SOLVED

Re: Are smart list subscriptions GDPR compliant?

Go to solution
Kim_Gandy1
Level 7

Are smart list subscriptions GDPR compliant?

I have some teammates who use the download feature on weekly smart list subscriptions. Will download these lists of leads be compliant with GDPR secure file sharing?

1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator

Re: Are smart list subscriptions GDPR compliant?

The GDPR itself does not mandate encryption.

But if your legal team has determined that encryption at rest is part of a good-faith effort to protect private data (with or without GDPR, but with an eye toward smoothing things over with regulators when bad things happen) then making lists available offline on untrusted devices is likely to break that internal contract.

View solution in original post

3 REPLIES 3
SanfordWhiteman
Level 10 - Community Moderator

Re: Are smart list subscriptions GDPR compliant?

The GDPR itself does not mandate encryption.

But if your legal team has determined that encryption at rest is part of a good-faith effort to protect private data (with or without GDPR, but with an eye toward smoothing things over with regulators when bad things happen) then making lists available offline on untrusted devices is likely to break that internal contract.

Mark_Wallace1
Level 4

Re: Are smart list subscriptions GDPR compliant?

Hello All

I just had a read of this GDPR guide from Marketo

Its says it applies "encryption to all data in transit".

It includes the following

Data Encryption By default, Marketo implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during transmission, applying high grade TLS encryption to all data-in-transit through the use of HTTPS connections to all Marketo instances. In addition, customers have the option to add encryption to data at-rest by storing their data on AES-256 encrypted hardware. Encryption at-rest provides a further safeguard in the case of a data breach, as any data stolen would be illegible and unusable.

Does this mean that the subscription lists are encrypted and only readable by the recipient?

thanks

Mark

SanfordWhiteman
Level 10 - Community Moderator

Re: Are smart list subscriptions GDPR compliant?

Nope, because the link is being sent via SMTP, which is inherently insecure (it's a plain-text medium).  This would not be considered end-to-end encryption by any means. Any network that includes plain HTTP (not HTTPS), FTP (not SFTP/FTPS), or SMTP can't be considered "encrypted."

Does this mean that the subscription lists are encrypted and only readable by the recipient?

Nope. Even if the link to the list were transmitted over a totally secure medium and encrypted at rest on the server, anybody with access to the instance can decrypt the data (it's not per-recipient encryption).

Again, your legal department will determine what level of security is necessary but it's vital to state clearly what's being delivered.