Our company currently uses Co-Pilot quite regularly and there have been some questions lately about whether this type of functionality (1 to many communication) is GDPR/CASL compliant. Is anyone else having these conversations in their org and/or does Gainsight have any more info I can share with our legal team?
Hey Alicia!
We have had many conversations in this regard. GDPR is an immensely detailed conversation and not exactly one I can comfortably exhaust here. However, I can touch on what I know to be the main points.
If you are using CoPilot to contact customers*, and you allow them to Opt-Out of non-Operational communications, and you honor those Opt-Outs, then you should be just fine. You should also have a workflow in place to delete Contact records for any EU citizen, or employee of an EU business regardless of if the employee lives in the EU. In short, this sort of workflow would have you covered.
*A customer in this case is defined as a person or entity that has, on their own volition, acquired a product or service from your organization. This type of company - customer connection is classified as "Legitimate Interest" and gives you (the company) a pretty big umbrella of safety to operate under. You do still have to live by the rules I mention above, but otherwise, you're set.
Where things get a lot more difficult is pre-sale. My teams live exclusively post-Sale (i.e. customer and "Legitimate Interest"), so I cannot speak in detail about that. I do know that our Marketing and Sales teams are collaborating extensively to ensure we meet GDPR on that end as well.
Hopefully this helps! Happy to talk about it further and interested to hear other stories from our peers.
-Ben
Also, as a processor of your information through Gainsight - Gainsight is taking the actions (including customer DPAs - Data Processing Addendums) to ensure we are a GDPR-compliant processor.