analysis.

Is “consent” required before contacting a data subject for win-loss feedback?

The GDPR generally prohibits data controllers from contacting data subjects, or processing their personal data in any way, without prior consent. This is especially true for direct marketing use cases (i.e., marketing your products or services to them).

However, the GDPR has allowances for certain processing activities like win-loss analysis. These exceptions are permitted under “legitimate interest allowances” that overcome the requirement for prior consent. As a result, organizations can legally contact data subjects to solicit win-loss feedback without their prior consent to do so. Learn more below.

Disclaimer

This page is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR.

Instead, this page provides background information to help you better understand Clozd’s approach to GDPR compliance, and the basic principles of lawful data processing for win-loss analysis.

This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.

What are “legitimate interest allowances” and how do they apply to win-loss analysis?

The term “legitimate interest allowances” refers to circumstances wherein a controller may legally process personal data of a data subject without their explicit prior consent to do so.

To qualify, the processing activity in question must pass a three-part test:

  • Purpose Test: Does the processing serve a legitimate, non-trivial business interest?
  • Necessity Test: Is the processing necessary to serve the purpose? Have less intrusive alternatives been considered and deemed insufficient to serve the purpose?
  • Balance Test: Does the processing pose any risk or harm to the data subject? Does the purpose being served justify the risk posed to the data subject?

The UK Information Commissioner provides helpful guidelines for conducting a legitimate interest assessment here.

With regard to win-loss analysis, legitimate interest allowances are widely considered an adequate basis for processing because (a) the data subject previously consented to data processing by the controller during their sales evaluation, (b) soliciting the prospect’s feedback at the end of the sales process is a reasonable, non-harmful use case that only involves business-related data, and (c) the processing serves a non-trivial business purpose for the controller.

Thus, there is widespread consensus that win-loss analysis passes the three-part test, and that organizations may contact prospects/customers for win-loss feedback without their prior consent.

What is a processor and can we use a processor (like Clozd) to conduct win-loss analysis?

When organizations (“controllers”) process data about their prospects or customers (“data subjects”), they often need the help of third-party products or services to do so. The third-party entities that provide these products or services are referred to as “processors”.

Consider this simple example. A bank wants to send account notices to its customers via email. To do so, the bank uses a third-party software solution to design and send the emails. Under the GDPR, the bank is the “controller” and the software vendor is the “processor.” The GDPR allows controllers (bank) to utilize the processor (software vendor) without the permission of their data subjects. However, the bank must ensure that personal data is safeguarded by the processor, and that the data is only used to fulfill the controller’s lawful processing activities.

With regard to win-loss analysis, most organizations do not have in-house tools and resources to capture and analyze win-loss feedback. Thus, most organizations enlist the help of a processor like Clozd to carry out win-loss analysis. As in the bank example above, this is allowable under the GDPR so long as certain safeguards and contractual agreements are in place between the controller and Clozd.

Can we legally send our win-loss invitation messages using the Clozd platform?

Yes. As discussed above, many organizations utilize vendors like Clozd to conduct win-loss analysis. When doing so, Clozd acts in the capacity of a “processor” as permitted under the GDPR. As a processor, Clozd may be utilized for any or all of the relevant processing activities such as:

  • Filtering customer/prospect data to determine which data subjects should be contacted for win-loss feedback,
  • Contacting data subjects to request win-loss feedback,
  • Collecting their win-loss feedback through surveys or interviews,
  • Interpreting and analyzing the data collected.

Furthermore, there is a common misconception that sending win-loss invitation emails through your existing email marketing system might somehow be preferable under the GDPR. However, the GDPR is agnostic with regard to which processor an organization uses for any given processing activity. The GDPR is only concerned that a lawful basis and proper controls have been established. Thus, using Clozd for win-loss invitation emails is legally equivalent to using your email marketing system, but offers more purpose-built functionality to support this niche use case.

As a processor, does Clozd do anything proactive to support its clients with GDPR compliance?

Yes, Clozd proactively supports clients with their GDPR-compliance efforts in various ways.

First, Clozd helps clients implement a Data Processing Agreement (with Standard Contractual Clauses) as part of our contract process to ensure the legal relationship between controller and processor is properly established, with Clozd bearing contractual responsibility to safeguard personal data and process it legally.

Second, the Clozd Platform is built in a way that supports essential data processing controls such as data rectification, erasure, and opt-out management.

Third, Clozd is audited annually for ISO 27001 and SOC 2 Type II compliance, ensuring that personal data is safeguarded in accordance with industry best practices. As a result, clients can legally and confidently rely on Clozd to process personal data on their behalf.
