Sugar Market & GDPR

In early December 2017, the EU agreed upon new regulations for the General Data Protection Regulation (GDPR). The new regulations will create a uniform and consistent set of rules across all 28 countries in the EU, aimed at protecting EU citizens’ personal data and increasing transparency by organizations on how that data is used. If your company processes the data of customers in the EU, then the GDPR applies to you.

At Sugar Market, previously Salesfusion, we are dedicated to helping our customers understand what GDPR means for their business and to providing the basic tools needed for customers to achieve GDPR compliance.

We’ve created this page as a reference on all things GDPR related. See below for the GDPR-related products our team has rolled out.

DISCLAIMER: The content on this page is provided for informational purposes only and to help organizations understand the GDPR in connection with Sugar Market’s services.

The information contained herein may not be construed as legal advice or to determine how GDPR might apply to you and your organization. Organizations should consult with their own legal counsel with respect to interpreting their unique obligations under the GDPR and how best to ensure compliance.

Sugar Market Assists with GDPR Compliance

We have listed the GDPR regulations, what they mean, and the Sugar Market features that will help you stay compliant.

Consent & Double Opt-In for Emails

What it Means: The regulations require explicit consent for the use of data with proper notice. Personal data will have to be collected and used for a specific purpose, and consent must be given for each purpose. Marketers cannot contact email users who do not wish to be contacted. In order for consent to be granted, the following needs to be accounted for:

  • Users must know what they’re opting into; that’s called “notice”.
  • The “notice” needs to outline how we’re using the customer’s data and what we’re using it for. Evidence must be logged of what the user consented to.
  • A clear opt-in action needs to be presented to and made by a user. Filling out a form or visiting a page cannot imply the user is providing consent to receive any communications from a company.

Sugar Market Features for GDPR:

Double Opt-In for Form Submissions

Users are able to specify whether they want an opt-in email with an opt-in link to be sent automatically after a form submission. This setting can be configured at the form level, and/or you can set a default at the global level so that every form created afterwards has the opt-in setting enabled. Clicking on the opt-in link in the email will route the user to a pre-set confirmation page.

We also store a copy of the email that your users consent to, as well as the time and date that consent was given.

Opt-In for Other Forms of Contact Creation

Sugar Market includes opt-in verification in all the places on the platform where contacts can be manually uploaded, which include imports and uploads of individual contacts. You’ll have to verify that the contacts you’re adding have opted in before you can add them. This will ensure best practices and act as a check for you before adding your contacts.

Control of Data

What it Means: Customers have more of a say in how they want their data to be handled. For example, they can ask to have their data modified or request access to their personal data. If your company receives this request, you need to be able to accommodate editing their data or providing them information in a machine-readable format (XLS or CSV).

Sugar Market Features for GDPR:

Requesting Access to Data

Sugar Market allows you to build custom reports where you can pull in most personal data that your customer could ask for (name, email, etc.). You can export these files into an appropriate machine-readable format.

Modification of Data

Contact-level data is held within the contact card, where you can view the contact's personal data. You can currently edit this data at any point for an individual contact.

Right to be Forgotten (Delete Data)

What it Means: Just as customers can request access or modification to their data, they can also ask to have all their personal data erased from your database. This means removing any personally identifiable information in the database like form submissions, notes, IP Address, etc.

Sugar Market Features for GDPR:

A process is in place to take inbound delete requests from our clients that Sugar Market will execute on behalf of our customers.

Cookie Consent

What it Means: Cookies are important as they are used to track customer information such as their user journey and all the interactions with your website to help provide a personalized experience and better analytics for companies. However, proper consent needs to be given by the user to allow being tracked by cookies.

Sugar Market Features for GDPR:

We have implemented the ability for customers to indicate whether they want to prompt cookie consent for each new visitor to a landing page built with Sugar Market. On each page where cookie consent is indicated, a standardized banner appears at the top that will prompt a visitor to either accept or reject cookies.

We preserve your visitors’ choice so they’re not constantly bombarded with the banner every time they visit one of your pages.

Withdrawing Consent

What it Means: This means that your customers should be able to know what they signed up for and can withdraw their consent (opt-out) at any time. Essentially, withdrawing consent needs to be just as easy as providing it.

Sugar Market Features for GDPR:

Email Opt-Out

Currently, on the Sugar Market platform, you can view the opt-out status of a contact. If one of your customers requests to opt out, you can easily change the opt-out status of the customer to “yes” in their contact details.

Your customers can also opt out through the unsubscribe link in any email communication you send them.

Change Cookie Preferences

On every landing page built in Sugar Market where cookie consent is specified, we have added a way for users to edit their cookie settings. They’ll be able to change their setting at any point to either accept or reject cookies.

Frequently Asked Questions

What is GDPR?

The General Data Protection Regulation (GDPR) strengthens individuals' privacy rights and creates consistent data protection rules across Europe.

When did GDPR go into effect?

May 25, 2018

My company is based in the United States, do we need to comply?

GDPR applies to companies who process personal data about individuals in the EU.

Does this apply to B2B and B2C communications?

Yes. There is no distinction between B2B and B2C; the GDPR applies to any organization doing business with individuals in the EU.

What is the EU definition of personal data?

Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified directly or indirectly. This includes:

  • Phone Number
  • Email Address
  • Social Network ID
  • IP Address
  • Metadata such as location, device, timestamp

What do we do after the GDPR comes into effect?

Once the GDPR is in effect, you are going to have to make sure you are only marketing to those who have opted in to your communications! Otherwise, you risk a fine of €20 million or 4% of your company’s global annual turnover. And remember, having good, valuable content that people will want to download is essential to getting more people to opt in to your marketing.

Can I still market to my customers?

The current legal consensus is that an existing business relationship (a current client) generally constitutes a lawful basis for communication, particularly in fulfillment of a specific request (notices, product delivery, etc.). That relationship also provides at least implied consent for offering additional and related products and services to the existing customer.

For the avoidance of doubt, of course, explicit opt-in to anything that can be deemed a marketing or sales communication is going to be a best practice, but the discretion is up to the Data Controller.

For marketing contacts with whom you have no existing business relationship, collecting informed consent will be key to ensuring compliance with GDPR.

Is Sugar Market GDPR compliant?

Sugar Market believes privacy and data protection are a key factor for marketing success and has taken steps to ensure compliance with the GDPR framework. Below are some data points on Sugar Market’s security standards:

  • Customer data is housed in a secure SOC 1 & 2 SSAE 16 audited facility at Amazon Web Services, utilizing a multi-tenant environment that is partitioned logically and isolated to prevent unauthorized access.

  • Sugar Market has rigorous processes and security controls in place, including physical access controls, data access controls, data transmission controls, and data entry controls.

  • Sugar Market performs intrusion detection monitoring to ensure that our best-in-class security is constantly maintained, and keeps a detailed set of logs for platform user and API activities.

  • For our EU customers, by default all data is hosted in Europe in an Amazon Web Services (“AWS”) facility in Ireland.

  • Sugar Market participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. Sugar Market Privacy Shield Certification.

  • Sugar Market offers customers a robust data processing addendum containing data transfer frameworks ensuring that our customers can lawfully transfer personal data outside of the European Economic Area by relying on our Privacy Shield certification or the Standard Contractual Clauses.