What you need to know about Sysomos and GDPR

Kelly Bebenek, Data Privacy Officer

By now everyone should know about the EU General Data Protection Regulation (GDPR) which goes into effect May 25, 2018. We’re a data company and thus want to ensure that everyone understands our position on GDPR. The Sysomos and Meltwater teams have been working diligently to ensure compliance, as we recognize how important privacy is to all of us as individuals and the organizations we work for.

Sysomos collects data that impacts our customers in four ways:

  • Customer organization and employee data, so that we can provide access to our platform and services; this is usually the employee’s first and last name, email, and/or IP address.
  • Customer social content, so that we can connect the customers social profiles to the Sysomos platform.
  • Social data available in our product; this is publicly available data that is provided to us through our data partners. This information is usually the user name, first and last name.
  • Marketing data; this is information we collect when someone has interest in the Sysomos product.

GDPR clearly defines the roles that organizations have when processing personal data. There are two major roles – Controllers and Processors.

Data Controllers are individuals or organizations that determine the purpose of the personal data that is collected, and how it can be processed. Simply, they control why, and how, personal data is processed by a business.

Data Processors are individuals or organizations that process personal data within the parameters determined by the Data Controller.

Depending on the scenario, Sysomos could take on different roles. We’ve outlined our role based on the type of personal data we process:

  • Customer Data – Sysomos is the Processor for customer data and our customer is the Controller. Sysomos is working to get Data Protection Addendums (DPA) signed with all customers. If you are a customer, please contact us at privacy@sysomos.com or your Customer Success Account Manager to get your copy.
  • Personal data available in Search/Listen and Analyze –  The data partner, Sysomos and the customer are all Controllers. This is because even though Sysomos has a contract in place or we follow the API terms and conditions of our data partner, we determine the purpose of the personal data and in turn our customers also determine the purpose of the data they process from Sysomos.
  • Personal data available in Publish and Engage – Sysomos is the Processor because we only process the data on behalf of the client.  In these products the customer provides Sysomos access to their profile and the social channel is collecting the data and consent from the data subject so both parties are Controllers.
  • Marketing data – Sysomos is the Controller of this data.

In order to collect personal data from EU residents, a company must have a legal reason to do so. We’ve outlined our legal basis based on the personal data we process:

  • Customer Data – Sysomos has a contractual obligation to collect this information.
  •  Personal data available in our product – Sysomos has a legitimate interest to collect this information and provide it to our customers. We have legal grounds because the information is public information and because the use of the personal data does not conflict with the rights of the data subject.
  • Marketing data – Sysomos has a legitimate interest to collect this information but we will also collect and track consent of all marketing outreach recipients.

Our privacy policy has been updated to ensure it meets the requirements of GDPR. We not have two policies, one for our website (www.sysomos.com/privacy) and one for our product (www.sysomos.com/privacy-services). You can also find it on our product log-in screen.

We’ve also taken this as an opportunity to make technology improvements. We’ve invested in our technology and updated our practices, policies, and controls to ensure the data we process is secure. Here is a summary of some of those efforts:

  • We’ve moved our cloud servers to the EU and Canada.
  • Implemented data minimization, data anonymization and data security best practices for GDPR compliance (Privacy by Design).
  • Updated our data security policies (Data Retention, Data Security Audit, Data Breach and Data Controls).
  • Put in place a process to handle all data privacy requests based on the data subject’s GDPR rights.
  • Rolled out GDPR compliance training for all employees to ensure they understand their role in keeping your data confidential.  In addition, we have implemented an annual training program for all developers on privacy and security.
  • Ensure all new product developers complete a Data Protection Impact Assessment and consults with EU regulators where appropriate.

Should you have any questions or concerns about our GDPR position, please reach out to us via privacy@sysomos.com with any data related questions.