This statement sets out the operating procedures Strattmont undertakes to ensure GDPR best practice is observed to the greatest extent possible, at all times.
From 25th May 2018, the GDPR brings all EU member states under a common regulatory framework, as well as companies outside the EU that serve EU clients.
Strattmont takes GDPR compliance seriously, and in addition to appointing a compliance officer to oversee our adherence to the rules, Strattmont has engaged third-party legal expertise to audit and advise on best practice.
This investment enables us to assure clients that GDPR best practices are strictly observed wherever possible, at all times.
Strattmont is a service provider: when you engage our services, we work for you, and when we create data, we create it exclusively for you.
To put this in the language of GDPR:
Strattmont’s services are designed and offered solely to help businesses promote to other businesses, i.e. B2B marketing only.
Before launching new client activity, Strattmont conducts an in-depth assessment to establish whether the product or service, combined with the proposed targeting, meets the criteria for GDPR-compliant business-to-business (B2B) marketing. This assessment is called the Legitimate Interest Assessment (LIA).
Prior to conducting the LIA, suitability can usually be determined by the following two questions:
3.1 Will the product or service being offered benefit the businesses you are targeting, and not the individual?
The product or service that you are offering needs to be of benefit to the target business, and when talking to any individual, relevant to their business role only. It can help to consider the following examples:
3.2 Are the services being provided equally beneficial to whomever may be contacted about them?
If question one can be answered positively, a further test of the business nature of your offering is to consider the target individuals you would like to introduce it to. The only consideration here should be job specific – typically department and seniority. Your offer should be equally relevant to whoever fills these role(s) at any given time, and in no way target any given individual.
At the core of the Strattmont processes is the identification of target companies. Whilst the details of this stage can vary, it involves no personal information at all. Once the list of accounts has been finalized we then determine the details of the individuals in the target role(s) at the companies. This stage typically generates Personally Identifiable Information (PII).
Personally Identifiable Information (PII) data held is kept to an absolute minimum:
GDPR sets out a number of permissible circumstances (or categories) under which PII can be stored and processed; the most appropriate category in the case of Strattmont is Legitimate Interests.
This link explains the Legitimate Interests basis for storing and processing PII: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/
To ensure client activity falls into this category, prior to engaging, we will carry out a full Legitimate Interests Assessment (LIA) with each new client.
Essentially, the LIA is a questionnaire containing a series of questions about your scenario. There are three areas that need to be satisfied for Legitimate Interests to be used as a basis for processing PII:
The legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The data processing is generally in your interests – whether it be to increase market share, increase brand awareness, or engage business leaders.
Can the same result be achieved differently? Core to Strattmont's services is efficiency and a constant drive to be the most cost-effective sales channel, which we believe cannot be replicated using other methods.
Would the individual expect their data to be used in this way? Would an individual who lists publicly their role within a company expect to be contacted about services that may help that company or their department within the company?
No data processing may override or infringe the individual's interests or cause unjustified harm.
If Strattmont determines that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR then we cannot support the activity within any regions subject to GDPR.
All recipients can easily opt out of receiving further email communication.
All replies to prospecting emails are logged and those prospects are added to your campaign exclusion list within 24 hours.
Strattmont allows import of existing exclusion lists in advance of campaign activity. Exclusions can be submitted in the form of individual email addresses or full domains, and will prevent communications being issued to those email addresses or domains listed.
All individuals have the right to request a copy of all data you hold on them. To support this, you can email any Subject Access Request (SAR) to firstname.lastname@example.org and we will return this data within 72 hours.
All individuals have the right to have their data removed (to be ‘forgotten’) which is a request that can be carried out easily by your Strattmont account manager. Your data belongs to you and you can choose to delete some or all of it at any time.
A conflict does arise in removing or forgetting an email address whilst at the same time keeping this address on an exclusion list to prevent future mailing. Where we have removed data, we will move the email address to a separate exclusion list, encrypted using a one-way hashing algorithm (SHA1), ensuring we are able to prevent any future messages being sent to the customer whilst continuing to honor their right to be forgotten.
All Strattmont employees undergo GDPR and general compliance training, which covers the GDPR rule set in detail, the relevance and impact of those rules on Strattmont and our clients, and the steps we take to ensure best practice is observed at all times. We also make clear the consequences (i.e. penalties) associated with failure to meet the strict GDPR standards.
We do not hold ISO 27001 accreditation; however, we recognise the standard and operate a similar or better approach in most cases. We are working to achieve this accreditation.
All data regarding our clients, prospects and employees is stored in commercial databases hosted in tier 1 EU data centres, encrypted both at rest and in transit. Access to the database is secured by username and password and restricted by IP address.
No passwords are stored in clear text, and access to any information is secured by individual user account access. All users with any kind of access have been issued with and agreed to Strattmont’s Data and IT Security Policy.
The physical security of our data is managed by GSuite – more details here: https://gsuite.google.com/learn-more/security/security-whitepaper/page-8.html
Our database resides in an isolated environment, behind a firewall with all connections restricted by default. All data (not just PII) is encrypted at rest, and an automated anomaly detection system monitors activity for threats.
Access to all systems is provided on an individual user account basis, with all passwords stored as hashed strings.
Incremental backups are continuously updated, giving the ability to roll back the database to any point within the past 48 hours.
Backups are encrypted at rest.
In the event of a backup restore, RTE (Right to Erase) data removals are automatically re-applied during the restore process.
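As an added illustration (not Strattmont's own code), the following constructed in-memory model shows how the hashed exclusion list described under the right to be forgotten, the client-imported address and domain exclusions, and the re-removal of erased addresses during a backup restore fit together. The `CampaignStore` class, its method names and the policy of refusing to re-add a forgotten address are assumptions made for this example.

```python
import hashlib

def normalize(addr: str) -> str:
    # Trim and lower-case so "Jane.Doe@Example.com " and "jane.doe@example.com"
    # produce the same hash; otherwise a forgotten address could be mailed again.
    return addr.strip().lower()

def email_hash(addr: str) -> str:
    # One-way SHA-1 of the normalised address, as the statement describes.
    return hashlib.sha1(normalize(addr).encode("utf-8")).hexdigest()

class CampaignStore:
    # Constructed in-memory model of the campaign data; not Strattmont's code.
    def __init__(self):
        self.contacts = {}             # normalised email -> role data (PII)
        self.excluded_emails = set()   # client-imported address exclusions
        self.excluded_domains = set()  # client-imported domain exclusions
        self.forgotten = set()         # SHA-1 hashes only, never the address

    def import_exclusions(self, entries):
        for entry in map(normalize, entries):
            target = self.excluded_emails if "@" in entry else self.excluded_domains
            target.add(entry)

    def add_contact(self, addr, role):
        # Assumed policy: a forgotten or excluded address is never re-added.
        addr = normalize(addr)
        if not self.may_send(addr):
            return False
        self.contacts[addr] = role
        return True

    def erase(self, addr):
        # Right to erasure: drop every plaintext copy, keep only the hash.
        addr = normalize(addr)
        self.contacts.pop(addr, None)
        self.excluded_emails.discard(addr)
        self.forgotten.add(email_hash(addr))

    def may_send(self, addr):
        addr = normalize(addr)
        domain = addr.rsplit("@", 1)[-1]
        return (addr not in self.excluded_emails
                and domain not in self.excluded_domains
                and email_hash(addr) not in self.forgotten)

    def restore_backup(self, snapshot):
        # Reload contacts from a snapshot, then re-apply erasures (RTE re-removal).
        self.contacts = {a: r for a, r in snapshot.items()
                         if email_hash(a) not in self.forgotten}
```

Because email addresses are guessable, an unsalted hash lets anyone holding the list test whether a particular address is on it, so the hashed list still needs the same access controls as the plaintext data; a keyed hash (HMAC with a secret key) closes that gap.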
Duration of Storage
To ensure private information is held no longer than necessary, all PII that is stored or processed solely for client campaign purposes is removed (by overwrite) after 12 months of client inactivity (or on request).
Strattmont is an MK-based company and operates under Macedonian law. Where the service is used to target countries outside of Macedonia, we are unable to provide guidance or take responsibility for any additional or differing laws that may be in place.
Whilst Strattmont continues to take extensive measures to ensure best practice with respect to GDPR across all client activity, clients should take note that responsibility for compliance vests (in different forms) with all parties.
Strattmont cannot keep abreast of the constantly evolving regulatory frameworks in all countries at all times; as such, it is important that you, as the client, have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.