GDPR Compliance

General Data Protection Regulation (GDPR)

The table below is laid out as one record per GDPR rule, with the same three columns as the original: GDPR Rule, What it means, and How to be compliant with Referral Rock.

GDPR Rule: Right to be forgotten / Deletion
What it means: Individuals have the right to have ALL of their data deleted. GDPR requires the permanent removal of an individual’s data from your systems and database. In many cases, you’ll need to respond to their request within 30 days.
How to be compliant with Referral Rock: All Member and Referral data can easily be deleted by an Admin user from your Referral Rock Admin interface.

GDPR Rule: Right to data portability / Right to Access
What it means: Allows individuals/data subjects to demand a copy of their data in a common format. The timescale for processing an access request will also drop to a 30 day period.
How to be compliant with Referral Rock: All Member and Referral data can be exported via a CSV file.

GDPR Rule: Modification
What it means: Allows individuals/data subjects to demand that you modify their personal data if it’s inaccurate or incomplete.
How to be compliant with Referral Rock: All Member and Referral personal data can be edited and changed through the Admin portal on their profile record.

GDPR Rule: Lawful basis of processing
What it means: You need to have a legal reason to use an individual’s personal data. That reason could be consent (they opted in) with notice (they know what they’re opting in for), performance of a contract, or purposes of “legitimate interests” (e.g. they joined the referral program, and you want to send them information related to the referral program).
How to be compliant with Referral Rock: All Members and Referrals in Referral Rock should fall under the “legitimate interest” or “consent” lawful basis of processing, depending on your registration process, because they have joined your referral program.

All Referral Rock related emails should be related to your referral program and not to an unrelated issue.

We recommend that you track the lawful basis of processing in your system of record (i.e. CRM, Email Marketing, Ecommerce, etc.). Use our various integration tools to update your system of record.

GDPR Rule: Consent
What it means: One type of lawful basis of processing is consent with proper notice.

The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous.”

In order for an individual to give consent, you must meet a few criteria:

  • You need to tell them what they’re opting into. This is called “notice.”

  • They need to actively opt in (no pre-checked boxes, no filling out the form to implicitly opt them into all marketing campaigns, etc.)

  • The consent must be specific, in that it covers all the ways you use an individual’s personal data.
How to be compliant with Referral Rock: This is only applicable for Referral Rock if you are using our Referral Form to collect new lead/referral information and want to run other promotional marketing campaigns. If this is the case, then use one of the custom dropdown fields on the Referral Form to have the individual opt in to other marketing campaigns (this gives you consent to market to them in other ways). Be clear on how you will market to them.

GDPR Rule: Withdrawal of consent (or opt out)
What it means: Individuals need to see what they’ve signed up for and be able to withdraw their consent (or other lawful basis of processing). Withdrawing consent needs to be as easy as giving it.
How to be compliant with Referral Rock: In Referral Rock, a member can manage their email preferences and unsubscribe from any emails they no longer wish to receive. They’ll be added to a block list and will no longer receive any future emails from Referral Rock.

Through Zapier and our API they can also unsubscribe from everything. For example, if they unsubscribe from your Newsletter, you can unsubscribe them from any Referral Rock emails.

GDPR Rule: Cookies
What it means: An individual needs to be given notice that you're using cookies to track them. This needs to be in clear, simple language that they can understand. If you’re using tracking cookies, they need to give consent to being tracked.

Any cookie that is capable of identifying an individual, or treating them as unique without explicitly identifying them, means your business is processing personal data.
How to be compliant with Referral Rock: Referral Rock’s referral cookie doesn’t store any unique or identifiable information. It’s not used for any third party purpose. As such, our cookie doesn’t fall under the GDPR rule.

The referral cookie is solely used for making sure the member gets attribution for the specific referral action. The specific referral actions are only set by you, the client, and are not used by any third parties.

If you still don't want referral cookies to be set, you can immediately delete them by setting the cookie length to 0 days.

GDPR Rule: Data Protection Agreement
What it means: The GDPR imposes many obligations on companies wanting to collect and use personal data about their clients. One of the most important obligations is having a DPA with every entity that has access to this data.
How to be compliant with Referral Rock: Review Referral Rock's Data Processing Agreement.